CISA adds a fourth SharePoint bug to KEV in 48 hours
CVE-2026-58644 — an unauthenticated deserialization RCE, CVSS 9.8 — landed on CISA KEV this morning, two days after Microsoft shipped the SharePoint fix.
CISA added a fourth on-prem SharePoint bug to the Known Exploited Vulnerabilities catalog this morning: CVE-2026-58644, an unauthenticated deserialization RCE with a CVSS of 9.8. Microsoft shipped the patch on Tuesday. Two days from patch to KEV means somebody watched the update, unpacked the fix, weaponized what it changed, and reached CISA’s exploitation-confirmation bar in under 48 hours — that is the honest read of that gap.
What’s new versus Tuesday
This is a different CVE from the three CISA named yesterday — CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. Same product family, different bug. If you already patched last night on the July 17 clock, you’re covered on this one too, because Microsoft rolled all four fixes into the July 2026 SharePoint updates. If you deferred the July update and are only planning to patch the three CISA named yesterday, stop — you need the whole cumulative update, not a subset.
The bug is CWE-502 (deserialization of untrusted data). Per NVD, any of these three product lines below the listed build are exposed:
- SharePoint Server Subscription Edition — patched at 16.0.19725.20384
- SharePoint Server 2019 — patched at 16.0.10417.20153
- SharePoint Enterprise Server 2016 — patched at 16.0.5556.1005
Unauthenticated, network-reachable, no user interaction, no privilege prerequisite. If a farm is on the public Internet at a lower build than the above, it’s exploitable by anyone who can send an HTTP request.
The honest timeline
- 2026-07-14 — Microsoft ships fixes for CVE-2026-58644 alongside the rest of the July 2026 SharePoint updates. NVD publishes the record.
- 2026-07-15 — CISA names three earlier SharePoint CVEs (CVE-2026-32201, CVE-2026-45659, CVE-2026-56164) and sets a July 17 remediation clock. CVE-2026-58644 is not on that list.
- 2026-07-16 — CISA adds CVE-2026-58644 to KEV as a fourth entry, citing BOD 26-04 and its forensics-triage requirements.
Priority order
- If you haven’t taken the July SharePoint update yet, take it now — one maintenance window closes all four KEV’d CVEs (plus CVE-2026-55040, the Rapid7 JWT bypass from Monday). Splitting these across two touches this week is doing yourself twice the work for no benefit.
- Confirm the running build number against the MSRC advisory rather than trusting a patch-management dashboard that reports “July update applied.” Deserialization bugs are the class where “patched” and “actually at the fixed build” have historically diverged on SharePoint.
- If the farm was Internet-exposed and unpatched at any point since July 14, treat this as possible-compromise, not routine patching. The IIS
machineKeytheft pattern CISA called out on the three earlier CVEs applies to this class of bug too. RotatevalidationKeyanddecryptionKey, review sign-in logs, and search theLAYOUTSdirectory and writable content-DB locations for web shells before you call the incident closed.
Four SharePoint CVEs on KEV in 48 hours is not a coincidence — that’s an on-prem SharePoint fleet being taken apart by whoever diffs Microsoft’s updates fastest. Federal agencies have a clock; everybody else has whatever clock their DFIR retainer defines as “reasonable.” The patch is one maintenance touch. Take it.
- [ CRITICAL ] CVE-2026-58644 Microsoft SharePoint deserialization of untrusted data (unauth RCE)
- [ MEDIUM ] CVE-2026-32201 SharePoint Server spoofing via improper input validation
- [ HIGH ] CVE-2026-45659 Microsoft SharePoint Server deserialization remote code execution
- [ MEDIUM ] CVE-2026-56164 SharePoint Server elevation of privilege — missing authentication for critical function
Found this useful? Share it.


