A high-severity RCE vulnerability in Microsoft SharePoint is being actively exploited by threat actors. With a CVSS score of 9.8, CISA has ordered federal agencies to patch the flaw immediately.

Key Takeaways

  • A critical RCE vulnerability (CVE-2026-58644) has been identified in Microsoft SharePoint.
  • The flaw allows authenticated attackers to execute arbitrary code on servers.
  • The vulnerability carries a maximum CVSS score of 9.8, indicating extreme risk.
  • CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating patches within 3 days.

The cybersecurity landscape has shifted into high alert following reports that threat actors are actively exploiting a newly discovered, critical-severity Remote Code Execution (RCE) vulnerability in Microsoft SharePoint. The flaw, tracked as CVE-2026-58644, carries a staggering CVSS score of 9.8, placing it among the most dangerous security defects currently facing enterprise environments.

Deep Dive into the Exploit Mechanism

The vulnerability stems from an issue involving the deserialization of untrusted data. According to technical disclosures from Microsoft, an attacker who has gained authentication—at minimum at the 'Site Owner' level—can write and inject arbitrary code into the SharePoint Server. Once injected, this code can be executed remotely, granting the attacker unprecedented control over the server, the ability to exfiltrate sensitive corporate data, or the capacity to deploy ransomware.

CISA Intervention and Federal Mandates

While Microsoft initially categorized the flaw as a potential risk, the rapid emergence of active exploitation forced a reclassification. Consequently, the Cybersecurity and Infrastructure Security Agency (CISA) has officially added the CVE to its Known Exploited Vulnerabilities (KEV) catalog. Under the authority of BOD 26-04, CISA has issued a strict mandate requiring all federal agencies to apply the necessary security patches within a 72-hour window to mitigate the risk of widespread compromise.

Broader Security Context

This incident is part of a larger wave of critical patches released during Microsoft's July 2026 Patch Tuesday. The updates also addressed other significant flaws, including CVE-2026-56164, which was flagged as a zero-day exploit, and CVE-2026-55040, a security bypass weakness. Furthermore, the discovery of command injection flaws in Fortinet FortiSandbox highlights a growing trend of targeted attacks against critical infrastructure and enterprise-grade security appliances.