// 1 CRITICAL · 2 ZERO-DAY · 6 CVE · 3 EXPLOIT IN THE LAST 24H
Microsoft confirmed active exploitation of CVE-2026-58644 in SharePoint Server on-premises. CISA added the flaw to the KEV catalog with a July 19, 2026 patch deadline. Detection currently relies solely on host-based controls, as no network-based IOCs are available.

Microsoft published the advisory for CVE-2026-58644 on July 14, 2026, a deserialization-of-untrusted-data vulnerability in SharePoint Server on-premises carrying a CVSS score of 9.8. Two days later, CISA entered the flaw into the KEV catalog with a fixed due date of July 19, 2026. The window is exceptionally narrow and passive defenses are limited: at the time of Rapid7's analysis publication, no network-based IOCs exist, shifting the entire detection burden to host-based controls.

Key Takeaways
  • CVE-2026-58644 affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition with unauthenticated network RCE.
  • Microsoft confirmed active exploitation ("Exploitation Detected"); CISA added the flaw to the KEV catalog on July 16, 2026 with a patch deadline of July 19, 2026.
  • No publicly available network-based IOCs (IPs, domains, URLs) have emerged; detection centers on AMSI signatures and Microsoft Defender for Endpoint.
  • CISA recommends against exposing SharePoint directly to the internet and advises placing a Layer 7 reverse proxy upstream of the infrastructure.

A Deserialization Chain Requiring No Credentials

The vulnerability falls under CWE-502, deserialization of untrusted data. According to the NVD entry, curated by Microsoft as CNA, the flaw allows an unauthenticated attacker to execute arbitrary code over the network. The CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H vector confirms the absence of authentication prerequisites and low attack complexity.

A point of caution emerges from the MSRC advisory, where a section describes the exploitability scenario as "authenticated as at least a Site Owner." This wording does not immediately reconcile with the CVSS vector indicating an unauthenticated attacker. The dossier does not clarify whether this refers to alternative vectors or post-compromise phases. At present, primary sources agree in classifying the vulnerability as unauthenticated RCE, with Microsoft having activated the "Exploited Yes" flag on its platform.

Patched versions are documented in the NVD CPE: 16.0.19725.20434 for SharePoint Server Subscription Edition, 16.0.5556.1005 for SharePoint Enterprise Server 2016, and 16.0.10417.20153 for SharePoint Server 2019. Microsoft released the updates on July 14, 2026, making the patch available for three days as of the CISA deadline.

Active Exploitation Without Network Traces

Confirmation of active exploitation comes from convergent sources. Microsoft marked the flaw as "Exploitation Detected"; CISA entered CVE-2026-58644 into the KEV catalog with exploitation:active in SSVC scoring; the CISA alert of July 14, 2026 describes "active exploitation" of multiple SharePoint vulnerabilities, including the one at hand.

Nevertheless, Rapid7's analysis explicitly notes the absence of network-based indicators of compromise at the time of publication. This gap has concrete operational consequences: security teams cannot tune firewall, proxy, or IDS rules on specific malicious traffic signatures. The only documented detection path runs through AMSI (Antimalware Scan Interface) and Microsoft Defender.

"Microsoft confirmed active exploitation of CVE-2026-58644, and the vulnerability was subsequently added to CISA's Known Exploited Vulnerabilities (KEV) catalog on July 16, 2026" — Rapid7 analysis

The CISA alert lists three specific AMSI signatures: Exploit:Script/SuspSignoutReqBody.A, Exploit:Script/ToolPaneAuthBypass.A, and Exploit:Script/ToolPaneAuthBypass.C. For Microsoft Defender, the detection Backdoor:MSIL/LeakFang.A!dha is documented. These signatures provide a technical anchor for teams managing protected endpoints, but do not extend visibility to systems without Defender enabled or those operating in environments with third-party EDR solutions.

Immediate Actions

  • Apply the July 14, 2026 security updates for all affected versions of SharePoint Server on-premises by July 19, 2026, the CISA BOD 26-04 compliance date.
  • Verify the presence in your environment of the AMSI signatures Exploit:Script/SuspSignoutReqBody.A, Exploit:Script/ToolPaneAuthBypass.A, Exploit:Script/ToolPaneAuthBypass.C and the Defender detection Backdoor:MSIL/LeakFang.A!dha, documenting any matches.
  • Remove direct internet exposure of SharePoint Server, placing a Layer 7 reverse proxy upstream of the infrastructure per CISA recommendation.
  • Audit IIS configurations and machine keys: documented exploitation includes theft of keys for view state manipulation, a prerequisite for persistence via webshell.

CISA Pressure and the Visibility Problem

The three-day due date imposed by CISA is exceptionally compressed even by KEV catalog standards. The federal agency does not specify the rationale for this speed in the extracted content, but the combination of unauthenticated RCE, confirmed active exploitation, and SharePoint's ubiquity in enterprise environments justifies the priority. BOD 26-04 mandates U.S. federal agencies apply the patch by the deadline; for the private sector, the due date serves as a benchmark of responsibility in potential post-breach disputes.

The critical point remains the information asymmetry. Active adversaries already possess a working exploit chain; defenders, lacking network-based IOCs, must rely on host controls that cover only endpoints where Defender is installed and correctly configured. Organizations with heterogeneous EDR solutions or coverage gaps on SharePoint servers operate with a structural handicap.

Why Post-Exploitation Changes the Stakes

Even where the patch arrives in time, risk assessment does not end with closing the initial vulnerability. The dossier documents that exploitation includes theft of IIS machine keys, usable for view state manipulation. This mechanism opens two subsequent scenarios: webshell deployment for persistent access and installation of additional malware. Once obtained, persistence makes containment more complex than simply applying the update.

The dossier does not specify the nature of targeted data in case of compromise, nor does it document ransomware campaigns associated with this CVE. The CISA KEV catalog reports "Unknown" for ransomware campaigns. No infrastructure overlap emerges linking the exploitation activity to a known threat actor or documented campaign.

Architecture as the Last Line of Defense

CISA's recommendation to isolate SharePoint behind a Layer 7 reverse proxy is not a vulnerability mitigation, but an attack surface reduction. The proxy does not filter the deserialization payload itself — the vulnerability remains exploitable by anyone reaching the endpoint — but introduces a control point for logging, rate limiting, and potentially application-content inspection. Absent a timely patch, this architecture at least provides delayed detection and an auditable trail missing in direct exposure.

The tension between urgency and visibility defines the operational context for the next 48 hours. Organizations with exposed SharePoint on-premises must operate on the assumption that the adversary is already present or operating near the network. The patch is a necessary but insufficient condition: the verifier is host control, and host control has the documented limits.

FAQ

Is SharePoint Online affected by this vulnerability?
No. The flaw affects only on-premises editions: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. SharePoint Online, managed by Microsoft in the cloud, is not among the affected products.
Why did CISA allow only three days?
CISA has not published a detailed rationale in the extracted content. The combination of unauthenticated RCE, confirmed active exploitation, and SharePoint's prevalence in sensitive enterprise environments justifies the operational priority.
What is the "authenticated as Site Owner" discrepancy noted in the MSRC advisory?
A section of the Microsoft advisory describes the exploitability scenario as requiring authentication as a Site Owner, while the CVSS vector and primary sources indicate an unauthenticated attacker. The dossier does not resolve this incongruity; it may refer to alternative vectors or later attack phases.

Sources

Information verified against cited sources and current as of publication.

Sources


Sources and references
  1. rapid7.com
  2. nvd.nist.gov
  3. msrc.microsoft.com
  4. cisa.gov