Microsoft has revised its security bulletin for CVE-2026-58644, a critical SharePoint Server flaw, to confirm what researchers suspected: it was exploited in the wild as a zero-day, before any patch existed. CISA added it to its Known Exploited Vulnerabilities catalog on 16 July and is giving US federal agencies until this Sunday, 19 July, to apply the fix. This is a separate, newly disclosed flaw from the three SharePoint CVEs we covered earlier this week — a reminder that on-premises SharePoint has had a genuinely rough July, not just one bad headline.
The bug itself is a deserialization issue, scored 9.8 out of 10 on the severity scale. In plain terms, SharePoint accepts specially crafted data and processes it in a way that lets an attacker slip in their own code instead. The one mitigating detail is that it isn't fully anonymous: Microsoft's advisory says an attacker needs to already be authenticated with at least Site Owner permissions to trigger it. That sounds like a meaningful barrier until you consider how SharePoint sites actually get used — Site Owner access is routinely handed to project leads, external contractors, and departmental admins, often without much thought about who still holds it six months later. Once triggered, the flaw hands the attacker full remote code execution on the server, with the same follow-on risk seen in this month's earlier SharePoint incidents: theft of the server's IIS machine keys, which let an attacker keep access even after the hole itself is patched. It affects only self-hosted SharePoint Server (Subscription Edition, 2019, and 2016) — Microsoft 365's cloud SharePoint Online is not affected. A fix was released on 14 July as part of Microsoft's regular Patch Tuesday, but by then the flaw had already been used against real targets.
What this means for your business
- Confirm which SharePoint you run. Only self-hosted (on-premises) SharePoint Server is at risk here. Microsoft 365 / SharePoint Online customers are not affected by this specific flaw.
- Patch now — the fix has been out since 14 July. If your on-premises server isn't updated yet, treat it as overdue, not routine; this hole was already being used before the patch shipped.
- Audit who actually holds Site Owner access. Because the flaw needs that level of permission to trigger, a tidy permissions list is a real layer of defence here — not a compliance checkbox. Remove access for contractors and staff who no longer need it.
- If you were running unpatched before today, rotate your IIS machine keys once the update is installed. A patch closes the door an attacker used; it doesn't undo a key they may have already copied on the way through.
Two actively-exploited SharePoint vulnerabilities inside the same fortnight isn't a coincidence attackers are ignoring — self-hosted SharePoint has become a preferred target precisely because so many installs sit quietly unpatched behind the firewall. If patching this system has been someone's "next sprint" item for a while, this is the week that stops being an option.