SharePoint CVE-2026-58644: a critical RCE zero-day added to the CISA KEV catalog
> In short: CVE-2026-58644 is a critical deserialization-of-untrusted-data flaw (CVSS 9.8) in Microsoft SharePoint Server. An attacker authenticated as at least Site Owner can write and execute arbitrary code remotely over the network. Actively exploited as a zero-day before the July 14 Patch Tuesday fix. CISA added it to its KEV catalog on July 16 with a July 19 deadline for federal agencies.
Why this matters to you
You probably don't sell SharePoint — but a large share of your enterprise clients run their intranet, document management, or onboarding portal on it. Many HR SaaS vendors integrate with Microsoft 365 to pull employee files, contracts, or payslips. A compromised SharePoint Server next to your integration is a direct path to the data your product handles.
And SharePoint Servers are routinely exposed to the internet — often by an IT team that isn't yours, on a patching cadence you don't control.
The flaw in two sentences
CVE-2026-58644 is a deserialization vulnerability. An attacker authenticated as at least Site Owner can, over the network, write arbitrary code and have it executed by the SharePoint Server. Microsoft flags the attack complexity as low: no significant prior knowledge of the system, and repeatable success with the same payload.
Deserialization flaws are a classic RCE pattern: when the server rebuilds an object from attacker-controlled bytes without enough validation, the attacker can steer execution into malicious code. It is the same family of bugs that has plagued Java app servers, Jenkins, and Confluence for years.
A cluster of SharePoint flaws, not a one-off
CVE-2026-58644 is not isolated. CISA's July 14 alert names a whole set of actively exploited SharePoint Server vulnerabilities — CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, CVE-2026-58644 — all enabling RCE or post-exploitation on on-premises instances. The pattern attackers follow is consistent: get RCE, steal the IIS machine key, use it for persistence and to sign further malicious payloads.
The IIS machine key theft is the detail to remember. Once an attacker has it, rotating the key is not enough — you must first hunt for and remove the persistence artifacts, otherwise the new key gets stolen again.
Affected versions
All supported on-premises versions, in other words. SharePoint Online (Microsoft 365) is not affected the same way — Microsoft patches it server-side.
What to do
The broader lesson for SaaS vendors
This CVE is a reminder that your clients' security posture affects yours. When an HR platform integrates with SharePoint, a breach on the SharePoint side can spill credentials, tokens, or documents straight into your product. Documenting integration security expectations with your enterprise clients — M365 tenant hardening, SharePoint patching, scoped app permissions — is now part of an HR SaaS vendor's job, not just the client's IT team.
If you operate on-premises infrastructure alongside your SaaS (a SharePoint farm for a legacy module, a document repository), the same urgency applies to you directly.
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
Adobe ColdFusion CVE-2026-48282: a max-severity RCE exploited within 2 hours of disclosure
A maximum-severity flaw (CVSS 9.8) in Adobe ColdFusion 2025.9, 2023.20 and earlier allows unauthenticated remote code execution. Exploitation started within 2 hours of Adobe's disclosure. ~800 instances exposed online. Fix available.
Microsoft Patch Tuesday July 2026: a record 570 flaws and 3 zero-days
The July 14, 2026 Patch Tuesday fixes 570 vulnerabilities — a record — including 59 Critical and 3 zero-days. Two are actively exploited (AD FS, SharePoint), one is publicly disclosed (BitLocker bypass). What a SaaS team needs to retain.
Zoom CVE-2026-53412: a critical account takeover in the Windows desktop client
An improper input validation flaw (CVSS 9.8) in Zoom Workplace for Windows, the VDI Client, and the Meeting SDK lets an unauthenticated attacker take over accounts via network access. Affects versions before 7.0.0. Fix available.
Sources
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.