CyberSecurity

Fresh SharePoint Vulnerability Exploited Within Days of Disclosure – CISA Adds to KEV Catalog

Published

on

Attackers Waste No Time Exploiting Critical SharePoint Flaw

Threat actors have already started exploiting a freshly patched, critical-severity remote code execution (RCE) vulnerability in Microsoft SharePoint, prompting urgent action from the US cybersecurity agency CISA. The flaw, tracked as CVE-2026-58644, carries a CVSS score of 9.8 and was fixed as part of Microsoft’s July 2026 Patch Tuesday updates.

Microsoft describes the issue as a deserialization of untrusted data vulnerability. In a network-based attack, an attacker authenticated as at least a Site Owner could write arbitrary code to inject and execute code remotely on the SharePoint Server.

CISA Adds SharePoint Vulnerability to KEV Catalog

On Thursday, just two days after Microsoft warned about the risk, CISA added CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) catalog. This move triggers a mandatory three-day patching deadline for all US federal agencies under Binding Operational Directive (BOD) 26-04.

Microsoft had not initially flagged the flaw as exploited. However, the company later updated its advisory to confirm that exploitation was detected in the wild and revised the CVSS score accordingly.

Other SharePoint Bugs and Fortinet Flaws Also Under Fire

The July 2026 Patch Tuesday release also addressed several other SharePoint defects. Among them was CVE-2026-56164, which Microsoft had previously marked as exploited as a zero-day. Another critical weakness, CVE-2026-55040, is a security bypass that could allow attackers to disclose files and modify data.

Alongside the SharePoint vulnerability, CISA added two OS command injection flaws in Fortinet FortiSandbox to the KEV list: CVE-2026-25089 and CVE-2026-39808. Both were patched in June and April, respectively. These bugs allow attackers to execute arbitrary code or commands on vulnerable appliances. Exploit intelligence company Defused flagged both as exploited in the wild in mid-June.

Federal Agencies on the Clock

Under BOD 26-04, federal agencies are required to patch all three exploited vulnerabilities within three days. The directive aims to reduce the attack surface of government networks by mandating rapid remediation of known exploited flaws.

What This Means for Enterprise Security Teams

The speed of exploitation — within days of disclosure — underscores a troubling trend. Attackers are increasingly scanning for and weaponizing newly patched vulnerabilities before many organizations can apply updates. For security teams, this means the window for patching critical flaws is shrinking.

Enterprises that use SharePoint Online may be less at risk if Microsoft applies patches automatically. However, organizations running on-premises SharePoint Server instances should prioritize testing and deploying the July 2026 security updates immediately.

Broader Context: A Busy Patch Cycle

Microsoft’s July 2026 Patch Tuesday was unusually heavy, addressing a record number of vulnerabilities. The company patched 622 flaws, including two exploited zero-days. The SharePoint RCE bug was one of several critical issues that demanded immediate attention.

Beyond SharePoint and Fortinet, other vendors also pushed critical fixes. Splunk and Zoom patched critical vulnerabilities in their products, while F5 addressed multiple flaws in NGINX and BIG-IP. The pace of disclosures and exploits shows no signs of slowing.

Recommendations for CISOs and IT Admins

  • Patch immediately: Apply the July 2026 SharePoint security update across all on-premises servers. Treat CVE-2026-58644 as an active threat.
  • Check FortiSandbox appliances: Ensure that firmware updates for CVE-2026-25089 and CVE-2026-39808 are installed. These flaws are already being exploited.
  • Monitor CISA’s KEV catalog: Bookmark the list and integrate it into your vulnerability management process. BOD 26-04 may not apply to your organization, but the catalog is a reliable indicator of active threats.
  • Review access controls: The SharePoint flaw requires Site Owner-level authentication. Review who holds such privileges and consider tightening them where possible.

As the gap between disclosure and exploitation narrows, proactive patching is no longer just best practice — it’s survival. The attackers are watching the same Patch Tuesday announcements you are. The difference is they act faster.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version