The Cybersecurity and Infrastructure Security Agency has confirmed that a critical Microsoft SharePoint vulnerability is being actively abused in the wild, adding it to the Known Exploited Vulnerabilities catalog on July 16, 2026. The flaw, tracked as CVE-2026-58644, gives unauthenticated attackers a path to run arbitrary code on exposed SharePoint servers with no login required.
How the Flaw Works
At the root of the issue is unsafe deserialization, catalogued under CWE-502. SharePoint, like many enterprise platforms, occasionally converts complex objects into a serialized format for storage or transmission and then reconstructs them later. When an application accepts serialized data from an untrusted source without properly validating it, an attacker can craft a malicious object that, once reconstructed, executes commands on the server instead of behaving as harmless data.
Because SharePoint is typically deployed to manage internal documents, workflows, and collaboration across entire organizations, a successful exploit hands an intruder a foothold deep inside the network — not just access to a single file share.
Why This Matters Now
CISA’s KEV listing is not a theoretical warning. It signals that the agency has verified exploitation is already happening against real targets. Once a vulnerability lands on that list, the clock starts for federal civilian agencies, which are bound by Binding Operational Directive 26-04 to assess exposure and apply fixes within a mandated window based on risk.
Private-sector organizations are not legally bound by BOD 26-04, but security teams typically treat a KEV addition as a strong signal to prioritize the same patch, since the directive reflects CISA’s read of active attacker interest rather than a hypothetical risk score.
SharePoint’s footprint compounds the danger. It sits at the center of document management and collaboration for a huge share of enterprise and government networks, and instances left reachable from the open internet are the most attractive targets. A previous scan effort identified over a thousand SharePoint servers publicly exposed, giving some sense of the scale of systems that could be at risk if left unpatched.
What Attackers Can Do With It
Because the vulnerability allows remote code execution before any authentication step, a successful attack chain typically unfolds as follows:
- The attacker sends a crafted serialized payload to a vulnerable SharePoint endpoint.
- The server deserializes the object and unintentionally executes attacker-controlled code.
- The intruder deploys a web shell or other backdoor to maintain access.
- From that foothold, the attacker can pivot laterally across the internal network, harvest credentials, or stage follow-on payloads, including ransomware.
While no specific ransomware group has been publicly tied to this campaign yet, deserialization bugs have a long history of being weaponized by both financially motivated ransomware crews and state-linked espionage operators precisely because they are reliable and require no user interaction.
CISA’s Recommended Response
The agency’s guidance for affected organizations centers on a few core actions. First and most urgent is applying Microsoft’s released patch or mitigation without delay. Where patching is not immediately possible, CISA advises taking the vulnerable SharePoint service offline entirely rather than leaving it exposed.
Beyond patching, CISA is pushing organizations to follow its Forensics Triage Requirements to check whether they have already been compromised. That process involves combing through server logs for anomalies such as unexpected child processes spawned by SharePoint, unusual authentication attempts, or file uploads that do not match normal user activity.
Additional hardening steps recommended by security teams include restricting external network access to SharePoint infrastructure wherever business needs allow, deploying endpoint detection and response tooling on servers hosting SharePoint, and running proactive threat hunts specifically looking for indicators tied to this vulnerability class.
The Bigger Picture
This is far from the first time SharePoint has landed in CISA’s crosshairs, and the pattern is a familiar one: widely deployed collaboration software, a serious unauthenticated flaw, and a narrow window between disclosure and mass exploitation attempts by opportunistic attackers scanning the internet for vulnerable instances.
For defenders, the practical takeaway is straightforward even if the underlying vulnerability class is technical. Internet-facing SharePoint deployments should be treated as high priority for patching the moment a fix becomes available, internal segmentation should limit what an attacker can reach if a server is compromised, and logging needs to be robust enough to catch the early signs of a breach before it turns into a wider incident. Given the confirmed active exploitation, organizations still running unpatched, internet-exposed SharePoint servers should treat this as an immediate operational priority rather than routine patch-cycle maintenance.
Leave a Reply