CVE-2026-58644 — Microsoft SharePoint Deserialization of Untrusted Data Vulnerability

CVE-2026-58644

Microsoft SharePoint Server — Unauthenticated Remote Code Execution via Deserialization of Untrusted Data

What is Microsoft SharePoint Server?

Microsoft SharePoint Server is the on-premises document management, collaboration, and intranet platform used by enterprises and government agencies that haven't migrated fully to SharePoint Online. It stores and serves an organization's internal documents, workflows, and sensitive business content, and is deeply integrated with Active Directory, Exchange, and other on-prem Microsoft infrastructure. Because a compromised SharePoint server typically runs with a service account that has broad reach into the internal network, it is a frequent target for both espionage-motivated intrusions and post-exploitation lateral movement — the same class of product hit by the "ToolShell" SharePoint attacks in mid-2025.

Overview

CVE-2026-58644 is a deserialization of untrusted data vulnerability (CWE-502) in SharePoint Server that allows an unauthenticated, network-based attacker to achieve remote code execution without any user interaction. It shipped as part of Microsoft's July 2026 Patch Tuesday — a record release of 622 CVEs — alongside two other actively exploited SharePoint issues, CVE-2026-56164 and CVE-2026-55040. Microsoft subsequently updated its advisory on July 15, 2026 to confirm exploitation detected in the wild, and CISA added the CVE to the KEV catalog the next day with a compressed 3-day remediation window, reflecting the urgency typically reserved for actively-weaponized RCE in widely-deployed enterprise software.

Affected Versions

Product Vulnerable Fixed
SharePoint Enterprise Server 2016 < 16.0.5556.1005 16.0.5556.1005
SharePoint Server 2019 < 16.0.10417.20153 16.0.10417.20153
SharePoint Server Subscription Edition < 16.0.19725.20384 16.0.19725.20384

SharePoint Online (Microsoft 365) is not affected — Microsoft manages patching for the cloud service directly.

Technical Details

The vulnerability lies in how SharePoint deserializes objects received from the network without adequately validating their type or contents. An attacker who can reach a vulnerable endpoint can submit a specially crafted serialized payload; when SharePoint deserializes it, attacker-controlled code executes in the context of the SharePoint application pool. The attack requires no authentication and no user interaction (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8 Critical), making it a single-request, network-reachable RCE.

Public reporting groups CVE-2026-58644 with CVE-2026-50522 as a closely related pair — both are unauthenticated deserialization bugs with identical CVSS scores discovered during the same SharePoint hardening effort. CVE-2026-50522 was demonstrated live at Pwn2Own Berlin; whether CVE-2026-58644 is the same underlying gadget chain found independently, or a distinct deserialization path uncovered during the same review, is not conclusively established in public sources.

Discovery

No researcher or organization is publicly credited for CVE-2026-58644 specifically in Microsoft's advisory or subsequent reporting. It shipped alongside the July 2026 cumulative updates as part of a broader SharePoint security review that also produced CVE-2026-50522 (demonstrated at Pwn2Own Berlin), CVE-2026-56164, and CVE-2026-55040.

Exploitation Context

Microsoft confirmed exploitation in the wild in its advisory update on July 15, 2026, one day after the patch shipped — consistent with attackers reverse-engineering the patch to build a working exploit within 24 hours. CISA's July 14, 2026 alert urging SharePoint hardening, and its KEV addition the same week, group CVE-2026-58644 with CVE-2026-56164 and CVE-2026-55040 as part of a wave of active attacks against on-premises SharePoint deployments. This follows the pattern set by the 2025 "ToolShell" SharePoint campaign, where unauthenticated deserialization/auth-bypass chains in SharePoint were exploited at scale against internet-facing servers within days of disclosure.

Remediation

  1. Apply the July 2026 cumulative update for your SharePoint Server edition immediately (see version table above) — no workaround exists for a deserialization flaw of this kind.
  2. Rotate SharePoint Server machine keys (ASP.NET machineKey) after patching if exploitation is suspected, since deserialization RCE chains in SharePoint have historically been paired with machine-key theft to forge persistent authentication tokens.
  3. Restrict internet exposure: on-premises SharePoint servers should not be directly reachable from the internet; place them behind a reverse proxy/WAF with strict request validation where full isolation isn't feasible.
  4. Review IIS and SharePoint ULS logs for anomalous POST requests to SharePoint web services or unexpected w3wp.exe child processes (cmd.exe, powershell.exe) around and after July 14, 2026.
  5. Assume compromise if unpatched and internet-facing prior to July 15, 2026 — treat the server as compromised, rotate all associated credentials, and inspect for webshells or scheduled tasks dropped via the application pool identity.

Key Details

PropertyValue
CVE ID CVE-2026-58644
Vendor / Product Microsoft — SharePoint
NVD Published2026-07-14
NVD Last Modified2026-07-16
CVSS 3.1 Score9.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-502 find similar ↗
CISA KEV Added2026-07-16
CISA KEV Deadline2026-07-19
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2026-07-19. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-07-14Patched in Microsoft's July 2026 Patch Tuesday (622 CVEs total in the release)
2026-07-15Microsoft advisory updated to reflect exploitation detected in the wild
2026-07-16Added to CISA Known Exploited Vulnerabilities catalog
2026-07-19CISA BOD 22-01 remediation deadline