CISA has added CVE-2026-58644, a critical deserialization vulnerability affecting Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw carries a CVSS score of 9.8 and was added to the catalog on July 16, 2026, requiring Federal Civilian Executive Branch (FCEB) agencies to apply available fixes by July 19, 2026.

The vulnerability affects all supported on-premises versions of SharePoint Server, including Subscription Edition, 2019, and 2016. It is one of four vulnerabilities CISA says are being actively exploited to gain unauthorized access to on-premises SharePoint instances, alongside CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. CISA added those flaws to the KEV catalog on April 14, July 1, and July 14, 2026, respectively.

According to CISA, threat actors are chaining these bugs to establish remote code execution and then conduct post-exploitation activity, including stealing Internet Information Services (IIS) machine keys and using deserialization techniques to gain persistence and deploy malware. A fifth vulnerability, CVE-2026-55040, has been disclosed by Microsoft as a potential risk but is not yet confirmed as exploited.

Detection and Hardening Guidance

CISA has published specific Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (MDAV) detection signatures tied to this activity, including signatures for suspicious request bodies, ToolPane authentication bypass attempts, and a backdoor associated with IIS-protected secret theft. The agency recommends enabling AMSI integration in Full Mode for request body scanning on all SharePoint web applications.

Organizations that suspect compromise are urged to hunt for machine-key harvesters before rotating IIS machine keys, since unremediated intrusion artifacts could allow attackers to steal newly rotated keys as well. CISA also recommends reviewing telemetry for anomalous requests, suspicious SharePoint worker-process activity, and webshells.

Additional hardening steps include avoiding direct internet exposure of SharePoint Servers unless necessary, placing any internet-facing instance behind a Layer 7 reverse proxy with authentication and request inspection, blocking external access to SharePoint Central Administration, and restricting farm and database communications to required systems only.

CISA is asking organizations to report incidents or anomalous activity through its 24/7 Operations Center.