{"id":14371,"date":"2026-07-17T10:03:48","date_gmt":"2026-07-17T10:03:48","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/17\/cisa-warns-of-microsoft-sharepoint-code-execution-vulnerability-exploited-in-attacks\/"},"modified":"2026-07-17T10:03:48","modified_gmt":"2026-07-17T10:03:48","slug":"cisa-warns-of-microsoft-sharepoint-code-execution-vulnerability-exploited-in-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/17\/cisa-warns-of-microsoft-sharepoint-code-execution-vulnerability-exploited-in-attacks\/","title":{"rendered":"CISA Warns of Microsoft SharePoint Code Execution Vulnerability Exploited in Attacks"},"content":{"rendered":"<p>    CISA Warns of Microsoft SharePoint Code Execution Vulnerability Exploited in Attacks<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">CISA has added a critical Microsoft SharePoint vulnerability, tracked as <a href=\"https:\/\/cybersecuritynews.com\/microsoft-patch-tuesday-update-july-2026\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2026-58644<\/a>, to its Known Exploited Vulnerabilities (KEV) catalog. This addition comes with a warning that attackers are actively exploiting the flaw in real-world attacks.<\/p>\n<p class=\"wp-block-paragraph\">The vulnerability stems from a weakness in deserializing untrusted data, which can allow remote code execution if the application does not handle it properly.<\/p>\n<p class=\"wp-block-paragraph\">According to the advisory, the flaw permits an unauthorized attacker to execute arbitrary code over a network without needing prior authentication.<\/p>\n<p class=\"wp-block-paragraph\">This significantly heightens the risk, especially for <a href=\"https:\/\/cybersecuritynews.com\/1370-sharepoint-servers-vulnerable\/\" target=\"_blank\" rel=\"noreferrer noopener\">SharePoint servers exposed<\/a> to the internet, which are widely used in enterprise environments for document management and collaboration.<\/p>\n<p class=\"wp-block-paragraph\">The vulnerability is classified under CWE-502, which pertains to unsafe deserialization. In such attacks, threat actors send specially crafted serialized objects to a target system.<\/p>\n<p class=\"wp-block-paragraph\">If the application fails to validate or sanitize this data effectively, it can lead to the execution of malicious payloads within the server environment.<\/p>\n<h2 id=\"h-sharepoint-code-execution-vulnerability-exploited\" class=\"wp-block-heading\"><strong>SharePoint Code Execution Vulnerability Exploited<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">In the case of SharePoint, successful exploitation could allow attackers to establish a foothold, deploy web shells, move laterally across networks, or carry out further attacks.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" data-type=\"link\" data-id=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CISA added CVE-2026-58644 to its KEV catalog<\/a> on July 16, 2026, indicating confirmed exploitation in the wild.<\/p>\n<p class=\"wp-block-paragraph\">Although there is currently no public confirmation linking this flaw to any specific ransomware campaigns, deserialization vulnerabilities have historically been favored by both ransomware operators and advanced persistent threat groups for their reliability and significant impact.<\/p>\n<p class=\"wp-block-paragraph\">Federal agencies and organizations are now required to remediate this vulnerability in accordance with Binding Operational Directive (BOD) 26-04, which emphasizes prioritizing security updates based on risk exposure.<\/p>\n<p class=\"wp-block-paragraph\">The directive mandates that agencies assess whether their affected SharePoint instances are internet-facing and apply vendor-recommended mitigations within a specified timeframe.<\/p>\n<p class=\"wp-block-paragraph\">CISA has also urged organizations to adhere to its Forensics Triage Requirements to detect potential compromises.<\/p>\n<p class=\"wp-block-paragraph\">This includes reviewing logs, monitoring unusual SharePoint activity, and identifying indicators such as unexpected processes, suspicious authentication patterns, or unauthorized file uploads.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/sharepoint-server-code-execution-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft has released guidance<\/a> to address this issue, and organizations are strongly advised to apply patches or mitigations immediately.<\/p>\n<p class=\"wp-block-paragraph\">If fixes are unavailable or cannot be implemented, CISA recommends discontinuing use of the vulnerable service until appropriate protections are in place.<\/p>\n<p class=\"wp-block-paragraph\">Security teams should also consider implementing additional defensive measures, such as restricting external access to SharePoint servers, enabling endpoint detection and response solutions, and conducting threat hunting to identify signs of exploitation.<\/p>\n<p class=\"wp-block-paragraph\">Given the widespread use of SharePoint across enterprises and government networks, the active exploitation of CVE-2026-58644 poses a significant threat. Prompt patching, continuous monitoring, and adherence to CISA directives are crucial for reducing the risk of compromise.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>\u00a0Strengthen Your SOC by Accelerating Threat Detection &amp; Rapid Investigations.\u00a0-&gt;\u00a0<a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Integrate ANY.RUN With Your SOC\u00a0<\/a><strong><a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Now<\/a><\/strong>.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/microsoft-sharepoint-code-execution-vulnerability-exploited\/\">CISA Warns of Microsoft SharePoint Code Execution Vulnerability Exploited in Attacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/microsoft-sharepoint-code-execution-vulnerability-exploited\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA Warns of Microsoft SharePoint Code Execution Vulnerability Exploited in Attacks CISA has added a critical Microsoft SharePoint vulnerability, tracked as CVE-2026-58644, to its Known Exploited Vulnerabilities (KEV) catalog. This addition comes with a warning that attackers are actively exploiting the flaw in real-world attacks. The vulnerability stems from a weakness in deserializing untrusted data, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131],"tags":[130],"class_list":["post-14371","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14371"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14371"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14371\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}