Back to blog
CVESharePointRCEtechnique

SharePoint CVE-2026-58644: a critical RCE zero-day added to the CISA KEV catalog

Published on 2026-07-176 min readCleanIssue

> In short: CVE-2026-58644 is a critical deserialization-of-untrusted-data flaw (CVSS 9.8) in Microsoft SharePoint Server. An attacker authenticated as at least Site Owner can write and execute arbitrary code remotely over the network. Actively exploited as a zero-day before the July 14 Patch Tuesday fix. CISA added it to its KEV catalog on July 16 with a July 19 deadline for federal agencies.

Why this matters to you

You probably don't sell SharePoint — but a large share of your enterprise clients run their intranet, document management, or onboarding portal on it. Many HR SaaS vendors integrate with Microsoft 365 to pull employee files, contracts, or payslips. A compromised SharePoint Server next to your integration is a direct path to the data your product handles.

And SharePoint Servers are routinely exposed to the internet — often by an IT team that isn't yours, on a patching cadence you don't control.

The flaw in two sentences

CVE-2026-58644 is a deserialization vulnerability. An attacker authenticated as at least Site Owner can, over the network, write arbitrary code and have it executed by the SharePoint Server. Microsoft flags the attack complexity as low: no significant prior knowledge of the system, and repeatable success with the same payload.

Deserialization flaws are a classic RCE pattern: when the server rebuilds an object from attacker-controlled bytes without enough validation, the attacker can steer execution into malicious code. It is the same family of bugs that has plagued Java app servers, Jenkins, and Confluence for years.

A cluster of SharePoint flaws, not a one-off

CVE-2026-58644 is not isolated. CISA's July 14 alert names a whole set of actively exploited SharePoint Server vulnerabilities — CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, CVE-2026-58644 — all enabling RCE or post-exploitation on on-premises instances. The pattern attackers follow is consistent: get RCE, steal the IIS machine key, use it for persistence and to sign further malicious payloads.

The IIS machine key theft is the detail to remember. Once an attacker has it, rotating the key is not enough — you must first hunt for and remove the persistence artifacts, otherwise the new key gets stolen again.

Affected versions

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016
  • All supported on-premises versions, in other words. SharePoint Online (Microsoft 365) is not affected the same way — Microsoft patches it server-side.

    What to do

  • Apply the July 14 Patch Tuesday fixes and verify they actually installed. Shorten your SharePoint patching cycle — this is no longer a quarterly concern.
  • Enable AMSI integration for every SharePoint web application. It is the single most effective detection layer for this class of attack, and Microsoft lists it as a partial mitigation for the related CVE-2026-56164.
  • Stop exposing SharePoint Servers to the internet. Restrict external access to SharePoint Central Administration, and limit farm/database communications to the systems that actually need them.
  • Before rotating IIS machine keys, scan for and remove intrusion artifacts (key-harvesting tools). Rotating first just hands the new key back to the attacker.
  • Set up tailored logging to detect exploitation — you want to know whether the instance was hit before the patch.
  • The broader lesson for SaaS vendors

    This CVE is a reminder that your clients' security posture affects yours. When an HR platform integrates with SharePoint, a breach on the SharePoint side can spill credentials, tokens, or documents straight into your product. Documenting integration security expectations with your enterprise clients — M365 tenant hardening, SharePoint patching, scoped app permissions — is now part of an HR SaaS vendor's job, not just the client's IT team.

    If you operate on-premises infrastructure alongside your SaaS (a SharePoint farm for a legacy module, a document repository), the same urgency applies to you directly.

    Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit