CVE-2026-58644 — SharePoint Server deserialization RCE moves from 'Exploitation More Likely' to confirmed exploited and CISA KEV-listed
UPDATE · originally covered July Patch Tuesday follow-through: a SharePoint pre-auth JWT bypass from a Pwn2Own chain (CVE-2026-55040) and a pre-auth Dynamics 365 RCE Microsoft expects to be exploited (CVE-2026-55944) (2026-07-15)
the 2026-07-15 entry carried CVE-2026-58644 as a CVSS 9.8 SharePoint deserialization RCE rated only "Exploitation More Likely," with its patch noted as having shipped in the June 2026 cumulative update. CISA has now confirmed it is being exploited in the wild: its SharePoint alert, updated 2026-07-16, states CISA "is aware of active exploitation of vulnerabilities CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and CVE-2026-58644, enabling cyber threat actors to gain unauthorized access to on-premises SharePoint Server instances," and CISA added CVE-2026-58644 to the KEV catalog the same day (CISA, 2026-07-16). The alert describes the cluster's post-exploitation as stealing IIS machine keys — the ASP.NET view-state signing/encryption keys — and using deserialization techniques to gain persistence and deploy malware, so the machine key, not the single CVE, is the durable foothold once any of the four is exploited.
CISA is aware of active exploitation of vulnerabilities CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and CVE-2026-58644, enabling cyber threat actors to gain unauthorized access to on-premises SharePoint Server instances.
CISA has updated this Alert to reflect the addition of CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) Catalog on July 16, 2026.
Defender actions
- Confirm every on-prem SharePoint Server (Subscription Edition, 2019, 2016) carries the June-2026-or-later cumulative update — that build fixes the now-confirmed-exploited CVE-2026-58644; an estate patched only through May is exposed to active exploitation, not merely at risk.
- Before rotating IIS machine keys on any SharePoint that was internet-reachable, hunt for and evict machine-key harvesters first — CISA warns that rotating keys ahead of eviction lets a resident implant re-harvest the new keys.
ATT&CK mapping
3 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Persistence TA0003
T1505.003Server Software Component: Web Shell
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
Credential Access TA0006
T1552.004Unsecured Credentials: Private Keys
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Update chain
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.