CVE-2026-58644: Microsoft SharePoint Deserialization Of Untrusted Data Vulnerability Actively Exploited (CISA KEV)

TL;DR

A vulnerability in Microsoft SharePoint, identified as CVE-2026-58644, is being exploited by attackers to execute remote code. Microsoft has issued mitigations; details about the scope are still emerging.

Microsoft SharePoint is currently targeted by active attacks exploiting the critical vulnerability CVE-2026-58644, which allows remote attackers to execute arbitrary code through deserialization of untrusted data, according to the Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability was officially disclosed by Microsoft and confirmed to be actively exploited in the wild. It affects certain versions of SharePoint and enables attackers to execute malicious code remotely without user interaction. Microsoft has released security updates and recommends applying mitigations immediately. The vulnerability stems from improper handling of deserialized data, which attackers can manipulate to run malicious scripts or commands on affected servers. Security experts warn that this flaw could lead to widespread compromises if left unpatched, given SharePoint’s widespread enterprise deployment. Microsoft and CISA have issued advisories urging organizations to prioritize patching and implement recommended mitigations to prevent exploitation.
At a glance
breakingWhen: ongoing; active exploitation reported a…
The developmentAttackers are actively exploiting a deserialization vulnerability in Microsoft SharePoint to execute remote code, prompting urgent security advisories and mitigation efforts.

Why CVE-2026-58644 Is a Critical Threat for Enterprises

This vulnerability poses a significant risk to organizations using Microsoft SharePoint, as it enables remote code execution, potentially allowing attackers to take control of affected servers, access sensitive data, or deploy malware. Given SharePoint’s role in enterprise collaboration, the exploitation could lead to data breaches, disruption of operations, and further lateral movement within networks. The active exploitation underscores the urgency for organizations to review their SharePoint deployments, apply patches, and follow security best practices to mitigate potential damage.

Security Patch, 2 Pcs Reflective Security Hook and Loop Patch for Vest Printed Letters Embroidery Patches for Officer Guard Custom Uniforms Vest, Jacket, Carrier, Bag, Hat (Black, 1 Small and 1 Large)

Security Patch, 2 Pcs Reflective Security Hook and Loop Patch for Vest Printed Letters Embroidery Patches for Officer Guard Custom Uniforms Vest, Jacket, Carrier, Bag, Hat (Black, 1 Small and 1 Large)

【Package Content】The package contains two security patches for vest, one small (5.5 x 2.5 inches) and one large…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background and Previous SharePoint Security Incidents

SharePoint has historically been a target for cyberattacks due to its widespread use in organizations for document management and collaboration. Prior vulnerabilities have often involved improper handling of data or authentication flaws, but CVE-2026-58644 marks a particularly severe case due to its active exploitation and potential for remote code execution. Microsoft disclosed the vulnerability in late April 2026, alongside a security update, following reports of attacks targeting unpatched systems. Security researchers have emphasized that deserialization flaws are common attack vectors in enterprise software, and this incident highlights the ongoing need for vigilance and timely patching.

“Microsoft has released security updates to address CVE-2026-58644. Organizations are urged to apply these patches immediately to prevent exploitation.”

— Microsoft Security Response Center

Amazon

SharePoint vulnerability mitigation tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Aspects of the Exploitation and Impact

While active exploitation has been confirmed, the full scope of affected SharePoint versions and the extent of compromise remain unclear. It is not yet confirmed whether specific industries or organizations are targeted exclusively or if the attack methods vary. Details about the malware payloads or post-exploitation activities are still emerging, and Microsoft has not disclosed whether any data breaches have been confirmed as a result of this vulnerability.

Foundations of Cybersecurity, 2nd Edition: A Straightforward Introduction

Foundations of Cybersecurity, 2nd Edition: A Straightforward Introduction

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Organizations and Security Teams

Organizations using SharePoint should prioritize applying the latest security patches from Microsoft immediately. Security agencies and Microsoft are expected to release further guidance on detection, mitigation, and potential indicators of compromise. Monitoring for unusual activity related to deserialization exploits and preparing incident response plans will be critical in the coming weeks. Microsoft and security researchers are also likely to publish technical analyses and tools to assist in identifying exploitation attempts.

Amazon

deserialization attack prevention tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is CVE-2026-58644?

CVE-2026-58644 is a security vulnerability in Microsoft SharePoint that allows remote attackers to execute arbitrary code through deserialization of untrusted data.

Has this vulnerability been exploited in real-world attacks?

Yes, reports confirm that attackers are actively exploiting CVE-2026-58644 in ongoing campaigns, prompting urgent security advisories.

What should organizations do now?

Apply the latest security updates from Microsoft immediately and follow recommended mitigations to reduce the risk of exploitation.

Are all SharePoint versions affected?

It is not yet confirmed which specific versions are vulnerable, but Microsoft has indicated affected versions should be patched promptly.

Will Microsoft release additional updates or guidance?

Microsoft is expected to provide further technical details, detection tools, and guidance as the situation develops.

Source: kev

You May Also Like

Incident Report: CVE-2024-YIKES

A critical supply chain attack involving multiple open-source projects has affected millions of developers, leading to credential theft and malware deployment.

This Week in Security: Microsoft on Microsoft, Register Your Domains, Linux on ARM, and FreeBSD Joins the File Cache Club

A roundup of key security developments this week, including Microsoft’s GitHub bug fix, domain registration issues, OpenSSL flaws, and more.

Unauthorized alert sent to cell phones across Brazil

Hackers reportedly sent false emergency alerts to mobile phones in Brazil, causing system disruptions and raising security concerns.

Xsolis Data Breach Affects 1.4 Million Individuals

Xsolis disclosed a data breach affecting nearly 1.4 million people, with unauthorized access detected in January. The incident raises concerns over healthcare data security.