What is Microsoft SharePoint Server?
Microsoft SharePoint Server is the on-premises document management, collaboration, and intranet platform used by enterprises and government agencies that haven't migrated fully to SharePoint Online. It stores and serves an organization's internal documents, workflows, and sensitive business content, and is deeply integrated with Active Directory, Exchange, and other on-prem Microsoft infrastructure. Because a compromised SharePoint server typically runs with a service account that has broad reach into the internal network, it is a frequent target for both espionage-motivated intrusions and post-exploitation lateral movement — the same class of product hit by the "ToolShell" SharePoint attacks in mid-2025.
Overview
CVE-2026-58644 is a deserialization of untrusted data vulnerability (CWE-502) in SharePoint Server that allows an unauthenticated, network-based attacker to achieve remote code execution without any user interaction. It shipped as part of Microsoft's July 2026 Patch Tuesday — a record release of 622 CVEs — alongside two other actively exploited SharePoint issues, CVE-2026-56164 and CVE-2026-55040. Microsoft subsequently updated its advisory on July 15, 2026 to confirm exploitation detected in the wild, and CISA added the CVE to the KEV catalog the next day with a compressed 3-day remediation window, reflecting the urgency typically reserved for actively-weaponized RCE in widely-deployed enterprise software.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| SharePoint Enterprise Server 2016 | < 16.0.5556.1005 | 16.0.5556.1005 |
| SharePoint Server 2019 | < 16.0.10417.20153 | 16.0.10417.20153 |
| SharePoint Server Subscription Edition | < 16.0.19725.20384 | 16.0.19725.20384 |
SharePoint Online (Microsoft 365) is not affected — Microsoft manages patching for the cloud service directly.
Technical Details
The vulnerability lies in how SharePoint deserializes objects received from the network without adequately validating their type or contents. An attacker who can reach a vulnerable endpoint can submit a specially crafted serialized payload; when SharePoint deserializes it, attacker-controlled code executes in the context of the SharePoint application pool. The attack requires no authentication and no user interaction (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8 Critical), making it a single-request, network-reachable RCE.
Public reporting groups CVE-2026-58644 with CVE-2026-50522 as a closely related pair — both are unauthenticated deserialization bugs with identical CVSS scores discovered during the same SharePoint hardening effort. CVE-2026-50522 was demonstrated live at Pwn2Own Berlin; whether CVE-2026-58644 is the same underlying gadget chain found independently, or a distinct deserialization path uncovered during the same review, is not conclusively established in public sources.
Discovery
No researcher or organization is publicly credited for CVE-2026-58644 specifically in Microsoft's advisory or subsequent reporting. It shipped alongside the July 2026 cumulative updates as part of a broader SharePoint security review that also produced CVE-2026-50522 (demonstrated at Pwn2Own Berlin), CVE-2026-56164, and CVE-2026-55040.
Exploitation Context
Microsoft confirmed exploitation in the wild in its advisory update on July 15, 2026, one day after the patch shipped — consistent with attackers reverse-engineering the patch to build a working exploit within 24 hours. CISA's July 14, 2026 alert urging SharePoint hardening, and its KEV addition the same week, group CVE-2026-58644 with CVE-2026-56164 and CVE-2026-55040 as part of a wave of active attacks against on-premises SharePoint deployments. This follows the pattern set by the 2025 "ToolShell" SharePoint campaign, where unauthenticated deserialization/auth-bypass chains in SharePoint were exploited at scale against internet-facing servers within days of disclosure.
Remediation
- Apply the July 2026 cumulative update for your SharePoint Server edition immediately (see version table above) — no workaround exists for a deserialization flaw of this kind.
- Rotate SharePoint Server machine keys (ASP.NET
machineKey) after patching if exploitation is suspected, since deserialization RCE chains in SharePoint have historically been paired with machine-key theft to forge persistent authentication tokens. - Restrict internet exposure: on-premises SharePoint servers should not be directly reachable from the internet; place them behind a reverse proxy/WAF with strict request validation where full isolation isn't feasible.
- Review IIS and SharePoint ULS logs for anomalous POST requests to SharePoint web services or unexpected w3wp.exe child processes (cmd.exe, powershell.exe) around and after July 14, 2026.
- Assume compromise if unpatched and internet-facing prior to July 15, 2026 — treat the server as compromised, rotate all associated credentials, and inspect for webshells or scheduled tasks dropped via the application pool identity.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-58644 |
| Vendor / Product | Microsoft — SharePoint |
| NVD Published | 2026-07-14 |
| NVD Last Modified | 2026-07-16 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-502 find similar ↗ |
| CISA KEV Added | 2026-07-16 |
| CISA KEV Deadline | 2026-07-19 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-07-14 | Patched in Microsoft's July 2026 Patch Tuesday (622 CVEs total in the release) |
| 2026-07-15 | Microsoft advisory updated to reflect exploitation detected in the wild |
| 2026-07-16 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-07-19 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2026-58644 | Vendor Advisory |
| NVD — CVE-2026-58644 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| CISA Urges SharePoint Hardening After New Exploitations | US Government |
| Zero Day Initiative — The July 2026 Security Update Review | Security Research |
| CISA Warns Admins to Patch Actively Exploited SharePoint Flaws | News |