0 Comments

Introduction

In a month already record-breaking for its volume of security disclosures, one vulnerability has emerged as a particularly severe threat to enterprise infrastructure. CVE-2026-58644 is a critical Remote Code Execution (RCE) vulnerability affecting Microsoft SharePoint Server. Rated with a near-perfect CVSS score of 9.8, this flaw has been confirmed by the Cybersecurity and Infrastructure Security Agency (CISA) to be under active exploitation in the wild, earning it a priority spot in the Known Exploited Vulnerabilities (KEV) catalog as of July 16, 2026.

What is CVE-2026-58644?

CVE-2026-58644 is a “deserialization of untrusted data” vulnerability, a class of security flaw that occurs when an application processes a malicious serialized object without sufficient validation. In the case of SharePoint, the server fails to properly sanitize objects received from network-accessible endpoints. An unauthenticated attacker can exploit this by sending a specially crafted request to a vulnerable SharePoint instance, triggering the deserialization process and forcing the server to execute arbitrary code. Because the attack can be launched remotely without any user interaction and has low complexity, it presents an ideal target for both sophisticated state-sponsored actors and opportunistic cybercriminals.

Affected Systems and Scale

The reach of this vulnerability is extensive, impacting all major on-premises deployments of Microsoft SharePoint Server that haven’t yet applied the July 2026 monthly security updates. The following versions are explicitly confirmed to be affected:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server Subscription Edition

Organizations using these versions must assume they are at risk, especially if their SharePoint instances are reachable over the internet or accessible from untrusted segments of the corporate network.

Impact and Real-World Exploitation

The potential impact of a successful exploitation is catastrophic. Once the malicious code is executed, the attacker effectively gains the permissions of the SharePoint service account—which often has administrative control over the server. This allows for full system compromise, the theft of sensitive enterprise data stored within SharePoint libraries, and the deployment of ransomware or persistence mechanisms. Reports from security researchers indicate that threat actors are using CVE-2026-58644 to harvest Internet Information Services (IIS) machine keys. By obtaining these keys, attackers can maintain persistence through various deserialization techniques, even if the primary vulnerability is later patched but the keys aren’t rotated.

Mitigation and Patching Steps

Given that this vulnerability is being actively exploited, immediate action is required. Organizations should follow this remediation roadmap:

1. Apply Security Updates Immediately

Install the official security patches released by Microsoft on July 14, 2026. These updates correct the way SharePoint handles serialized data, effectively closing the vulnerability. Ensure that the patch status is verified after installation to confirm that all server roles have been updated correctly.

2. Harden SharePoint Environments

CISA and Microsoft recommend several hardening measures to reduce the attack surface. First, ensure that Antimalware Scan Interface (AMSI) integration is enabled for all SharePoint web applications. Setting the Request Body Scan Mode to “Full” can help detect and block the malicious payloads used in these attacks. Furthermore, SharePoint Central Administration and database communications should be restricted to internal, authorized systems only.

3. Post-Exploitation Remediation (Rotate Machine Keys)

Even after patching, your environment may still be compromised if keys were stolen during the zero-day window. Following a successful patch, organizations should scan for intrusion artifacts (such as web shells or harvester tools) and then rotate all IIS machine keys. Rotating keys will invalidate any persistent access attackers may have gained via the stolen keys.

4. Network Security Best Practices

Avoid exposing SharePoint servers directly to the public internet. If external access is necessary, it should be mediated by a Layer 7 reverse proxy or a Web Application Firewall (WAF) that requires multi-factor authentication and performs deep packet inspection to filter out suspicious traffic.

Conclusion

CVE-2026-58644 highlights the continued risk posed by deserialization flaws in complex enterprise platforms. The fact that it was weaponized as a zero-day underscores the importance of a rapid, risk-based patching cycle. Administrators should treat this as a high-priority incident and move to secure their SharePoint environments immediately to prevent data loss and unauthorized access.

Related Posts