CISA Flags Actively Exploited SharePoint RCE Zero-Day CVE-2026-58644 — Patch Now
CISA has added CVE-2026-58644, a critical remote code execution zero-day in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog. Active exploitation is confirmed in the wild. Federal Civilian Executive Branch agencies are under a mandatory remediation deadline; every operator running on-premises SharePoint should treat this with identical urgency.
What Happened
CISA added CVE-2026-58644 to the KEV catalog on Thursday after confirming that threat actors are actively exploiting the flaw. Microsoft has released a patch, but the zero-day designation means exploitation began before the fix was publicly available — and it is continuing now.
RCE in SharePoint is one of the most dangerous vulnerability classes in enterprise environments. SharePoint servers sit deep inside corporate networks, integrated with Active Directory, document stores, internal APIs, and service accounts that frequently carry broad permissions. A successful exploit gives an attacker arbitrary code execution under the SharePoint application pool identity — historically a reliable stepping stone to full domain compromise.
Why It Matters
SharePoint Server is deployed across tens of thousands of organizations: government agencies, law firms, financial institutions, healthcare systems. On-premises installations are especially at risk because they frequently lag on patching and receive no automatic updates. This vulnerability class has been weaponized at scale before: CVE-2019-0604 and CVE-2023-29357 both went from public disclosure to mass ransomware exploitation within days.
A KEV listing is not a warning that exploitation might happen — it is CISA's formal acknowledgment that it is happening now. The federal remediation deadline reflects their read on exploitation velocity, and that velocity does not stop at the government perimeter. Private sector organizations running unpatched SharePoint are exposed to the same active threat.
What To Do Right Now
1. Inventory every SharePoint Server instance you operate — production, development, staging, and shadow IT deployments. Do this before anything else.
2. Apply Microsoft's patch for CVE-2026-58644 immediately. Pull the relevant KB article from Microsoft's Security Update Guide and confirm your SharePoint build number after installation to verify the patch applied correctly.
3. Hunt for prior exploitation. Review IIS logs and SharePoint ULS logs for anomalous POST requests to /_layouts/, /_vti_bin/, or unexpected web service endpoints. Look for unusual child processes spawned by w3wp.exe, new scheduled tasks, or outbound connections from SharePoint servers to unfamiliar external IPs.
4. If you cannot patch within 24 hours, block external access to SharePoint at the network edge and consider a WAF rule targeting abnormal request patterns on SharePoint paths. Treat these as partial mitigations only — not substitutes for patching.
5. Alert your SOC and scope a threat hunt to the SharePoint server and every system its service accounts can reach.
If your organization runs SharePoint Online (Microsoft 365), Microsoft patches the service on your behalf — verify your tenant is current and move on.
The gap between active zero-day exploitation and a mass ransomware campaign is measured in days. Patch today.
Synthesized by Claude · sanity-checked before publish.