Cybersecurity

SharePoint Zero-Day CVE-2026-58644: Patch Now and Rotate Your Machine Keys

SharePoint CVE-2026-58644 is a CVSS 9.8 remote-code-execution zero-day already exploited in the wild. CISA gave federal agencies until July 19, 2026 to patch on-prem SharePoint Server — and rotating your IIS machine keys matters as much as the patch.

Waqas Ahmed Waseer
Waqas Ahmed Waseer Jul 18, 2026 6 min read
SharePoint Zero-Day CVE-2026-58644: Patch Now and Rotate Your Machine Keys

Microsoft SharePoint Server has a critical remote-code-execution flaw, CVE-2026-58644, that carries a CVSS score of 9.8 and is already being exploited in the wild. Microsoft patched it in the July 14 Patch Tuesday release, then quietly revised the bulletin to admit the bug had been weaponised as a zero-day before any fix existed. CISA added it to its Known Exploited Vulnerabilities catalog on July 17 and gave federal agencies until July 19 to patch. If you run SharePoint on-premises and it touches the internet, treat this as an emergency, and know that installing the patch is only half the job.

What is CVE-2026-58644?

CVE-2026-58644 is a deserialization-of-untrusted-data vulnerability in on-premises SharePoint Server. An attacker who is authenticated with at least Site Owner privileges can write and execute arbitrary code on the server over the network, which is why Microsoft rates it 9.8 with low attack complexity. It is remotely exploitable over the internet, and a Site Owner role is not a high bar on a large intranet where hundreds of staff may own a site.

The flaw affects the supported on-premises builds: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. SharePoint Online in Microsoft 365 is not affected, because Microsoft patches its own hosted environment. This is strictly a self-hosted problem, and it lands on the same on-prem servers that have absorbed a punishing run of critical bugs over the past year.

Why this is a "patch now" emergency

Three facts push CVE-2026-58644 to the top of the queue. First, it was exploited as a zero-day: attackers had working code before defenders had a patch, so any exposed server may already be compromised. Second, CISA moved fast, adding it to the KEV catalog on July 17 with a July 19 remediation deadline for federal agencies. A two-day federal window is unusually short and signals that exploitation is real and widening. Third, it is not the only SharePoint flaw under active attack right now.

CISA's advisory flags a cluster of exploited SharePoint bugs, with CVE-2026-58644 sitting alongside CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164. On-premises SharePoint has become a favourite target because it is internet-facing, holds sensitive documents, and often runs behind on patches. This is the same pattern behind other internet-facing RCEs we have covered this year, from the pre-auth flaw in Progress KEMP LoadMaster to a June Patch Tuesday that shipped six separate zero-days.

Patching alone will not save you

Here is the part most coverage skips. For a SharePoint deserialization bug, applying the update closes the door but does not evict anyone already inside. The 2025 "ToolShell" campaign taught defenders a hard lesson: once an attacker reaches code execution on SharePoint, they harvest the server's ASP.NET machine keys, and those keys let them forge signed __VIEWSTATE payloads to walk back in even after the server is fully patched. A patch does not rotate a stolen key.

That is exactly why CISA's hardening guidance goes well beyond "install the update." The agency tells SharePoint operators to enable AMSI integration, rotate IIS machine keys, and hunt for and remove machine-key harvesting tools and other intrusion artifacts before assuming the incident is closed. If your server was exposed to the internet in the days before you patched, you should assume the keys may have been taken and rotate them, then restart IIS so the change takes effect.

Your remediation checklist

Work top to bottom. Do not stop at step one.

PriorityActionWhy it matters
1Apply the July 2026 SharePoint updates on every on-prem serverCloses CVE-2026-58644 and the related exploited CVEs
2Enable AMSI in Full Mode and confirm Defender/AV is onBlocks many web-shell and deserialization payloads at runtime
3Rotate IIS machine keys, then restart IISInvalidates any keys an attacker may have already stolen
4Hunt for web shells, key-harvesting tools, and odd w3wp.exe child processesA patched box can still be a compromised box
5Pull SharePoint off the public internet or put it behind a VPN/ZTNA gatewayRemoves the exposure that makes this remotely exploitable
6Restrict Central Administration access and turn on tailored loggingLimits blast radius and gives you evidence if you are hit

If SharePoint does not need to face the public internet, the cleanest fix is to stop exposing it at all. The same principle applies to any self-hosted service you run; it is the first thing worth locking down when you set up a new server's secure first hour.

The bigger picture

CVE-2026-58644 arrived inside one of Microsoft's largest-ever Patch Tuesdays, and on-premises SharePoint keeps generating critical, actively exploited RCEs quarter after quarter. For many organisations the honest question is no longer "how fast can we patch this one" but "why is this document server still reachable from the open internet at all." Patching is mandatory and urgent here. Reducing the attack surface, so the next SharePoint zero-day is not an internet-facing crisis, is the longer-term win.

Frequently asked questions

Is CVE-2026-58644 being actively exploited? Yes. Microsoft confirmed in-the-wild exploitation and revised its advisory to mark the flaw as a zero-day, and CISA added it to the Known Exploited Vulnerabilities catalog on July 17, 2026 with a federal patch deadline of July 19.

Is SharePoint Online or Microsoft 365 affected? No. The vulnerability affects on-premises SharePoint Server only, specifically Subscription Edition, 2019, and Enterprise Server 2016. Microsoft-hosted SharePoint Online is patched by Microsoft and is not in scope.

Do I really need to rotate machine keys after patching? If your server was internet-exposed before you applied the fix, yes. Attackers who reached code execution can steal ASP.NET machine keys and reuse them to regain access after patching, so CISA advises rotating IIS machine keys and restarting IIS as part of remediation.

Does the attacker need to be authenticated? Yes, at least as a Site Owner. That is a lower bar than it sounds on a large deployment with many site owners, and combined with low attack complexity and network reach it still earns a 9.8 severity rating.

Sources

Some links may earn us a commission at no extra cost to you.

Waqas Ahmed Waseer

Waqas Ahmed Waseer

Waqas Ahmed Waseer is a developer and automation builder with 8+ years shipping production systems used by 100k+ people. He builds custom multi-tenant SaaS, AI automation (n8n, LLM workflows, WhatsApp bots) and hosting infrastructure (WHM/cPanel, CloudLinux) — and is the maker of WaSphere, FlowMaticX, and the WaseerHost hosting brand. 100+ projects delivered for SMBs, agencies and funded startups.

Related

More in Cybersecurity

View all

Discussion · 0

Be kind. Comments are public.

    Newsletter · Monday edition

    The Monday brief.

    One email every Monday morning. The week ahead in AI, startups, hosting and dev tools — no fluff, no sponsored bait.

    Free. Unsubscribe in one click.