cognitive cybersecurity intelligence

News and Analysis

Search

CISA Warns of Microsoft SharePoint Code Execution Vulnerability Exploited in Attacks

CISA Warns of Microsoft SharePoint Code Execution Vulnerability Exploited in Attacks

CISA has added a critical Microsoft SharePoint vulnerability, tracked as CVE-2026-58644, to its Known Exploited Vulnerabilities (KEV) catalog. This addition comes with a warning that attackers are actively exploiting the flaw in real-world attacks.

The vulnerability stems from a weakness in deserializing untrusted data, which can allow remote code execution if the application does not handle it properly.

According to the advisory, the flaw permits an unauthorized attacker to execute arbitrary code over a network without needing prior authentication.

This significantly heightens the risk, especially for SharePoint servers exposed to the internet, which are widely used in enterprise environments for document management and collaboration.

The vulnerability is classified under CWE-502, which pertains to unsafe deserialization. In such attacks, threat actors send specially crafted serialized objects to a target system.

If the application fails to validate or sanitize this data effectively, it can lead to the execution of malicious payloads within the server environment.

SharePoint Code Execution Vulnerability Exploited

In the case of SharePoint, successful exploitation could allow attackers to establish a foothold, deploy web shells, move laterally across networks, or carry out further attacks.

CISA added CVE-2026-58644 to its KEV catalog on July 16, 2026, indicating confirmed exploitation in the wild.

Although there is currently no public confirmation linking this flaw to any specific ransomware campaigns, deserialization vulnerabilities have historically been favored by both ransomware operators and advanced persistent threat groups for their reliability and significant impact.

Federal agencies and organizations are now required to remediate this vulnerability in accordance with Binding Operational Directive (BOD) 26-04, which emphasizes prioritizing security updates based on risk exposure.

The directive mandates that agencies assess whether their affected SharePoint instances are internet-facing and apply vendor-recommended mitigations within a specified timeframe.

CISA has also urged organizations to adhere to its Forensics Triage Requirements to detect potential compromises.

This includes reviewing logs, monitoring unusual SharePoint activity, and identifying indicators such as unexpected processes, suspicious authentication patterns, or unauthorized file uploads.

Microsoft has released guidance to address this issue, and organizations are strongly advised to apply patches or mitigations immediately.

If fixes are unavailable or cannot be implemented, CISA recommends discontinuing use of the vulnerable service until appropriate protections are in place.

Security teams should also consider implementing additional defensive measures, such as restricting external access to SharePoint servers, enabling endpoint detection and response solutions, and conducting threat hunting to identify signs of exploitation.

Given the widespread use of SharePoint across enterprises and government networks, the active exploitation of CVE-2026-58644 poses a significant threat. Prompt patching, continuous monitoring, and adherence to CISA directives are crucial for reducing the risk of compromise.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post CISA Warns of Microsoft SharePoint Code Execution Vulnerability Exploited in Attacks appeared first on Cyber Security News.

Source: cybersecuritynews.com –

Subscribe to newsletter

Subscribe to HEAL Security Dispatch for the latest healthcare cybersecurity news and analysis.

More Posts