Threat actors have begun exploiting a fresh critical-severity remote code execution (RCE) vulnerability in Microsoft SharePoint, the US cybersecurity agency CISA warns.
Tracked as CVE-2026-58644 (CVSS score of 9.8) and fixed as part of Microsoft’s July 2026 Patch Tuesday updates, the flaw is described as a deserialization of untrusted data issue.
“In a network-based attack, an attacker authenticated as at least a Site Owner could write arbitrary code to inject and execute code remotely on the SharePoint Server,” Microsoft explains.
Microsoft’s security updates resolved several other SharePoint defects, including CVE-2026-56164, which was flagged as exploited in the wild as a zero-day, and CVE-2026-55040, a critical security bypass weakness that could allow attackers to disclose files and modify data.
Although CVE-2026-58644 was not initially marked as exploited, Microsoft has since updated its advisory to note that exploitation was detected and to update the vulnerability’s CVSS score.
On Thursday, two days after warning of the risk posed by these SharePoint security defects, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within three days, as mandated by BOD 26-04.
The cybersecurity agency also added to the KEV list CVE-2026-25089 and CVE-2026-39808, two OS command injection flaws in Fortinet FortiSandbox that were patched in June and April.
Both security defects allow attackers to execute arbitrary code or commands on vulnerable appliances. In mid-June, exploit intelligence company Defused flagged both as exploited in the wild.
In line with BOD 26-04 recommendations, federal agencies are required to patch the three exploited bugs within three days.
Related: Legacy Systems, Real-World Impacts: The Reality of OT Security
Related: Splunk, Zoom Patch Critical Vulnerabilities
Related: F5 Patches Multiple NGINX, BIG-IP Vulnerabilities
Related: Nightmare Eclipse Drops ‘LegacyHive’ Windows Zero-Day
