Back to Intelligence

CVE-2026-58644 & Fortinet Flaws: CISA KEV Detection and Remediation

SA
Security Arsenal Team
July 16, 2026
5 min read

On July 16, 2026, CISA added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The update includes two OS Command Injection vulnerabilities affecting Fortinet FortiSandbox (CVE-2026-25089, CVE-2026-39808) and a critical Remote Code Execution (RCE) flaw in Microsoft SharePoint (CVE-2026-58644).

Under Binding Operational Directive (BOD) 26-04, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by the specified due dates. However, the active exploitation status in the wild means all organizations—regardless of sector—must treat these as immediate emergencies. Attackers are actively scanning for and exploiting these flaws to gain initial access, establish persistence, and move laterally through sensitive networks.

Technical Analysis

Fortinet FortiSandbox OS Command Injection

  • CVEs: CVE-2026-25089, CVE-2026-39808
  • Affected Product: Fortinet FortiSandbox
  • Vulnerability Class: OS Command Injection
  • Impact: These vulnerabilities allow an authenticated or unauthenticated attacker (depending on specific access requirements of the flaw) to execute arbitrary operating system commands via specially crafted requests.

Defender's Perspective: FortiSandbox appliances are designed to analyze suspicious files in an isolated environment. A successful command injection attack turns this security control into a liability. By executing OS commands, attackers can pivot from the sandbox appliance to the internal network, dump credentials, or alter malware analysis results to evade detection.

Microsoft SharePoint Deserialization

  • CVE: CVE-2026-58644
  • Affected Product: Microsoft SharePoint Server
  • Vulnerability Class: Deserialization of Untrusted Data
  • Impact: This flaw allows an attacker to execute arbitrary code on the server hosting the SharePoint instance via a network request.

Defender's Perspective: Deserialization vulnerabilities are notoriously dangerous because they often bypass standard input sanitization. In the context of SharePoint—which typically hosts sensitive internal documents and collaboration sites—RCE allows an attacker to gain immediate access to high-value data, inject web shells, and move laterally to domain controllers using the service account privileges.

Detection & Response

Given the active exploitation status, security teams must assume compromise and hunt for indicators of attack (IOA) associated with web shell deployment and abnormal process execution.

Sigma Rules

The following Sigma rules detect the post-exploitation behavior: the FortiSandbox service spawning a shell and the SharePoint worker process spawning a command shell (typical RCE behavior).

YAML
---
title: Fortinet FortiSandbox OS Command Injection
id: 8a2b1c33-4d5e-6f78-9a0b-1c2d3e4f5a6b
status: experimental
description: Detects potential OS command injection on Fortinet appliances by identifying the web service spawning a shell.
references:
 - https://www.cisa.gov/news-events/alerts/2026/07/16/cisa-adds-three-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/07/17
tags:
 - attack.initial_access
 - attack.execution
 - attack.t1059.004
logsource:
 category: process_creation
 product: linux
detection:
 selection:
   ParentImage|contains:
     - 'httpsd'
     - 'forti'
   Image|endswith:
     - '/sh'
     - '/bash'
     - '/dash'
 condition: selection
falsepositives:
 - Legitimate administrative debugging by vendor support
level: critical
---
title: SharePoint Deserialization RCE - w3wp Spawning Shell
id: 9c3d2e44-5e6f-7a89-0b1c-2d3e4f5a6b7c
status: experimental
description: Detects potential RCE via SharePoint deserialization (CVE-2026-58644) by identifying w3wp.exe spawning a shell.
references:
 - https://www.cisa.gov/news-events/alerts/2026/07/16/cisa-adds-three-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/07/17
tags:
 - attack.initial_access
 - attack.execution
 - attack.t1059.001
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   InitiatingProcessFileName|endswith: 'w3wp.exe'
   Image|endswith:
     - '\cmd.exe'
     - '\powershell.exe'
     - '\pwsh.exe'
 condition: selection
falsepositives:
 - Authorized administrative management via SharePoint
level: high

KQL (Microsoft Sentinel)

Hunt for abnormal child processes of the SharePoint IIS worker process and suspicious command execution on Fortinet appliances (ingested via Syslog/CEF).

KQL — Microsoft Sentinel / Defender
// Hunt for SharePoint RCE (CVE-2026-58644)
DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where ProcessVersionInfoCompanyName != "Microsoft Corporation" or 
        FileName in ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc
;
// Hunt for Fortinet FortiSandbox Command Injection (Syslog/CEF)
Syslog
| where ProcessName contains "sh" and SyslogMessage contains "forti"
| project TimeGenerated, Computer, ProcessName, SyslogMessage
| order by TimeGenerated desc

Velociraptor VQL

Use this artifact to hunt for suspicious parent-child process relationships indicative of these exploits on both Windows and Linux endpoints.

VQL — Velociraptor
-- Hunt for w3wp spawning cmd/powershell (SharePoint) or Fortinet services spawning shells (Linux)
SELECT 
  str(str=str(Pid), sep=" ") as PID,
  Name as ProcessName,
  CommandLine,
  Username,
  Parent.Name as ParentName,
  Parent.CommandLine as ParentCommandLine
FROM pslist()
WHERE 
  (Name =~ "cmd.exe" OR Name =~ "powershell.exe" OR Name =~ "sh" OR Name =~ "bash")
  AND (Parent.Name =~ "w3wp.exe" OR Parent.Name =~ "httpsd" OR Parent.Name contains "forti")

Remediation Script (PowerShell)

This PowerShell script assists administrators in checking the installed version of SharePoint against known vulnerable build ranges. Note: Replace $VulnerableBuildRanges with specific build numbers from the official Microsoft advisory upon release.

PowerShell
# Check SharePoint Version Status for CVE-2026-58644
Write-Host "Checking SharePoint Farm Build Version..."

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm = Get-SPFarm
if ($farm) {
    $buildVersion = $farm.BuildVersion
    Write-Host "Current SharePoint Build Version: $($buildVersion.ToString())"
    
    # Logic to check against specific vulnerable versions from advisory
    # Example placeholder logic:
    # if ($buildVersion -lt "16.0.XXXX.XXXX") { Write-Host "VULNERABLE" -ForegroundColor Red }
    # else { Write-Host "Patched" -ForegroundColor Green }
    
    Write-Host "Please compare the output above with the security advisory for CVE-2026-58644 to confirm patch status."
} else {
    Write-Host "No SharePoint farm found on this server."
}

Remediation

  1. Patch Immediately:

    • Fortinet: Apply the relevant security updates for FortiSandbox to address CVE-2026-25089 and CVE-2026-39808. Verify patch integrity via the FortiGuard support portal.
    • Microsoft: Install the latest cumulative update for SharePoint Server to resolve CVE-2026-58644.
  2. Internet-Facing Exposure:

    • Ensure that FortiSandbox management interfaces and SharePoint servers are not directly exposed to the public internet unless absolutely necessary. Utilize VPNs and Zero Trust Network Access (ZTNA) solutions to restrict administrative access.
  3. Audit and Restrict:

    • Review logs for successful authentication and web requests on these platforms within the last 30 days.
    • Restrict service account privileges for the SharePoint application pool and FortiSandbox services to the minimum required.
  4. CISA Compliance:

    • Federal agencies must complete remediation by the deadlines set in BOD 26-04.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosurecisa-kevfortinetsharepointcve-2026-25089cve-2026-58644

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.