CISA has added CVE-2026-58644 to the Known Exploited Vulnerabilities catalog after active exploitation of Microsoft SharePoint Server was reported. The vulnerability is a critical deserialization issue affecting supported on-premises SharePoint Server versions, including Subscription Edition, 2019, and 2016. Microsoft’s advisory describes a network-based path to remote code execution, and CISA’s guidance ties the broader SharePoint exploitation activity to post-exploitation behaviors like IIS machine-key theft, deserialization abuse, persistence, and malware deployment.

For SMBs and government contractors, this is not just another patch item. SharePoint often sits at the intersection of internal documents, partner access, project artifacts, controlled unclassified information workflows, and identity-integrated collaboration. If an attacker gets code execution on an exposed SharePoint server, the blast radius can extend beyond one web application into file stores, service accounts, authentication material, and lateral movement paths.

What changed

The key development is the KEV listing and the accelerated remediation clock. CISA’s July 16 alert added CVE-2026-58644 alongside two FortiSandbox flaws, based on evidence of active exploitation. CISA set a July 19, 2026 remediation due date for federal civilian agencies, but the guidance is useful for any organization running internet-reachable or partner-facing SharePoint.

CISA also warned that recent SharePoint exploitation activity includes CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and CVE-2026-58644. That matters because defenders should not treat this as a single-CVE checklist. The operational pattern is a SharePoint compromise chain: gain access, execute code, harvest protected IIS secrets, maintain persistence, and use the server as a foothold.

Why this matters

SharePoint servers are attractive because they are document-rich, identity-connected, and frequently trusted by the rest of the environment. They also tend to be treated like “business apps” instead of tiered infrastructure. That creates a dangerous gap: a server holding sensitive content and authentication material may not receive the same segmentation, logging, and incident-response attention as a domain controller or VPN appliance.

The machine-key angle is especially important. If attackers steal IIS machine keys or other protected secrets before defenders rotate them, they may be able to keep exploiting trust relationships after a patch is installed. That is why CISA specifically recommends hunting for intrusion artifacts before rotating keys. Patch-first is necessary, but patch-only may leave a persistence problem behind.

Defensive priorities for SharePoint owners

  • Patch and verify installation. Apply the latest Microsoft SharePoint security updates and confirm the build numbers actually changed across every front-end and application server.
  • Hunt before rotating secrets. Review for webshells, suspicious worker-process activity, unusual requests, machine-key access, and post-exploitation tooling before rotating IIS machine keys.
  • Enable AMSI integration. CISA recommends verifying AMSI integration for each SharePoint web application and using full request-body scanning where feasible.
  • Reduce external exposure. Do not leave SharePoint directly exposed to the internet unless there is a hard business requirement. If exposure is required, put it behind an authenticated Layer 7 reverse proxy or equivalent application-layer control.
  • Lock down Central Administration. Block external access, restrict farm and database communications to required systems, and review SharePoint-specific port and web.config hardening guidance.
  • Preserve logs now. Pull IIS logs, SharePoint ULS logs, Windows event logs, EDR telemetry, and reverse-proxy/WAF logs before retention windows roll over.

Bulwark Black assessment

This is the kind of vulnerability that should move from “monthly patch cycle” to “incident-response posture.” If your organization runs on-premises SharePoint and it has been internet-accessible, assume the question is not only whether the server is patched, but whether it was touched before the patch landed.

For government contractors, the practical move is to treat SharePoint like part of the sensitive collaboration control plane. Map where CUI, proposal material, contract documents, credentials, backups, and service accounts intersect with SharePoint. Then prioritize hardening and logging around those paths. A compromised collaboration server can become both a data-theft platform and a launchpad into the rest of the environment.

Original source: The Hacker News — CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV. Additional references: CISA SharePoint hardening alert, CISA KEV addition notice, and Microsoft MSRC CVE-2026-58644 advisory.