[KEV] CVE-2026-58644 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-58644 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-58644 is a deserialization of untrusted data vulnerability in Microsoft SharePoint that allows an unauthenticated, remote attacker to execute arbitrary code over a network.
Technical Detail
The flaw resides in SharePoint's handling of serialized data, where the application fails to properly validate or sanitize untrusted input before deserializing it. An attacker can send a crafted payload over the network without requiring prior authentication, triggering the deserialization process and achieving remote code execution (RCE) on the underlying server. Successful exploitation could result in full compromise of the SharePoint server, including access to hosted data, credentials, and lateral movement opportunities within the network.
Exploitation Status
CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on July 16, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliable, real-world use exists and is being actively leveraged against targets. This is not limited to proof-of-concept demonstrations; the vulnerability is being used in live attack chains.
Who Is Targeting This
No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this CVE based on currently available data. Given the nature of the vulnerability and its KEV listing, attribution analysis is likely ongoing.
What To Do
Apply the relevant Microsoft SharePoint security update immediately. Per CISA's Known Exploited Vulnerabilities catalog, federal civilian executive branch agencies are required to remediate this vulnerability by the deadline associated with the July 16, 2026 KEV listing, typically within 14 days of addition unless otherwise specified. All organizations running Microsoft SharePoint should treat this as a critical priority patch regardless of the CVSS score, which does not reflect the confirmed in-the-wild exploitation. Until patching is complete, consider restricting external network access to SharePoint instances, enabling enhanced logging on SharePoint servers to detect anomalous deserialization activity, and monitoring for unexpected process spawning from SharePoint worker processes. Review Microsoft's official security advisory for version-specific patch guidance and any available interim mitigations.