CISA Adds SharePoint RCE CVE-2026-58644 to KEV Catalog

CISA KEV Alert: SharePoint RCE zero-day exploited in the wild

CRITICAL
July 17, 2026
5m read
VulnerabilityPatch ManagementCyberattack

Related Entities

Organizations

CVE Identifiers

CVE-2026-58644
CRITICAL
CVSS:9.8

Full Report

Executive Summary

On July 16, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-58644, a critical vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms the vulnerability has been actively exploited in the wild as a zero-day. The flaw is a deserialization of untrusted data with a CVSS score of 9.8, enabling an authenticated attacker to achieve remote code execution (RCE). Microsoft SharePoint Server is a common target for threat actors, and this flaw provides a direct path to server compromise. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the patch by July 19, 2026. All organizations are strongly advised to prioritize patching and investigate for potential compromise.

Vulnerability Details

  • CVE ID: CVE-2026-58644
  • Severity: Critical
  • CVSS Score: 9.8
  • Vulnerability Type: Deserialization of Untrusted Data
  • Attack Vector: Network
  • Prerequisites: Attacker must be authenticated with "Site Owner" privileges.

The vulnerability allows an attacker who has already gained Site Owner-level privileges on a SharePoint site to inject and execute arbitrary code on the underlying server. While the attack requires prior authentication, the privileges needed are commonly held by departmental administrators or power users, not just server administrators. This makes the attack feasible once an initial foothold is gained through other means like phishing. The attack complexity is low.

Affected Systems

The vulnerability affects the following on-premises Microsoft SharePoint Server versions:

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016

SharePoint Online is not affected.

Exploitation Status

Microsoft confirmed that CVE-2026-58644 was exploited as a zero-day before the patch was released on July 14, 2026. CISA's addition to the KEV catalog on July 16 reinforces the urgency. Threat actors are known to chain SharePoint vulnerabilities for post-exploitation activities. CISA noted that this flaw, along with others like CVE-2026-56164, is being used to steal IIS machine keys for further access and to deploy malware for persistence, such as web shells. This indicates that the exploit is being used by sophisticated actors for sustained access.

Impact Assessment

Successful exploitation of CVE-2026-58644 leads to full remote code execution on the SharePoint server, with severe potential impacts:

  • Server Compromise: Attackers gain control of the server, allowing them to install malware, including ransomware or backdoors like T1505.003 - Web Shell.
  • Data Exfiltration: Access to all data stored on the SharePoint server, including sensitive corporate documents, intellectual property, and personal information.
  • Lateral Movement: The compromised SharePoint server can be used as a pivot point to move laterally within the corporate network, escalating the breach.
  • Persistence: Attackers can establish long-term persistence by stealing IIS machine keys or deploying other malware, making remediation difficult.

IOCs — Directly from Articles

No specific file hashes, domains, or IP addresses were provided in the source articles for use as IOCs.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

Type
process_name
Value
w3wp.exe
Description
The IIS worker process that runs SharePoint. Monitor for this process spawning command shells (cmd.exe, powershell.exe) or making unusual network connections.
Context
EDR, Host-based logs
Type
file_path
Value
C:\inetpub\wwwroot\wss\VirtualDirectories\
Description
Default path for SharePoint web applications. Monitor for newly created or modified .aspx, .ashx, or .asmx files, which could be web shells.
Context
File Integrity Monitoring (FIM)
Type
event_id
Value
4688
Description
Windows Security Event ID for process creation. Enable command-line logging and audit for suspicious commands executed by the SharePoint application pool identity.
Context
Windows Event Logs, SIEM
Type
log_source
Value
SharePoint ULS Logs
Description
SharePoint's Unified Logging Service logs may contain errors or anomalies related to deserialization failures during an exploitation attempt.
Context
Application server log analysis

Detection & Response

  1. Hunt for Web Shells: Proactively scan SharePoint server web directories for suspicious .aspx or other web-executable files. Use D3-FA: File Analysis to check for common web shell signatures and characteristics.
  2. Process Monitoring: Implement EDR rules to detect when the w3wp.exe process initiates suspicious child processes like powershell.exe, cmd.exe, whoami.exe, or net.exe. This is a strong indicator of RCE.
  3. Enable AMSI: As recommended by CISA, ensure the Antimalware Scan Interface (AMSI) integration for SharePoint is enabled. This allows endpoint security products to inspect scripts and commands executed by SharePoint for malicious content.
  4. Review Site Owner Permissions: Audit all users and groups with "Site Owner" privileges. Scrutinize these accounts for any signs of compromise and reduce the number of accounts with this permission level to the absolute minimum required.

Mitigation

  1. Apply Security Updates: The primary mitigation is to immediately apply the July 2026 security updates for the respective SharePoint Server versions. This is a direct implementation of D3-SU: Software Update.
  2. Harden SharePoint: Follow CISA's guidance on SharePoint hardening. This includes disabling unused services, applying the principle of least privilege for service accounts, and restricting administrative access.
  3. Network Segmentation: Isolate SharePoint servers from the general user network. Restrict outbound internet access from the servers to prevent easy data exfiltration or C2 communication. This aligns with D3-NI: Network Isolation.
  4. Regular Audits: Implement regular, automated audits of SharePoint permissions and configurations to detect unauthorized changes or privilege escalation.

Timeline of Events

1
July 14, 2026
Microsoft releases its July Patch Tuesday update, including a patch for CVE-2026-58644.
2
July 16, 2026
Microsoft revises its advisory to confirm CVE-2026-58644 was exploited as a zero-day. CISA adds the CVE to its KEV catalog.
3
July 17, 2026
This article was published
4
July 19, 2026
CISA's deadline for U.S. federal agencies to patch the vulnerability.

MITRE ATT&CK Mitigations

Applying the security update from Microsoft is the primary method to remediate the vulnerability.

Mapped D3FEND Techniques:

Using EDR and AMSI to detect and block malicious behaviors, such as a web server process spawning a command shell, can prevent exploitation.

Hardening file permissions on web directories can make it more difficult for attackers to write and execute web shells.

Mapped D3FEND Techniques:

Auditing and limiting the number of accounts with 'Site Owner' privileges reduces the attack surface.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

The most effective and urgent countermeasure against CVE-2026-58644 is to apply the July 2026 security update from Microsoft. Since this was exploited as a zero-day and is now in CISA's KEV catalog, patching cannot be deferred. Organizations must activate their emergency patching protocols for all on-premises SharePoint Server instances (Subscription Edition, 2019, and 2016). Prioritize internet-facing servers first, then internal production servers. Use vulnerability management tools to confirm the patch status of all assets post-deployment. Given that attackers are actively using this for RCE, the risk of remaining unpatched is severe and far outweighs the risk of a typical patch deployment. This action directly closes the deserialization vulnerability, preventing attackers from gaining code execution through this vector.

As a critical detection and response measure, security teams must implement D3-PA (Process Analysis) focused on the SharePoint server's IIS worker process, w3wp.exe. Configure EDR solutions and SIEM rules to generate high-severity alerts when w3wp.exe spawns anomalous child processes, particularly command-line interpreters like cmd.exe and powershell.exe, or reconnaissance tools like whoami.exe and net.exe. This is a classic indicator of web application compromise and RCE. Establish a baseline of normal process behavior for your SharePoint environment, as some legitimate administrative tasks might spawn processes. However, any interactive shells or unexpected outbound network connections from w3wp.exe should be treated as a likely compromise. This technique is vital for detecting active exploitation on servers before patches can be applied, or for identifying a compromise that may have occurred prior to patching.

Timeline of Events

1
July 14, 2026

Microsoft releases its July Patch Tuesday update, including a patch for CVE-2026-58644.

2
July 16, 2026

Microsoft revises its advisory to confirm CVE-2026-58644 was exploited as a zero-day. CISA adds the CVE to its KEV catalog.

3
July 19, 2026

CISA's deadline for U.S. federal agencies to patch the vulnerability.

Sources & References

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

CVE-2026-58644SharePointMicrosoftCISAKEVZero-DayRCEVulnerability

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.