Canadian Cyber Security Journal
SOCIAL:
Filed under: Featured, TechTalk

SharePoint CVE-2026-58644: New Zero-Day Under Active Exploitation Hits CISA KEV With a July 19 Deadline — What Canadian Organizations Must Do Now

What Happened

Microsoft confirmed on July 15, 2026 that CVE-2026-58644, a critical deserialization of untrusted data vulnerability in on-premises SharePoint Server, had been exploited in the wild as a zero-day before patches were available. CISA added the flaw to its Known Exploited Vulnerabilities catalog on July 16, setting a July 19, 2026 deadline for all Federal Civilian Executive Branch agencies to apply fixes.

CVE-2026-58644 carries a CVSS score of 9.8. An unauthenticated attacker with network access to a SharePoint Server instance can send a crafted HTTP request to trigger deserialization of malicious data, achieve remote code execution, and establish persistence. Post-exploitation activity observed in the wild includes theft of Internet Information Services machine keys, enabling attackers to forge authentication tokens and move laterally across SharePoint farms. Affected versions include SharePoint Server Subscription Edition, 2019, and 2016. Patches were included in the Microsoft July 2026 Patch Tuesday update released on July 14.

CISA has also urged SharePoint administrators to review and harden SharePoint configurations beyond patching, citing active exploitation of multiple SharePoint vulnerabilities — including CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 — across the broader July 2026 advisory window. Source: SecurityWeek / CISA

Why This Matters for Canadian Organizations

SharePoint Server is deployed extensively across the Canadian public sector — federal departments, provincial ministries, municipalities, universities, and hospitals — as an internal intranet, document management, and workflow platform. Organizations running on-premises SharePoint (as opposed to SharePoint Online) are directly exposed to CVE-2026-58644. Unlike cloud-hosted tenants, on-premises installations do not receive automatic updates and require deliberate patching actions by IT teams.

A successful exploitation gives an attacker unauthenticated remote code execution followed by credential theft via IIS machine key access. In environments where SharePoint connects to Active Directory, corporate databases, or sensitive HR and financial systems — common in Canadian government and enterprise deployments — the downstream blast radius is significant. Under PIPEDA and OSFI B-13, organizations suffering a breach through an unpatched known vulnerability face both notification obligations and regulatory scrutiny over their patch management practices. The SonicWall CISA deadline from July 15 has now passed; SharePoint administrators have until July 19 — two days — to complete patching.

What to Do

Apply the July 2026 Patch Tuesday security update to all on-premises SharePoint Server instances immediately — Subscription Edition, 2019, and 2016 are all affected. Confirm patch status before end of business July 17 if your organization falls under federal compliance obligations. Review IIS logs for evidence of deserialization exploitation patterns, and audit whether IIS machine keys have been exposed or used to forge tokens. If you have not already done so, review the CISA SharePoint hardening advisory for configuration guidance beyond patching. Organizations with SharePoint federated to Active Directory or connected to sensitive internal systems should treat this as a high-severity incident response exercise until patching is confirmed complete.

Enjoy this article? Don’t forget to share.