Back to Articles
critical

CRITICAL: Microsoft SharePoint Server Zero-Day CVE-2026-58644 Under Active Attack, CISA Sets Three-Day Clock

Microsoft confirmed CVE-2026-58644, a critical CVSS 9.8 deserialization flaw in on-premises SharePoint Server, was exploited as a zero-day before patches shipped. CISA added it to the KEV catalog with a July 19, 2026 federal deadline. It affects SharePoint Subscription Edition, 2019, and 2016, and attackers are stealing IIS machine keys for persistence.

By Danny Mercer, CISSP — Lead Security Analyst Jul 17, 2026
Is your business exposed? Our McKinney-based security team can assess your risk for free.
Share:

If you run SharePoint on your own hardware, this is the part of the month where you cancel your afternoon and start patching. Microsoft has confirmed that CVE-2026-58644, a critical remote code execution flaw in on-premises SharePoint Server, was exploited in the wild as a zero-day before any fix existed. CISA agreed with that assessment quickly enough that the bug landed in the Known Exploited Vulnerabilities catalog within days, and federal civilian agencies were handed a July 19, 2026 deadline to remediate. When the government gives you three days to fix something, it is not being dramatic. It is telling you that attackers are already inside somebody's network using this.

The vulnerability carries a CVSS score of 9.8, which puts it squarely in drop everything and patch this now territory. At its core it is a deserialization of untrusted data problem, the same class of weakness that has haunted SharePoint for years and turned it into one of the most reliably exploitable pieces of enterprise software on the planet. Microsoft describes the flaw as allowing an attacker authenticated as at least a Site Owner to write arbitrary code and execute it remotely on the SharePoint Server. That authentication requirement sounds reassuring for about half a second, until you remember how many organizations hand out Site Owner permissions like business cards and how easily those credentials get phished, sprayed, or purchased on a darkweb forum.

What makes this one genuinely dangerous is the combination of low attack complexity and internet reachability. Microsoft rates the complexity as low because an attacker does not need deep knowledge of the target environment and can achieve repeatable success. Plenty of on-premises SharePoint farms sit exposed to the public internet by design, because that is how remote employees and external collaborators reach them. That exposure, paired with a deserialization bug that hands over code execution, is exactly the recipe that produced the mass SharePoint compromises the industry has watched play out repeatedly over the past couple of years.

The affected products list covers every supported on-premises version. Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 are all vulnerable. Notice what is not on that list. SharePoint Online, the cloud-hosted version living inside Microsoft 365, is not affected here, which is one more data point in the long-running argument that moving off self-hosted collateral reduces your exposure to exactly this kind of fire drill. If you are still running SharePoint 2016, keep in mind that its extended support window is closing fast, and you are now patching software that is rapidly approaching the point where Microsoft stops caring about it entirely.

Understanding how exploitation looks in the wild is where this story gets uncomfortable. The attackers are not stopping at simple code execution. Post-exploitation activity documented alongside this campaign includes stealing Internet Information Services machine keys, which is the detail that should keep defenders awake. Those machine keys are the cryptographic material SharePoint uses to sign and validate ViewState and other serialized payloads. Once an attacker has your IIS machine keys, they can forge valid deserialization payloads at will, which means they can walk back in through the front door even after you patch the original vulnerability. Rotating those keys becomes mandatory, not optional, because a patched server with stolen keys is still a compromised server. Beyond key theft, the observed activity includes establishing persistence through deserialization techniques and deploying additional malware to maintain a foothold.

That persistence angle is the whole reason CISA is treating this with more urgency than a typical critical patch. This is not a case where installing the update makes the problem disappear. If your SharePoint server was internet-facing and unpatched during the zero-day window, you have to operate under the assumption that it may already be compromised. The patch closes the door, but it does nothing about an intruder who already made copies of your keys and set up shop before you arrived.

So what do you actually do. First and most obviously, apply the July 14, 2026 Patch Tuesday updates from Microsoft that address CVE-2026-58644. That is the non-negotiable starting point, and if you manage a farm exposed to the internet, it should have happened yesterday. After patching, rotate your IIS machine keys, because leaving the old keys in place after a known exploitation event is like changing your locks but leaving a copy of the old key under the mat. CISA specifically recommends enabling Antimalware Scan Interface integration so that SharePoint hands serialized payloads to your endpoint protection for inspection, which has proven effective at catching the malicious ViewState payloads this class of attack relies on.

From there the hardening guidance is about shrinking the attack surface and improving your odds of catching an intrusion. Blocking external access to SharePoint Central Administration keeps the most sensitive management interface off the public internet, and restricting farm and database communications to only the systems that genuinely need them limits how far an attacker can move if they do get in. CISA also urges organizations to avoid direct internet exposure of SharePoint servers wherever possible, to establish tailored logging so that suspicious activity actually shows up somewhere reviewable, and to go hunting for intrusion artifacts rather than waiting for an alert to fire on its own.

On the detection front, the machine key theft gives you something concrete to look for. Watch for anomalous ViewState deserialization errors and for authentication events that do not line up with legitimate user behavior. Unexpected child processes spawning from the SharePoint w3wp.exe worker process are a classic sign of code execution through this vector, so if your SharePoint host suddenly starts launching command shells or PowerShell, that is your smoke alarm. Outbound connections from the SharePoint server to unfamiliar infrastructure, especially shortly after a spike in requests to serialization endpoints, deserve immediate investigation. And because the attackers are after machine keys, any access to the web.config files or the registry locations where those keys live should be scrutinized closely.

For managed service providers, this is one of those events that writes its own sales pitch. Every client still running on-premises SharePoint is a client who needs to hear from you today, and a rapid response engagement that covers emergency patching, machine key rotation, and a compromise assessment is an easy, justifiable spend when the alternative is explaining a breach to their board. This is also the perfect moment to have the migration conversation you have probably been postponing, because nothing sells a move to SharePoint Online or a managed cloud posture quite like a 9.8 zero-day that only affects the self-hosted version. Bundle in ongoing vulnerability management, darkweb credential monitoring so you know when those Site Owner logins show up for sale, and continuous log monitoring, and you have turned a bad Patch Tuesday into a recurring revenue relationship built on genuine value rather than fear.

The uncomfortable truth underneath all of this is that on-premises SharePoint has become a perennial liability, and the attackers know it. They keep coming back to the same well because deserialization bugs keep surfacing and because so many organizations leave these servers exposed and under-monitored. CVE-2026-58644 is just the latest entry in a long ledger. Patch it, rotate your keys, hunt for the intruder who may already be there, and then have an honest conversation about whether hosting your own SharePoint farm is still worth the recurring emergencies it keeps inviting into your environment.

References

Concerned about this threat?

Our security team can assess your exposure and recommend immediate actions.

Get a Free Assessment →