CISA flags a new SharePoint flaw as actively exploited

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new Microsoft SharePoint Server vulnerability to its Known Exploited Vulnerabilities catalog, confirming that attackers are already using it in real world intrusions. The flaw, tracked as CVE-2026-58644, is a deserialization of untrusted data bug, a class of weakness that can let an attacker run code of their choosing on a server and, as CISA puts it, gain total control of the asset after exploitation.

What's affected

The vulnerability sits in on premises Microsoft SharePoint Server, the collaboration platform many organizations use to host intranets, document libraries and team sites. SharePoint frequently holds sensitive corporate data and is often exposed to the internet, which makes it a recurring target. This is the second SharePoint deserialization flaw CISA has confirmed under active attack in recent weeks, following a separate SharePoint bug added to the same catalog.

Deserialization, briefly

Deserialization flaws occur when software rebuilds stored or transmitted data back into live objects without properly checking it first. If an attacker can smuggle in a malicious payload, the server can be tricked into executing it, handing over remote code execution. On a system as widely deployed and data rich as SharePoint, that can mean a foothold deep inside a corporate network.

What you should do

CISA has not named the groups behind the exploitation or the scope of the campaign, but a KEV listing means the activity is confirmed rather than theoretical. Under Binding Operational Directive 26-04, federal civilian agencies must prioritize rapid remediation of KEV listed flaws on internet facing systems, and CISA urges every organization to do the same. Administrators should apply Microsoft's SharePoint security updates without delay, restrict internet exposure of SharePoint servers where possible, and check for signs of compromise on any server that was reachable before patching. The same KEV update also flagged two Fortinet FortiSandbox command injection flaws, CVE-2026-25089 and CVE-2026-39808, that IntelFusions previously reported as under active exploitation.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions