Hackers Are Already Exploiting a Critical Microsoft SharePoint Flaw Patched Just Days Ago

CISA has added a newly patched SharePoint vulnerability to its active-exploitation watchlist, giving US federal agencies just three days to apply the fix.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial style, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • CVE-2026-58644, a critical flaw in Microsoft SharePoint, reached a severity score of 9.8 out of 10 and was confirmed as actively exploited after Microsoft's July 2026 Patch Tuesday release.
  • Microsoft's July 2026 update also fixed CVE-2026-56164, a separate SharePoint flaw that was already being exploited before the patch existed.
  • CISA, the US Cybersecurity and Infrastructure Security Agency, added CVE-2026-58644 to its Known Exploited Vulnerabilities catalogue on Thursday, ordering federal agencies to patch within three days.
  • Two Fortinet FortiSandbox flaws, CVE-2026-25089 and CVE-2026-39808, were added to the same catalogue on the same day, both confirmed exploited in the wild since mid-June.

A serious security flaw in Microsoft SharePoint, the web-based document-sharing and collaboration platform used by millions of organisations worldwide, is already being exploited by criminals just days after Microsoft released a fix.

The vulnerability, tracked as CVE-2026-58644, is a "deserialization" bug. Deserialization is the process where software converts stored data back into a usable format; when that process is not handled safely, an attacker can slip in malicious instructions disguised as ordinary data. The result here is remote code execution, meaning a criminal can run their own software on your SharePoint server from anywhere on the internet.

There is one catch: the attacker needs to have at least "Site Owner" level access to the SharePoint environment first. That sounds reassuring, but credentials get stolen through phishing, where criminals send fake emails to trick staff into handing over passwords, and through data breaches all the time.

How bad is this, really?

Bad enough that CISA placed it on its Known Exploited Vulnerabilities catalogue, a public list reserved for flaws confirmed to be actively used in real attacks. Under Binding Operational Directive 26-04, US federal agencies must patch all three newly listed vulnerabilities within three days of the catalogue entry. That deadline applies to government networks, but it is a reasonable benchmark for any organisation running SharePoint.

Microsoft's own advisory initially did not flag CVE-2026-58644 as exploited. The company updated that advisory after exploitation was detected in the wild, raising the severity score to 9.8 out of 10.

The July 2026 Patch Tuesday bundle also fixed two other SharePoint weaknesses worth knowing about. CVE-2026-56164 was already a zero-day, meaning a flaw being exploited before the maker even had a patch ready. CVE-2026-55040 is a critical security-bypass flaw that could let attackers read private files and alter data.

Separately, CISA added two Fortinet FortiSandbox flaws to the catalogue. FortiSandbox is a security appliance that analyses suspicious files; both CVE-2026-25089 and CVE-2026-39808 allow attackers to run arbitrary commands on affected devices, and exploit intelligence firm Defused flagged both as exploited in mid-June.

What organisations running SharePoint should do now:

Apply Microsoft's July 2026 Patch Tuesday updates immediately, prioritising the three SharePoint fixes. Check which users hold Site Owner permissions and remove any that are unnecessary. Review sign-in logs for unexpected access, particularly outside normal working hours or from unfamiliar locations. Remind staff to treat any unexpected email asking for login credentials with suspicion.

© 2026 Threat Vectr