The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog. This designation confirms active exploitation in the wild and mandates immediate remediation for Federal Civilian Executive Branch (FCEB) agencies, with a deadline of July 19, 2026.
For organizations relying on SharePoint for collaboration and document management, this is not a theoretical risk. CVE-2026-58644 is a remote code execution (RCE) flaw with a CVSS score of 9.8, capable of allowing an unauthenticated attacker to take complete control of a vulnerable server.
Technical Analysis
- CVE Identifier: CVE-2026-58644
- CVSS Score: 9.8 (Critical)
- Affected Products: Microsoft SharePoint Server
- Vulnerability Type: Insecure Deserialization
The Mechanics of the Flaw
This vulnerability stems from an insecure deserialization issue within SharePoint. In the context of .NET applications (which SharePoint is built upon), deserialization is the process of converting a stream of bytes (often XML or JSON) back into an object.
Attackers can craft a malicious serialized object and send it to a vulnerable SharePoint endpoint. When the server attempts to deserialize this input, it triggers the execution of arbitrary code within the context of the SharePoint Application Pool identity. This identity typically has high privileges, including read/write access to the configuration and content databases, and potentially administrative rights on the underlying Windows Server.
Exploitation Status
CISA's addition to the KEV catalog indicates that exploitation has been detected in the wild. Given the ubiquity of SharePoint in enterprise environments and the high value of the data stored within it, this flaw is a prime target for ransomware operators and initial access brokers.
Detection & Response
Detecting deserialization attacks can be challenging because the exploit request often looks like legitimate traffic until the code executes. However, the post-exploitation behavior is distinct. If an attacker successfully achieves RCE via CVE-2026-58644, the web server process (w3wp.exe) will spawn a shell or command-line utility.
Below are detection mechanisms tailored to catch the "smoking gun" of this exploit: a web process spawning a child process it has no business spawning.
---
title: SharePoint RCE - Suspicious Child Process of W3WP
id: c2026586-5864-4e9c-a234-58644detect01
status: experimental
description: Detects potential RCE exploitation of CVE-2026-58644 by identifying command-line interpreters spawned by the IIS worker process.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/07/10
tags:
- attack.initial_access
- attack.execution
- attack.t1190
- cve.2026.58644
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\w3wp.exe'
NewProcessName|contains:
- 'cmd.exe'
- 'powershell.exe'
- 'pwsh.exe'
condition: selection
falsepositives:
- Administrative troubleshooting via SharePoint backend
level: critical
---
title: SharePoint Deserialization Exception - Application Log
id: c2026586-5864-4e9c-a234-58644detect02
status: experimental
description: Detects potential probing for deserialization flaws in SharePoint via .NET serialization exceptions.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/07/10
tags:
- attack.initial_access
- cve.2026.58644
logsource:
product: windows
service: application
detection:
selection:
ProviderName: 'ASP.NET 4.0.30319.0'
EventID: 1309
Data|contains:
- 'Serialization'
- 'Deserialize'
condition: selection
falsepositives:
- Application instability not related to attack
level: medium
**KQL (Microsoft Sentinel / Defender)**
Use this query to hunt for suspicious process lineage originating from the SharePoint web tier.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FileName in ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc
**Velociraptor VQL**
This VQL artifact hunts for processes where the parent is w3wp.exe but the child is a standard shell.
-- Hunt for suspicious child processes of w3wp.exe
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE ParentName =~ "w3wp.exe"
AND Name IN ("cmd.exe", "powershell.exe", "pwsh.exe")
**Remediation Script (PowerShell)**
This script checks the file version of the core SharePoint library. Note: You must verify the specific "Safe" version against the official Microsoft Security Update bulletin for July 2026. This script helps you identify which servers need patching.
# Script to Check SharePoint Core DLL Version for CVE-2026-58644
# Note: Compare the output version against the Microsoft Security Response Center bulletin.
$sharePointPath = "${env:CommonProgramFiles}\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll"
if (Test-Path $sharePointPath) {
$fileInfo = Get-Item $sharePointPath
Write-Host "Checking SharePoint DLL Version..." -ForegroundColor Cyan
Write-Host "File Path: " -NoNewline; Write-Host $sharePointPath -ForegroundColor Yellow
Write-Host "Current Version: " -NoNewline; Write-Host $fileInfo.VersionInfo.FileVersion -ForegroundColor Yellow
# Placeholder for logic: If version < patched_version, flag as vulnerable
Write-Host "Please verify this version against the July 2026 Security Update for CVE-2026-58644." -ForegroundColor Red
} else {
Write-Host "SharePoint DLL not found at standard path. Is SharePoint installed?" -ForegroundColor Red
}
Remediation
1. Patch Immediately Microsoft has released security updates to address this vulnerability. Apply the latest cumulative updates immediately.
- Action: Install the July 2026 Security Update for Microsoft SharePoint Server.
- Vendor Advisory: Microsoft Security Response Center (search for CVE-2026-58644).
2. CISA KEV Deadline FCEB agencies must apply patches by July 19, 2026. Private sector organizations should treat this date as a deadline for their own remediation to avoid falling victim to widespread scanning and exploitation.
3. Workarounds If immediate patching is not feasible, consider restricting access to SharePoint servers from the internet using a firewall or VPN. However, given the prevalence of phishing and internal lateral movement, patching remains the only reliable mitigation.
4. Post-Patch Verification After patching, re-run the detection queries above to ensure no malicious persistence mechanisms were established before the patch was applied.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.