CISA has added CVE-2026-58644 to its Known Exploited Vulnerabilities catalog, requiring federal civilian agencies to apply patches by July 19. The critical vulnerability carries a CVSS score of 9.8 and allows remote code execution through deserialization of untrusted data.
An attacker authenticated as at least a Site Owner can exploit the flaw to write and execute arbitrary code remotely on a SharePoint Server. Microsoft has since revised its advisory to confirm that the vulnerability was exploited in the wild as a zero-day prior to the July 14 Patch Tuesday release.
CISA’s warning extends beyond this single CVE. The agency flagged active exploitation of three additional SharePoint vulnerabilities — CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 — which could enable unauthorized access to on-premises SharePoint instances.
The wide attack surface is compounded by the end of extended support for SharePoint Server 2016 and 2019, which coincides with this month’s patch cycle. Organizations running self-hosted SharePoint are urged to prioritize updates and enable AMSI in full mode as an additional defense layer.
