On July 16, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-58644, a critical vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms the vulnerability has been actively exploited in the wild as a zero-day. The flaw is a deserialization of untrusted data with a CVSS score of 9.8, enabling an authenticated attacker to achieve remote code execution (RCE). Microsoft SharePoint Server is a common target for threat actors, and this flaw provides a direct path to server compromise. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the patch by July 19, 2026. All organizations are strongly advised to prioritize patching and investigate for potential compromise.
CVE-2026-58644The vulnerability allows an attacker who has already gained Site Owner-level privileges on a SharePoint site to inject and execute arbitrary code on the underlying server. While the attack requires prior authentication, the privileges needed are commonly held by departmental administrators or power users, not just server administrators. This makes the attack feasible once an initial foothold is gained through other means like phishing. The attack complexity is low.
The vulnerability affects the following on-premises Microsoft SharePoint Server versions:
SharePoint Online is not affected.
Microsoft confirmed that CVE-2026-58644 was exploited as a zero-day before the patch was released on July 14, 2026. CISA's addition to the KEV catalog on July 16 reinforces the urgency. Threat actors are known to chain SharePoint vulnerabilities for post-exploitation activities. CISA noted that this flaw, along with others like CVE-2026-56164, is being used to steal IIS machine keys for further access and to deploy malware for persistence, such as web shells. This indicates that the exploit is being used by sophisticated actors for sustained access.
Successful exploitation of CVE-2026-58644 leads to full remote code execution on the SharePoint server, with severe potential impacts:
T1505.003 - Web Shell.No specific file hashes, domains, or IP addresses were provided in the source articles for use as IOCs.
The following patterns may help identify vulnerable or compromised systems:
process_namew3wp.execmd.exe, powershell.exe) or making unusual network connections.file_pathC:\inetpub\wwwroot\wss\VirtualDirectories\.aspx, .ashx, or .asmx files, which could be web shells.event_id4688log_sourceSharePoint ULS Logs.aspx or other web-executable files. Use D3-FA: File Analysis to check for common web shell signatures and characteristics.w3wp.exe process initiates suspicious child processes like powershell.exe, cmd.exe, whoami.exe, or net.exe. This is a strong indicator of RCE.Applying the security update from Microsoft is the primary method to remediate the vulnerability.
Mapped D3FEND Techniques:
Using EDR and AMSI to detect and block malicious behaviors, such as a web server process spawning a command shell, can prevent exploitation.
Hardening file permissions on web directories can make it more difficult for attackers to write and execute web shells.
Mapped D3FEND Techniques:
Auditing and limiting the number of accounts with 'Site Owner' privileges reduces the attack surface.
The most effective and urgent countermeasure against CVE-2026-58644 is to apply the July 2026 security update from Microsoft. Since this was exploited as a zero-day and is now in CISA's KEV catalog, patching cannot be deferred. Organizations must activate their emergency patching protocols for all on-premises SharePoint Server instances (Subscription Edition, 2019, and 2016). Prioritize internet-facing servers first, then internal production servers. Use vulnerability management tools to confirm the patch status of all assets post-deployment. Given that attackers are actively using this for RCE, the risk of remaining unpatched is severe and far outweighs the risk of a typical patch deployment. This action directly closes the deserialization vulnerability, preventing attackers from gaining code execution through this vector.
As a critical detection and response measure, security teams must implement D3-PA (Process Analysis) focused on the SharePoint server's IIS worker process, w3wp.exe. Configure EDR solutions and SIEM rules to generate high-severity alerts when w3wp.exe spawns anomalous child processes, particularly command-line interpreters like cmd.exe and powershell.exe, or reconnaissance tools like whoami.exe and net.exe. This is a classic indicator of web application compromise and RCE. Establish a baseline of normal process behavior for your SharePoint environment, as some legitimate administrative tasks might spawn processes. However, any interactive shells or unexpected outbound network connections from w3wp.exe should be treated as a likely compromise. This technique is vital for detecting active exploitation on servers before patches can be applied, or for identifying a compromise that may have occurred prior to patching.
Microsoft releases its July Patch Tuesday update, including a patch for CVE-2026-58644.
Microsoft revises its advisory to confirm CVE-2026-58644 was exploited as a zero-day. CISA adds the CVE to its KEV catalog.
CISA's deadline for U.S. federal agencies to patch the vulnerability.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.