CISA Adds SharePoint CVE-2026-58644 to KEV After Zero-Day Confirmed

CISA added SharePoint CVE-2026-58644, a CVSS 9.8 deserialization flaw, to KEV after Microsoft confirmed zero-day exploitation. Federal deadline is July 19.
Table of Contents
    Add a header to begin generating the table of contents

    CISA added CVE-2026-58644 to its Known Exploited Vulnerabilities catalog on July 17, 2026, after Microsoft revised its security advisory to confirm that the critical SharePoint Server deserialization vulnerability had been actively exploited before Patch Tuesday patches became available — formally reclassifying it as a zero-day at the time of release.

    CVE-2026-58644: A CVSS 9.8 SharePoint Zero-Day Confirmed After Initial Advisory Underassessed It

    CVE-2026-58644 is a deserialization of untrusted data vulnerability in Microsoft SharePoint Server carrying a CVSS score of 9.8. An authenticated attacker with Site Owner permissions or higher can write arbitrary code to and execute it remotely on the affected SharePoint Server. The vulnerability affects all on-premises SharePoint Server versions: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 Enterprise Server.

    Microsoft initially assessed the vulnerability as not actively exploited at the time of its July 14, 2026 Patch Tuesday release. The advisory revision — confirming that exploitation had been detected before patches were available — is a material change: it reclassifies CVE-2026-58644 from a newly patched vulnerability to a confirmed zero-day. Attackers had working exploits for this CVSS 9.8 flaw while no patch existed anywhere in the world.

    How CVE-2026-58644 Expands the Confirmed SharePoint Exploitation Campaign

    CVE-2026-58644 was patched on July 14 alongside three other SharePoint vulnerabilities — CVE-2026-32201, CVE-2026-56164, and CVE-2026-45659 — all of which CISA had already confirmed as actively exploited in a chained attack sequence by July 15. CVE-2026-58644 was the one outlier in that July 14 patch set that initially appeared unconfirmed for in-the-wild exploitation. The July 17 KEV addition closes that gap.

    CISA’s July 15 KEV additions covered the three-CVE SharePoint chain. CVE-2026-58644 now joins as a fourth SharePoint vulnerability confirmed exploited within the same campaign window. The expansion of confirmed exploited CVEs against a single product within 48 hours indicates that the threat actors targeting on-premises SharePoint installations deployed multiple distinct exploitation techniques against the platform rather than relying on a single attack vector.

    Federal Patch Mandate and the 10,000-Server Exposure Window

    Under CISA’s Binding Operational Directive 26-04, Federal Civilian Executive Branch agencies must apply the available patches or disconnect affected SharePoint servers by July 19, 2026 — a 48-hour remediation window from CISA’s July 17 KEV addition.

    The Shadowserver Foundation tracks approximately 10,000 internet-exposed SharePoint Server instances globally. Organizations running on-premises SharePoint Server — as opposed to SharePoint Online within Microsoft 365 — are the affected population; SharePoint Online customers are not impacted by this vulnerability class. Those 10,000 exposed instances represent the enterprise document repositories, intranet portals, and workflow systems of organizations that chose on-premises SharePoint deployments for data sovereignty or compliance reasons.

    Microsoft’s Advisory Revision Signals Pre-Patch Exploitation Window

    The revision of Microsoft’s advisory from “no known exploitation” to “exploitation detected before patches were available” is itself a significant development. Advisory revisions of this kind indicate that Microsoft’s threat intelligence team — or information shared by external researchers or government partners — detected active exploit traffic targeting CVE-2026-58644 in the period between vulnerability discovery and the July 14 patch release. The gap between exploitation and patch availability is the zero-day window, and CISA’s KEV addition confirms that window existed and was actively used against real targets.

    SharePoint Server occupies a central position in enterprise document management and collaboration workflows. Unauthorized code execution on a SharePoint server provides access to organizational documents across departments, user credential data, and workflows connected to other business systems. The severity of unauthorized access scales with the breadth of documents and workflows a SharePoint deployment hosts — in large organizations and government agencies, the SharePoint server functions as an organizational knowledge base spanning departments.

    The confirmation of zero-day exploitation status for CVE-2026-58644, combined with the July 19 federal patch mandate, reflects CISA’s assessment that active attacks on SharePoint installations are ongoing and present an immediate threat to both federal networks and the wider population of on-premises SharePoint deployments globally.

    Related Posts