CISA Adds SharePoint RCE Zero-Day CVE-2026-58644 to KEV Catalog With July 19 Patch Deadline
A CVSS 9.8 SharePoint zero-day joins CISA's KEV catalog with a two-day patch deadline — defender teams accelerate verification this week.
A critical SharePoint deserialization flaw moves from patched-this-week to KEV-cataloged in days, compressing the federal remediation window to July 19 and putting on-premises SharePoint patch state at the center of the defender agenda.
WASHINGTON — CISA added CVE-2026-58644, a critical remote code execution vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities catalog on July 16, 2026, requiring Federal Civilian Executive Branch agencies to apply the available fixes by July 19, 2026, according to reporting by The Hacker News and SecurityWeek. Carrying a CVSS score of 9.8 and classified as a deserialization of untrusted data issue, the flaw was patched only two days earlier in Microsoft's July 14 Patch Tuesday release, and its inclusion in the catalog reflects CISA's determination that it is being exploited in the wild — the sole criterion that qualifies any vulnerability for the KEV list.
For defenders, the significance lies in the timeline as much as the severity: a maximum-tier SharePoint flaw moved from patched to formally cataloged as exploited within days, and CISA's three-day deadline under Binding Operational Directive 26-04 leaves federal teams a narrow window to confirm the fix is in place. The reporting, published by The Hacker News and SecurityWeek, frames the addition as the latest escalation in a run of SharePoint Server exposures that The CyberSignal has been tracking, and it lands alongside a batch of related on-premises SharePoint flaws CISA has urged organizations to harden against.
What CISA Disclosed
According to reporting by The Hacker News, CISA added CVE-2026-58644 to the Known Exploited Vulnerabilities catalog on July 16, 2026, requiring Federal Civilian Executive Branch agencies to remediate it by July 19. The vulnerability affects Microsoft SharePoint Server, carries a CVSS score of 9.8, and is classified as a deserialization of untrusted data issue. CISA does not add flaws to the catalog on the strength of a severity score alone; inclusion is a statement that active exploitation has been observed, which is what separates a KEV entry from the far larger pool of high-severity vulnerabilities that are not known to be under attack.
Microsoft addressed CVE-2026-58644 in its July 14, 2026 Patch Tuesday release, and subsequently revised its advisory to note that the flaw had been exploited in the wild — meaning it was weaponized as a zero-day before the fix was available. According to reporting, Microsoft's advisory states that a remote, authenticated attacker holding at least Site Owner privileges could reportedly execute arbitrary code on an affected server. The Hacker News reports the vulnerability affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 — the full set of supported on-premises editions.
The CyberSignal is preserving the confirmable core of the reporting. What is established across sources is that CVE-2026-58644 exists, is rated CVSS 9.8, is a deserialization flaw in Microsoft SharePoint Server, was patched on July 14, was added to the KEV catalog on July 16 with a July 19 federal deadline, and is being exploited in the wild. Details such as the identity of any threat actor behind the exploitation, the number of federal or private systems affected, and whether this flaw is one of the specific issues flagged in earlier SharePoint hardening guidance are treated below as open questions rather than asserted facts.
Continuation Context: The SharePoint Server Thread
CVE-2026-58644 does not arrive in isolation. It extends a sequence of SharePoint Server exposures The CyberSignal has documented, beginning with a critical JWT authentication-bypass weakness tracked as CVE-2026-55040, and continuing through CISA's warning about multiple actively exploited on-premises SharePoint flaws earlier in the same week. Read together, these entries describe a platform whose on-premises deployments have become a recurring focus of exploitation reporting rather than a one-off disclosure.
The pattern also echoes an earlier deserialization issue in the same product line — a SharePoint Server deserialization RCE tracked as CVE-2026-45659 that The CyberSignal covered previously. Whether CVE-2026-58644 is directly related to any of those prior flaws, or is one of the specific vulnerabilities named in CISA's recent SharePoint hardening advisory, is not something the current reporting lets us confirm, and it is left open below. What the recurrence establishes is that on-premises SharePoint is drawing sustained attacker attention, and that a security team's inventory of SharePoint instances is now a live patch-management concern rather than a background one.
For defenders, the continuity is the actionable takeaway. An organization that has already been working through the earlier SharePoint advisories has the right instinct; CVE-2026-58644 raises the stakes on finishing that work and confirming it reached every on-premises instance. A team encountering the SharePoint thread for the first time this week should treat the accumulation of entries — not any single one — as the signal that its SharePoint estate warrants a dedicated verification pass.
The July 19 Patch Deadline and Defender-Team Implications
The July 19 deadline flows from Binding Operational Directive 26-04, CISA's risk-based directive that compresses remediation of exploited vulnerabilities to a three-day clock for the most urgent cases. Formally, that obligation binds only Federal Civilian Executive Branch agencies, which must remediate CVE-2026-58644 by July 19 or document a justified exception. But the two-day window is a useful benchmark for every defender, because it reflects CISA's assessment of how quickly a KEV-listed SharePoint flaw needs to be closed once exploitation is confirmed.
For security teams, the practical work is verification rather than mere availability of a patch. A KEV listing is, in effect, an instruction to treat the flaw as though attackers are already probing for it — because CISA's evidence says they are. That reframing turns patching from a scheduled maintenance activity into a control that is either present or absent on each system, with no partial credit for progress. Confirming that Microsoft's July 14 update has been applied, and applied everywhere the affected SharePoint editions run, is the concrete task the deadline demands.
Verification is where large environments most often fall short. A patch can be approved, staged, and even reported as deployed while a meaningful fraction of instances remain unpatched — forgotten servers, systems outside automated management, or on-premises SharePoint farms that sit off the normal update cadence. For an internet-reachable application server like SharePoint, an overlooked instance is precisely the kind of exposure a KEV listing is meant to force into the open, and the July 19 date is the prompt to enumerate every affected server and confirm the fixed build is running on each.
The Deserialization Framing in Context
CVE-2026-58644 is classified as a deserialization of untrusted data vulnerability — the same broad class as an earlier SharePoint Server flaw The CyberSignal has tracked, and a category that has repeatedly surfaced in critical RCE disclosures against enterprise application servers. The CyberSignal is not describing how the flaw is exploited; the operative point for defenders is that a deserialization weakness rated CVSS 9.8 in a widely deployed on-premises product is exactly the profile that tends to attract rapid, repeatable exploitation once details circulate.
That framing matters because it situates CVE-2026-58644 within a documented shift in attacker behavior. The 2026 Verizon Data Breach Investigations Report found that vulnerability exploitation had overtaken credential theft as the leading way attackers gain initial access — a trend that puts unpatched, internet-facing servers like on-premises SharePoint at the center of the risk picture. A critical deserialization flaw in that category, confirmed as exploited and cataloged by CISA within days of patching, is a textbook instance of the dynamic the report describes.
None of that requires knowing the mechanics of the flaw. The classification, the score, and the exploited-in-the-wild status are together enough to establish where CVE-2026-58644 sits: a high-value target class, a maximum-tier rating, and confirmed active use. For a defender, that combination is the argument for treating the July 19 deadline as a floor rather than a ceiling on urgency.
Open Questions
Several specifics remain unconfirmed at the level of certainty The CyberSignal requires before asserting them. No threat actor has been publicly named in connection with the exploitation of CVE-2026-58644, and the reporting does not attribute the activity to a specific group. The total number of federal or private-sector systems affected is likewise not established, as is the scale of exploitation beyond CISA's confirmation that it is occurring in the wild.
It is also not confirmed whether CVE-2026-58644 is one of the specific SharePoint vulnerabilities named in CISA's earlier warning about multiple exploited on-premises SharePoint flaws, or a distinct issue that surfaced alongside them. The reporting places it in the same on-premises SharePoint context but does not resolve that relationship, and The CyberSignal is treating the connection as plausible rather than established. Whether Microsoft has issued a formal advisory beyond the CVE record and its revised bulletin is similarly not something we can confirm here.
The reporting at this stage rests on The Hacker News's and SecurityWeek's accounts, corroborated by the corresponding KEV catalog entry and Microsoft's revised advisory. That posture — specialist outlets anchored to the primary catalog and vendor bulletin — is normal for a fresh KEV disclosure and is not a reason to doubt the core facts. It does mean the finer detail may sharpen as CISA's entry and Microsoft's advisory are read together over the coming days, and The CyberSignal will treat any additional specifics as confirmed only once they hold consistently across those sources.
The CyberSignal Analysis
The facts above are drawn from the reporting, CISA's catalog, and Microsoft's advisory; what follows is The CyberSignal's editorial reading of what defenders should take from this listing. None of the judgments below are new reported facts.
Signal 01 — The Compressed Timeline Is the Story
The instinct on a KEV addition is to focus on the vulnerability's severity. Our reading is that with CVE-2026-58644, the more instructive detail is the speed: patched on July 14, cataloged as exploited on July 16, federal deadline July 19. That five-day arc from fix to firm remediation deadline is CISA signaling that this flaw crossed from theoretical to active almost immediately, and it collapses the comfortable interval in which patching can be treated as routine.
For defenders, the takeaway is to internalize that interval as the new baseline for critical, internet-facing server flaws. A team that waits for its normal monthly patch cycle to absorb a SharePoint update risks being on the wrong side of a window that CISA has just demonstrated can close in days. The two-day federal deadline is not merely a compliance artifact; it is a data point about how fast this class of vulnerability is being weaponized.
Signal 02 — Verification, Not Availability, Is the Control
The recurring failure these SharePoint entries expose is not a shortage of patches but a shortage of confirmation that patches are actually present everywhere they need to be. Our assessment is that the single most valuable action a team can take on CVE-2026-58644 is to treat "patch verified on every affected instance" as the only acceptable end state, and to distrust dashboards that report deployment percentages without accounting for unmanaged, staging, or forgotten SharePoint servers.
On-premises SharePoint is especially prone to this gap. Farms accumulate over years, some sit outside centralized patch management, and internet-reachable instances are exactly the ones an attacker will find first. The defenders who bound this risk are the ones instrumented to answer "is the fix present here?" for every server running the affected editions, not the ones who can only confirm that Microsoft shipped an update.
Signal 03 — The KEV Catalog Is the Triage Signal Non-Federal Teams Should Borrow
The binding federal obligation is the narrow story; the broader one is that CISA has published a live, evidence-based assertion that CVE-2026-58644 is being exploited right now. Our view is that any organization still triaging its patch backlog primarily on severity scores is leaving the catalog's most valuable property unused — its statement of real-world exploitation, which is exactly the discriminator a crowded backlog needs.
The forward-looking watch item is the cadence of SharePoint entries themselves. Multiple on-premises SharePoint flaws reaching the KEV catalog in a short span is a marker that the platform is under sustained pressure, and we would treat that clustering as a prompt to elevate SharePoint from a periodically patched application to one under continuous verification. When a single product keeps appearing in the exploited-in-the-wild column, the disciplined response is to stop treating each entry as a surprise.