SharePoint Vulnerability Exploited Shortly After Disclosure
Cybercriminals have initiated exploitation of a newly disclosed critical remote code execution flaw in Microsoft SharePoint, according to warnings from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The vulnerability, designated as CVE-2026-58644 with a CVSS score of 9.8, was addressed in Microsoft’s July 2026 Patch Tuesday updates. It stems from a deserialization of untrusted data vulnerability, allowing attackers with Site Owner-level access to inject and execute arbitrary code on affected SharePoint servers. Microsoft’s security updates also resolved additional SharePoint flaws, including CVE-2026-56164, which was previously identified as a zero-day exploited in the wild, and CVE-2026-55040, a critical security bypass flaw enabling unauthorized file access and data modification. While CVE-2026-58644 was initially not flagged as actively exploited, Microsoft later updated its advisory to confirm detection of real-world attacks and revised the CVSS score accordingly. CISA added CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, three days after initially highlighting the risks associated with these SharePoint vulnerabilities. The agency mandated that federal agencies address the flaw within three days, aligning with the requirements of BOD 26-04. This directive also applies to two additional vulnerabilities, CVE-2026-25089 and CVE-2026-39808, which are OS command injection flaws in Fortinet FortiSandbox. These were patched in June and April 2026, respectively, and were flagged as exploited by exploit intelligence firm Defused in mid-June. The KEV list now includes three vulnerabilities requiring urgent mitigation. Attackers leveraging these flaws can execute arbitrary code or commands on vulnerable systems, posing significant risks to organizational security postures. Other recent security updates include patches for critical vulnerabilities in Fortinet, Ivanti, and ServiceNow. Meanwhile, ongoing threats such as unpatched Cursor vulnerabilities and advanced persistent threats like Nightmare Eclipse’s LegacyHive zero-day continue to challenge enterprise security teams. CISA has reiterated the importance of immediate remediation for exploited SharePoint vulnerabilities, emphasizing the need for proactive patch management to prevent exploitation. The agency’s actions underscore the evolving threat landscape, where timely response to disclosed flaws remains critical to mitigating potential breaches.
