SharePoint CVE-2026-58644: deserialization enables unauthenticated RCE — now in the CISA KEV, patched since Jul 14
On 14 July 2026, as part of July Patch Tuesday, Microsoft closed CVE-2026-58644 (CVSS 3.1: 9.8, Critical; CWE-502, Deserialization of Untrusted Data). The flaw sits in Microsoft SharePoint Server and lets an unauthenticated attacker achieve remote code execution over the network without any user interaction — the classic “wormable” vulnerability profile. Just one day after the patch, on 15 July, Microsoft confirmed active exploitation in the wild; CISA soon added the CVE to its Known Exploited Vulnerabilities catalog. Affected are SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition — each below the patched build numbers. SharePoint Online (Microsoft 365) is not affected. This flaw is also not isolated: the same patch batch produced two more actively exploited zero-days, CVE-2026-56155 (AD FS, privilege escalation) and CVE-2026-56164 (SharePoint, moderate).
TL;DR — 90 seconds
- Affected?
SharePoint Enterprise Server 2016 (x64) before build 16.0.5556.1005; SharePoint Server 2019 (x64) before build 16.0.10417.20153; SharePoint Server Subscription Edition (x64) before build 16.0.19725.20384. SharePoint Online (Microsoft 365) is not listed among the affected products in NVD.
- Risk?
CVSS 3.1: 9.8 (Critical) —
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Deserialization of untrusted data (CWE-502) enables remote code execution without authentication and without user interaction. Microsoft confirmed active exploitation on 15 Jul 2026; CISA added it to the KEV on 16/17 Jul 2026.- Immediate action?
Install the July 2026 security update for your SharePoint version via the official Microsoft Update Catalog or the MSRC advisory for CVE-2026-58644. Then enable AMSI integration per web application and never expose a SharePoint farm directly to the internet.
- Recommendation?
For internet-reachable farms: patch today, not in the next maintenance window. US federal agencies (FCEB) had to remediate by 19 Jul 2026 per the CISA KEV entry — a reasonable yardstick for urgency outside the US as well.
- Criticality?
critical — unauthenticated RCE, actively exploited, in the CISA KEV, the third zero-day from the same patch batch.
What is the problem?
CVE-2026-58644 is a deserialization vulnerability (CWE-502, “Deserialization of Untrusted Data”) in Microsoft SharePoint Server. In this bug class, the application processes serialized object data from an untrusted source without sufficiently validating its origin or structure — an attacker can inject specially crafted serialized data that, once deserialized, executes arbitrary code in the context of the SharePoint application process.
The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H shows the full extent: network-based attack (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and complete loss of confidentiality, integrity, and availability. In practice: an attacker who can reach a vulnerable SharePoint web application over the network needs neither an account nor any user interaction to execute code on the server.
Microsoft initially rated the flaw as “exploitation more likely” when it was first published on 14 July 2026, then updated the assessment the very next day to confirmed active exploitation — a pattern repeatedly seen with SharePoint deserialization bugs since the ToolShell incident (CVE-2025-53770/-53771) the year before.
Who is affected?
| Affected | Not affected | Conditions |
|---|---|---|
| SharePoint Enterprise Server 2016 (x64) before build 16.0.5556.1005 | SharePoint Online (Microsoft 365) — operated centrally by Microsoft, not listed among this CVE's affected products in NVD | Attacker must be able to reach the SharePoint web application over the network |
| SharePoint Server 2019 (x64) before build 16.0.10417.20153 | Farms already updated to the patched build numbers | No authentication and no user interaction required (PR:N, UI:N) |
| SharePoint Server Subscription Edition (x64) before build 16.0.19725.20384 | Pure SharePoint Foundation installs with no network reachability (reduced, not eliminated, risk) | Especially critical with direct internet exposure or missing network segmentation |
Get the exact build comparison via (Get-SPFarm).BuildVersion in the SharePoint Management Shell, or the server overview in Central Administration under “Manage servers in this farm.”
Impact
The impact is maximal in the literal sense: CVSS 9.8 with complete loss of confidentiality, integrity, and availability means a successful attack effectively hands the attacker control over the SharePoint application process — with access to every document, list, and permission structure stored in the farm, plus the ability to move laterally into connected systems (Active Directory integration, file shares, linked services).
Particularly relevant for risk assessment: this flaw is already being actively exploited, not merely theoretically vulnerable. Microsoft's own re-assessment from “likely exploited” to “actively exploited” within a single day shows how quickly the situation can shift for a freshly patched but publicly referenced vulnerability — organizations that deferred the patch based on the initial assessment were sitting on a stale risk decision within 24 hours.
Because SharePoint servers are, in many organizations, run as a central document and collaboration store with deep AD integration, the blast radius of a successful attack is typically far larger than an isolated application compromise.
Mitigation / immediate steps
Operational decision block
- Act now if … your SharePoint farm (2016, 2019, or Subscription Edition) is reachable from the internet or from a large internal network segment and has not yet been updated to the patched build number.
- Check with priority if … your farm is only internally reachable but runs multiple web applications with different authentication configurations.
- Next regular window if … you exclusively use SharePoint Online (Microsoft 365) — this CVE affects on-premises installations only.
Step 1 — check build version and patch
# check the farm's current build version (SharePoint Management Shell)
(Get-SPFarm).BuildVersion
# target values (patched, July 2026):
# SharePoint Enterprise Server 2016: 16.0.5556.1005
# SharePoint Server 2019: 16.0.10417.20153
# SharePoint Server Subscription Edition: 16.0.19725.20384
# get the matching security update for your version and language
# exclusively via the official MSRC advisory for CVE-2026-58644:
# msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58644
# (it lists the exact update/KB mapping per farm configuration —
# we deliberately don't quote a KB number here to avoid a wrong match)
Step 2 — enable AMSI integration
Microsoft lists Antimalware Scan Interface (AMSI) integration per web application as an additional mitigation that can detect and block malicious POST requests — independent of patch status. See Microsoft's “SharePoint Server security-hardening guidance”, linked in the sources below, for the exact configuration steps per SharePoint version.
Step 3 — reduce exposure
# rule of thumb, independent of patch status:
# - never expose SharePoint Central Administration to the internet
# - only expose web applications via a reverse proxy/WAF with restricted paths
# - review network segmentation between the SharePoint farm and the rest of the internal networkDetection / verification
Check patch status
# SharePoint Management Shell
(Get-SPFarm).BuildVersion
# alternatively: Central Administration → System Settings →
# “Manage servers in this farm” → compare the build number per server
Review logs for anomalies
At the time of writing, no publicly published indicators of compromise (IOCs) specific to CVE-2026-58644 itself were available from Microsoft or CISA in the sources we reviewed — the steps below are generic best practices derived from prior SharePoint deserialization RCEs (such as ToolShell, CVE-2025-53770/-53771), not confirmed indicators for this specific flaw:
# review IIS/ULS logs for unusual POST requests since 14 Jul 2026,
# especially from unexpected external source IPs
# ULS log directory (default):
# %ProgramFiles%\Common Files\microsoft shared\Web Server Extensions\16\LOGS
# unexpected child processes of the SharePoint IIS worker process (w3wp.exe)
# are a classic post-exploitation indicator for .NET deserialization RCEs
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object { $_.Message -match 'w3wp.exe' }
# check for unexpected new or modified files under the SharePoint web root/LAYOUTS directory
Get-ChildItem "$env:ProgramFiles\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS" -Recurse | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
If anything looks suspicious: CISA and Microsoft generally recommend rotating the farm's IIS/ASP.NET machine keys where exploitation is suspected, since deserialization attacks of this class have historically enabled follow-on attacks built on stolen machine keys in the SharePoint ecosystem — again, this is precedent-based guidance, not a confirmed statement about CVE-2026-58644 itself.
Operator guidance
Mid-market
Patch immediately, not in the next maintenance window — CVSS 9.8, confirmed active exploitation, and CISA KEV listing justify an emergency rollout outside the regular cycle, especially for internet-reachable farms.
Enterprise / multi-site
In addition to patching: enable AMSI integration per web application, reduce the farm's network exposure (no direct internet reachability for Central Administration), and review logs retroactively since 14 Jul 2026 for anomalies. If there are signs of compromise: prioritize machine-key rotation and forensic analysis over patching alone.
Public sector / regulated industries
US federal agencies (FCEB) had to remediate by 19 Jul 2026 per the CISA KEV entry — a three-day window from listing. Even without a direct equivalent reporting obligation elsewhere, this timeframe is a realistic yardstick for urgency at any organization with elevated protection needs.
Decision block
Act today if: SharePoint Server 2016/2019/Subscription Edition is running in production, network-reachable, and unpatched. Monitoring is enough if: you exclusively use SharePoint Online, or the farm is already on the patched build and exposure is minimized.
Frequently asked questions about CVE-2026-58644
Is this the same flaw as the other two zero-days from July Patch Tuesday?+
No. The same patch batch produced three separate, actively exploited zero-days: CVE-2026-56155 (AD FS, CVSS 7.8, privilege escalation to administrator rights), CVE-2026-56164 (SharePoint, CVSS 5.3, moderate, mitigable via AMSI), and CVE-2026-58644 (SharePoint, CVSS 9.8, unauthenticated RCE via deserialization — the most severe of the three and, per our sources, the only one added to the KEV).
Does this also affect SharePoint Online / Microsoft 365?+
Is patching enough, or do I also need to rotate machine keys?+
The patch closes the flaw against future exploitation but says nothing about whether your farm was already compromised before you applied it. Without confirmed signs of compromise, patching plus hardening (AMSI, reduced exposure) is sufficient. If logs or the filesystem show anything suspicious, additionally rotate machine keys and investigate forensically before considering the farm clean.
What does the CISA KEV listing mean for organizations outside the US?+
Formally, the KEV catalog only obligates US federal agencies (FCEB) to a deadline — here, 19 Jul 2026. In practice, though, listing is a reliable, CISA-curated indicator that a flaw is confirmed being exploited in the wild, regardless of borders. The three-day window is a reasonable yardstick for your own prioritization.
Are there publicly known indicators of compromise (IOCs)?+
As of this writing, none of the sources we checked (MSRC, NVD, CISA, Tenable) had published specific IOCs for CVE-2026-58644 itself — unlike, for example, the 2025 ToolShell incident, for which concrete webshell paths became known. Until such indicators are published, generic log and process monitoring remains the practical safeguard.
Why is CVSS 9.8 justified here when it's "just" deserialization?+
Deserialization flaws in .NET web applications like SharePoint frequently lead directly to code execution in practice, not merely a crash or data leak — the attacker controls the deserialized objects and, through them, potentially the application's control flow. Combined with no authentication requirement (PR:N) and no user interaction (UI:N), the result is the maximum impact across all three CIA axes that the score reflects.
Conclusion
CVE-2026-58644 is not an academic exercise: CVSS 9.8, unauthenticated RCE via deserialization, confirmed actively exploited within a day of publication, and now in the CISA KEV. Also notable is the context — it's already the third actively exploited zero-day from the same July Patch Tuesday batch, alongside CVE-2026-56155 (AD FS) and CVE-2026-56164 (SharePoint, moderate). Microsoft changing its exploitation assessment from “likely” to “active” within 24 hours is a clear reminder: Patch Tuesday's initial ratings are a snapshot, not a final prioritization — re-triage in the days after is mandatory, not optional. And regardless of patch status, the rule still stands: SharePoint farms don't belong directly on the internet.
Sources
- Microsoft MSRC — Security Update Guide: CVE-2026-58644
- NVD — CVE-2026-58644 Detail
- CISA — Known Exploited Vulnerabilities Catalog
- The Hacker News — CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV (Jul 17, 2026)
- Tenable — Microsoft's July 2026 Patch Tuesday: CVE-2026-56155 & CVE-2026-56164
- ComplianceHub.Wiki — Microsoft's Record July 2026 Patch Tuesday: SharePoint Zero-Day & KEV
I audit your SharePoint and Windows Server landscape for patch status and exposure, harden network access and logging, and support you with initial forensic steps if compromise is suspected.
Build-version checks, AMSI enablement, exposure reduction, and log review since the patch date — for SharePoint as well as adjacent on-premises systems.
Ongoing platform operations, not paper advice: I continuously check, patch, and harden your infrastructure.
About the author
![[Translate to English:] Foto von Kai Ole Hartwig.](/fileadmin/_processed_/e/9/csm_ole-neu_73323ad80d.jpeg)
Kai Ole Hartwig
Programming since 2002 – self-taught, set up my own business with KO-Web in 2012. Over 100 projects, with a focus on security, performance, automation and quality. Today freelance: DevSecOps consulting, training and software development.
