Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly patched security flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 19, 2026. The vulnerability in question is CVE-2026-58644 (CVSS score: 9.8), a critical deserialization
Analysis Summary
# Vulnerability: Critical Deserialization RCE in Microsoft SharePoint Server
## CVE Details
- **CVE ID:** CVE-2026-58644
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Deserialization of Untrusted Data (CWE-502)
## Affected Systems
- **Products:** Microsoft SharePoint Server
- **Versions:**
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Enterprise Server 2016
- **Configurations:** Systems exposed to the internet or accessible within the internal network.
## Vulnerability Description
CVE-2026-58644 is a critical deserialization flaw. It occurs when the application processes untrusted data without sufficient validation, allowing an attacker to manipulate the serialized stream to execute arbitrary code. In this specific case, an authenticated attacker (possessing Site Owner permissions) can perform a network-based attack to inject and execute remote code on the SharePoint Server.
## Exploitation
- **Status:** Exploited in the wild (Zero-day). Added to CISA KEV catalog.
- **Complexity:** Low (Repeatable success with no significant prior knowledge required).
- **Attack Vector:** Network (Remotely exploitable over the internet).
## Impact
- **Confidentiality:** High (Full access to data stored on the server).
- **Integrity:** High (Ability to modify data and system files).
- **Availability:** High (Potential for complete system takeover or service disruption).
## Remediation
### Patches
- Released by Microsoft as part of the **July 14, 2026, Patch Tuesday** updates. FCEB agencies must apply these by **July 19, 2026**.
### Workarounds
- **Disable Internet Exposure:** Avoid exposing SharePoint Servers directly to the internet unless strictly necessary.
- **Access Control:** Block external access to SharePoint Central Administration.
- **Restrict Communications:** Limit farm and database communications to required systems only.
## Detection
- **AMSI Integration:** Ensure Antimalware Scan Interface (AMSI) is enabled for each SharePoint web application.
- **Intrusion Artifacts:** Scan for machine key harvesting tools and presence of unauthorized web shells.
- **Logging:** Establish tailored logging to monitor for suspicious deserialization activities or unauthorized IIS machine key access.
- **Key Rotation:** Before rotating IIS machine keys, verify the system is clean to avoid rotating a key that has already been stolen.
## References
- **CISA KEV Catalog:** hxxps[://]www.cisa.gov/known-exploited-vulnerabilities-catalog
- **Microsoft Security Advisory:** hxxps[://]msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58644
- **SharePoint Hardening Guidance:** hxxps[://]learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/security-hardening