Microsoft SharePoint Server Deserialization RCE Exploited as Zero-Day, Now Added to CISA KEV (CVE-2026-58644 / CVE-2026-50522)
Scope: Microsoft SharePoint Server 2016, 2019, and Subscription Edition (All On-Premises Deployments)
Severity: Red
CISA added CVE-2026-58644 to its KEV catalog on July 17, 2026, confirming that the vulnerability was weaponized as a zero-day before Microsoft's July 14 patch became available, with CISA warning of active exploitation across all supported on-premises SharePoint versions involving IIS machine key theft, deserialization-based persistence, and malware deployment. Both CVE-2026-58644 and its sibling CVE-2026-50522 (CVSS 9.8 each) are unauthenticated deserialization of untrusted data flaws in SharePoint's core object handling, requiring no credentials and no user interaction, with CVE-2026-50522 having been demonstrated as a working exploit at Pwn2Own Berlin before patching. SharePoint is deployed as the primary intranet and document management platform across government and enterprise environments in Uganda, making unpatched on-premises farms an immediate critical risk. Organizations must apply the July 14, 2026 SharePoint cumulative update to all on-premises farms immediately, prioritizing internet-facing deployments, and scan IIS logs and SharePoint ULS logs for unauthorized POST requests and anomalous deserialization activity as indicators of prior compromise.
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.