Kai Ole Hartwig
11 min read
Critical
By

SharePoint CVE-2026-58644: deserialization enables unauthenticated RCE — now in the CISA KEV, patched since Jul 14

On 14 July 2026, as part of July Patch Tuesday, Microsoft closed CVE-2026-58644 (CVSS 3.1: 9.8, Critical; CWE-502, Deserialization of Untrusted Data). The flaw sits in Microsoft SharePoint Server and lets an unauthenticated attacker achieve remote code execution over the network without any user interaction — the classic “wormable” vulnerability profile. Just one day after the patch, on 15 July, Microsoft confirmed active exploitation in the wild; CISA soon added the CVE to its Known Exploited Vulnerabilities catalog. Affected are SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition — each below the patched build numbers. SharePoint Online (Microsoft 365) is not affected. This flaw is also not isolated: the same patch batch produced two more actively exploited zero-days, CVE-2026-56155 (AD FS, privilege escalation) and CVE-2026-56164 (SharePoint, moderate).

TL;DR — 90 seconds

Affected?

SharePoint Enterprise Server 2016 (x64) before build 16.0.5556.1005; SharePoint Server 2019 (x64) before build 16.0.10417.20153; SharePoint Server Subscription Edition (x64) before build 16.0.19725.20384. SharePoint Online (Microsoft 365) is not listed among the affected products in NVD.

Risk?

CVSS 3.1: 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Deserialization of untrusted data (CWE-502) enables remote code execution without authentication and without user interaction. Microsoft confirmed active exploitation on 15 Jul 2026; CISA added it to the KEV on 16/17 Jul 2026.

Immediate action?

Install the July 2026 security update for your SharePoint version via the official Microsoft Update Catalog or the MSRC advisory for CVE-2026-58644. Then enable AMSI integration per web application and never expose a SharePoint farm directly to the internet.

Recommendation?

For internet-reachable farms: patch today, not in the next maintenance window. US federal agencies (FCEB) had to remediate by 19 Jul 2026 per the CISA KEV entry — a reasonable yardstick for urgency outside the US as well.

Criticality?

critical — unauthenticated RCE, actively exploited, in the CISA KEV, the third zero-day from the same patch batch.

What is the problem?

CVE-2026-58644 is a deserialization vulnerability (CWE-502, “Deserialization of Untrusted Data”) in Microsoft SharePoint Server. In this bug class, the application processes serialized object data from an untrusted source without sufficiently validating its origin or structure — an attacker can inject specially crafted serialized data that, once deserialized, executes arbitrary code in the context of the SharePoint application process.

The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H shows the full extent: network-based attack (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and complete loss of confidentiality, integrity, and availability. In practice: an attacker who can reach a vulnerable SharePoint web application over the network needs neither an account nor any user interaction to execute code on the server.

Microsoft initially rated the flaw as “exploitation more likely” when it was first published on 14 July 2026, then updated the assessment the very next day to confirmed active exploitation — a pattern repeatedly seen with SharePoint deserialization bugs since the ToolShell incident (CVE-2025-53770/-53771) the year before.

Who is affected?

AffectedNot affectedConditions
SharePoint Enterprise Server 2016 (x64) before build 16.0.5556.1005SharePoint Online (Microsoft 365) — operated centrally by Microsoft, not listed among this CVE's affected products in NVDAttacker must be able to reach the SharePoint web application over the network
SharePoint Server 2019 (x64) before build 16.0.10417.20153Farms already updated to the patched build numbersNo authentication and no user interaction required (PR:N, UI:N)
SharePoint Server Subscription Edition (x64) before build 16.0.19725.20384Pure SharePoint Foundation installs with no network reachability (reduced, not eliminated, risk)Especially critical with direct internet exposure or missing network segmentation

Get the exact build comparison via (Get-SPFarm).BuildVersion in the SharePoint Management Shell, or the server overview in Central Administration under “Manage servers in this farm.”

Impact

The impact is maximal in the literal sense: CVSS 9.8 with complete loss of confidentiality, integrity, and availability means a successful attack effectively hands the attacker control over the SharePoint application process — with access to every document, list, and permission structure stored in the farm, plus the ability to move laterally into connected systems (Active Directory integration, file shares, linked services).

Particularly relevant for risk assessment: this flaw is already being actively exploited, not merely theoretically vulnerable. Microsoft's own re-assessment from “likely exploited” to “actively exploited” within a single day shows how quickly the situation can shift for a freshly patched but publicly referenced vulnerability — organizations that deferred the patch based on the initial assessment were sitting on a stale risk decision within 24 hours.

Because SharePoint servers are, in many organizations, run as a central document and collaboration store with deep AD integration, the blast radius of a successful attack is typically far larger than an isolated application compromise.

Mitigation / immediate steps

Operational decision block

Step 1 — check build version and patch

 

# check the farm's current build version (SharePoint Management Shell)
(Get-SPFarm).BuildVersion

# target values (patched, July 2026):
# SharePoint Enterprise Server 2016:        16.0.5556.1005
# SharePoint Server 2019:                   16.0.10417.20153
# SharePoint Server Subscription Edition:    16.0.19725.20384

# get the matching security update for your version and language
# exclusively via the official MSRC advisory for CVE-2026-58644:
# msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58644
# (it lists the exact update/KB mapping per farm configuration —
#  we deliberately don't quote a KB number here to avoid a wrong match)

 

Step 2 — enable AMSI integration

Microsoft lists Antimalware Scan Interface (AMSI) integration per web application as an additional mitigation that can detect and block malicious POST requests — independent of patch status. See Microsoft's “SharePoint Server security-hardening guidance”, linked in the sources below, for the exact configuration steps per SharePoint version.

Step 3 — reduce exposure

 

# rule of thumb, independent of patch status:
# - never expose SharePoint Central Administration to the internet
# - only expose web applications via a reverse proxy/WAF with restricted paths
# - review network segmentation between the SharePoint farm and the rest of the internal network

Detection / verification

Check patch status

 

# SharePoint Management Shell
(Get-SPFarm).BuildVersion

# alternatively: Central Administration → System Settings →
# “Manage servers in this farm” → compare the build number per server

 

Review logs for anomalies

At the time of writing, no publicly published indicators of compromise (IOCs) specific to CVE-2026-58644 itself were available from Microsoft or CISA in the sources we reviewed — the steps below are generic best practices derived from prior SharePoint deserialization RCEs (such as ToolShell, CVE-2025-53770/-53771), not confirmed indicators for this specific flaw:

 

# review IIS/ULS logs for unusual POST requests since 14 Jul 2026,
# especially from unexpected external source IPs
# ULS log directory (default):
# %ProgramFiles%\Common Files\microsoft shared\Web Server Extensions\16\LOGS

# unexpected child processes of the SharePoint IIS worker process (w3wp.exe)
# are a classic post-exploitation indicator for .NET deserialization RCEs
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object { $_.Message -match 'w3wp.exe' }

# check for unexpected new or modified files under the SharePoint web root/LAYOUTS directory
Get-ChildItem "$env:ProgramFiles\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS" -Recurse | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }

 

If anything looks suspicious: CISA and Microsoft generally recommend rotating the farm's IIS/ASP.NET machine keys where exploitation is suspected, since deserialization attacks of this class have historically enabled follow-on attacks built on stolen machine keys in the SharePoint ecosystem — again, this is precedent-based guidance, not a confirmed statement about CVE-2026-58644 itself.

Operator guidance

Mid-market

Patch immediately, not in the next maintenance window — CVSS 9.8, confirmed active exploitation, and CISA KEV listing justify an emergency rollout outside the regular cycle, especially for internet-reachable farms.

Enterprise / multi-site

In addition to patching: enable AMSI integration per web application, reduce the farm's network exposure (no direct internet reachability for Central Administration), and review logs retroactively since 14 Jul 2026 for anomalies. If there are signs of compromise: prioritize machine-key rotation and forensic analysis over patching alone.

Public sector / regulated industries

US federal agencies (FCEB) had to remediate by 19 Jul 2026 per the CISA KEV entry — a three-day window from listing. Even without a direct equivalent reporting obligation elsewhere, this timeframe is a realistic yardstick for urgency at any organization with elevated protection needs.

Decision block

Act today if: SharePoint Server 2016/2019/Subscription Edition is running in production, network-reachable, and unpatched. Monitoring is enough if: you exclusively use SharePoint Online, or the farm is already on the patched build and exposure is minimized.

Frequently asked questions about CVE-2026-58644

Is this the same flaw as the other two zero-days from July Patch Tuesday?+

No. The same patch batch produced three separate, actively exploited zero-days: CVE-2026-56155 (AD FS, CVSS 7.8, privilege escalation to administrator rights), CVE-2026-56164 (SharePoint, CVSS 5.3, moderate, mitigable via AMSI), and CVE-2026-58644 (SharePoint, CVSS 9.8, unauthenticated RCE via deserialization — the most severe of the three and, per our sources, the only one added to the KEV).

Does this also affect SharePoint Online / Microsoft 365?+

Based on the affected products listed in NVD, no — the CVE affects on-premises editions only (Enterprise Server 2016, Server 2019, Subscription Edition). SharePoint Online is operated and patched centrally by Microsoft and does not appear in this CVE's product list.

Is patching enough, or do I also need to rotate machine keys?+

The patch closes the flaw against future exploitation but says nothing about whether your farm was already compromised before you applied it. Without confirmed signs of compromise, patching plus hardening (AMSI, reduced exposure) is sufficient. If logs or the filesystem show anything suspicious, additionally rotate machine keys and investigate forensically before considering the farm clean.

What does the CISA KEV listing mean for organizations outside the US?+

Formally, the KEV catalog only obligates US federal agencies (FCEB) to a deadline — here, 19 Jul 2026. In practice, though, listing is a reliable, CISA-curated indicator that a flaw is confirmed being exploited in the wild, regardless of borders. The three-day window is a reasonable yardstick for your own prioritization.

Are there publicly known indicators of compromise (IOCs)?+

As of this writing, none of the sources we checked (MSRC, NVD, CISA, Tenable) had published specific IOCs for CVE-2026-58644 itself — unlike, for example, the 2025 ToolShell incident, for which concrete webshell paths became known. Until such indicators are published, generic log and process monitoring remains the practical safeguard.

Why is CVSS 9.8 justified here when it's "just" deserialization?+

Deserialization flaws in .NET web applications like SharePoint frequently lead directly to code execution in practice, not merely a crash or data leak — the attacker controls the deserialized objects and, through them, potentially the application's control flow. Combined with no authentication requirement (PR:N) and no user interaction (UI:N), the result is the maximum impact across all three CIA axes that the score reflects.

Conclusion

CVE-2026-58644 is not an academic exercise: CVSS 9.8, unauthenticated RCE via deserialization, confirmed actively exploited within a day of publication, and now in the CISA KEV. Also notable is the context — it's already the third actively exploited zero-day from the same July Patch Tuesday batch, alongside CVE-2026-56155 (AD FS) and CVE-2026-56164 (SharePoint, moderate). Microsoft changing its exploitation assessment from “likely” to “active” within 24 hours is a clear reminder: Patch Tuesday's initial ratings are a snapshot, not a final prioritization — re-triage in the days after is mandatory, not optional. And regardless of patch status, the rule still stands: SharePoint farms don't belong directly on the internet.

Sources

I audit your SharePoint and Windows Server landscape for patch status and exposure, harden network access and logging, and support you with initial forensic steps if compromise is suspected.

Build-version checks, AMSI enablement, exposure reduction, and log review since the patch date — for SharePoint as well as adjacent on-premises systems.

Ongoing platform operations, not paper advice: I continuously check, patch, and harden your infrastructure.

Book a call

About the author

[Translate to English:] Foto von Kai Ole Hartwig.

Kai Ole Hartwig

Freelance DevSecOps consultant · OnlyOle Consulting

Programming since 2002 – self-taught, set up my own business with KO-Web in 2012. Over 100 projects, with a focus on security, performance, automation and quality. Today freelance: DevSecOps consulting, training and software development.