CISA Adds Critical SharePoint Server Flaw to KEV Catalog Amid Active Exploitation Warnings
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has issued a stark warning regarding active exploitation of several vulnerabilities impacting **Microsoft SharePoint Server**, adding a critical deserialization flaw, **CVE-2026-58644**, to its Known Exploited Vulnerabilities (**KEV**) catalog. Federal agencies are mandated to apply patches by July 19, 2026, as threat actors are actively leveraging these weaknesses to gain unauthorized access and deploy malware.
The **CISA** on Thursday officially included a newly patched security flaw affecting **Microsoft SharePoint Server** in its **KEV** catalog. This move requires Federal Civilian Executive Branch (**FCEB**) agencies to implement the necessary fixes by July 19, 2026.
### Critical SharePoint Vulnerability: CVE-2026-58644
The vulnerability in question is **CVE-2026-58644** (CVSS score: 9.8), a critical deserialization of untrusted data vulnerability. This flaw allows an authenticated attacker to execute arbitrary code remotely.
**Microsoft** elaborated in an advisory that "In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server."

**Redmond** highlighted that the vulnerability is remotely exploitable over the internet, noting the low attack complexity due to two factors:
* An attacker does not require significant prior knowledge of the system.
* An attacker can achieve repeatable success with the payload against the vulnerable component.
This vulnerability impacts several **SharePoint Server** versions:
* **Microsoft SharePoint Server Subscription Edition**
* **Microsoft SharePoint Server 2019**
* **Microsoft SharePoint Enterprise Server 2016**
Patches for **CVE-2026-58644** were released as part of the Patch Tuesday updates on July 14, 2026. **Microsoft** has since updated its bulletin, confirming that **CVE-2026-58644** has been actively exploited in the wild, indicating its weaponization as a zero-day before fixes were available.
### Broader SharePoint Exploitation Warnings
This development aligns with **CISA's** earlier warnings about active exploitation of multiple **SharePoint Server** vulnerabilities. These include **CVE-2026-32201**, **CVE-2026-45659**, **CVE-2026-56164**, and **CVE-2026-58644**, all of which could allow threat actors to gain unauthorized access to on-premises instances.
The federal cybersecurity watchdog stated, "These vulnerabilities affect all supported on-premises **SharePoint Server** versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (**RCE**) and post-exploitation activities, such as stealing Internet Information Services (**IIS**) machine keys and performing deserialization techniques, to gain persistence and deploy malware."
### CISA's Hardening Recommendations
To mitigate the threat, **CISA** has outlined crucial hardening measures:
* Apply the latest patches and security updates from **Microsoft**, verify successful installation, and shorten patching cycles.
* Verify that Antimalware Scan Interface (**AMSI**) integration is enabled for each **SharePoint** web application.
* Scan for and remove intrusion artifacts, including machine key harvesting tools, before rotating **IIS** machine keys.
* Establish tailored logging mechanisms to detect and monitor exploitation activities.
* Avoid exposing **SharePoint Servers** directly to the internet unless absolutely necessary.
* Block external access to **SharePoint Central Administration**, restrict farm and database communications to required systems, and review **Microsoft's SharePoint Server** security-hardening guidance for role-specific ports, services, and Web.config settings.
### Additional KEV Catalog Additions
In a related move, **CISA** also added two critical security flaws impacting **Fortinet FortiSandbox** (**CVE-2026-25089** and **CVE-2026-39808**) to the **KEV** catalog. This follows reports of active exploitation, with federal agencies given until July 19, 2026, to update their instances.