Executive Summary
CVE-2026-58644 is a critical unauthenticated remote code execution vulnerability in Microsoft SharePoint caused by insecure deserialization of untrusted data (CWE-502). An attacker with network access to a SharePoint server can send a specially crafted request to trigger deserialization of attacker-controlled content, achieving code execution under the SharePoint application pool identity — typically a domain service account with broad network access.
CISA added CVE-2026-58644 to the Known Exploited Vulnerabilities catalogue on 16 July 2026 with an unusually short remediation deadline of 19 July 2026 (three business days), consistent with confirmed or imminent active exploitation. The tight deadline aligns with CISA’s BOD 26-04 guidance for high-priority patching.
SharePoint is a high-value target. It hosts internal documents, collaboration workflows, HR records, and frequently holds credentials and service account details in configuration files or site content. Compromising a SharePoint server in an enterprise environment routinely provides lateral movement paths to Active Directory and adjacent systems.
Affected Versions
Microsoft SharePoint has multiple product lines sharing the same code base. All of the following are affected unless patched:
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016
SharePoint Online (Microsoft 365) is not affected — Microsoft applies patches to cloud-hosted instances directly. Organizations running on-premises SharePoint deployments must apply the update manually.
Exact version boundaries are documented in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58644.
Vulnerability Details
Deserialization vulnerabilities in .NET applications typically involve object graphs being reconstructed from attacker-supplied byte streams. When a .NET application deserializes untrusted data using unsafe formatters — historically BinaryFormatter, NetDataContractSerializer, or similar — an attacker can craft a payload that invokes arbitrary code through .NET’s object construction mechanism, often using gadget chains from commonly loaded assemblies.
SharePoint has a history of deserialization vulnerabilities along this pattern. CVE-2019-0604 exploited a deserialization flaw in SharePoint’s SOAP web services to achieve pre-authentication RCE. CVE-2024-38094 similarly targeted SharePoint’s deserialization handling and was actively exploited by ransomware operators within weeks of disclosure.
CVE-2026-58644 follows the same class. Microsoft’s advisory describes the attack as code execution over a network by an unauthorized attacker, confirming the pre-authentication nature of the flaw. The specific endpoint and gadget chain have not been publicly detailed as of this writing, consistent with Microsoft’s practice of withholding exploitation mechanics immediately post-patch. Based on the CVE’s CWE-502 classification and Microsoft’s description, the vulnerable code path processes incoming HTTP or SOAP requests without first authenticating the request and deserializes attacker-supplied content as part of that processing.
CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). All high severity components reflect the worst case: network-reachable, low attack complexity, no privilege requirement, no user interaction needed, and full compromise of confidentiality, integrity, and availability.
Exploitation in the Wild
CISA’s 16 July 2026 KEV addition with a 19 July deadline indicates that exploitation has been confirmed or is considered by CISA to be imminent based on threat intelligence. The three-day deadline is shorter than the standard 21-day window applied to newly discovered vulnerabilities and signals elevated urgency.
No specific threat actor or campaign has been publicly attributed at time of writing. SharePoint deserialization vulnerabilities have historically been exploited by:
- Initial access brokers selling footholds into enterprise networks
- Ransomware operators using SharePoint as a lateral movement pivot after initial domain access
- Nation-state actors (specifically APT groups associated with China, Iran, and Russia) who have exploited prior SharePoint CVEs including CVE-2019-0604 and CVE-2024-38094
CVE-2024-38094 was exploited in the wild as early as 2024 to achieve persistent access to SharePoint farms used by government agencies, with attackers using the SharePoint identity to pivot into Active Directory and establish domain persistence. A similar operational pattern is expected for CVE-2026-58644.
Shodan and Censys scanning data consistently shows tens of thousands of on-premises SharePoint instances directly exposed to the internet, primarily in education, government, and manufacturing sectors. These are the most immediately exposed population.
Patch and Remediation
Apply the Microsoft security update released for CVE-2026-58644 immediately. The update is available through Windows Update, Microsoft Update Catalog, and Windows Server Update Services (WSUS). For federal agencies, CISA’s BOD 26-04 requires application by 19 July 2026.
For organizations that cannot patch immediately:
- Restrict network access to SharePoint from untrusted networks. SharePoint web front ends should not be exposed directly to the internet without a web application firewall or reverse proxy.
- Review IIS and SharePoint ULS logs for anomalous POST requests to SharePoint’s SOAP endpoints or API paths.
- Ensure SharePoint application pool identities operate under least-privilege service accounts and not domain administrator credentials.
There is no workaround that removes the attack surface without restricting SharePoint functionality. The patch is the required remediation.
Detection
Look for the following indicators:
Network-level: Anomalous POST requests to SharePoint SOAP endpoints (/_vti_bin/, /_api/, /_layouts/) from untrusted source IP ranges, especially without a valid authentication token in the Authorization header.
IIS logs: HTTP 500 responses to POST requests targeting SharePoint service endpoints may indicate failed exploitation attempts. HTTP 200 responses to the same patterns warrant investigation.
Process execution: Unusual child processes spawned from w3wp.exe (the IIS worker process hosting SharePoint) — particularly cmd.exe, powershell.exe, or wscript.exe. SharePoint application pools should not routinely spawn shell processes.
SharePoint ULS logs: Located at %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\LOGS\, ULS logs capture SharePoint application events. Look for deserialization exceptions or unexpected process execution events.
Windows Event Logs: Event ID 4688 (Process Creation) on SharePoint servers, filtered for w3wp.exe parent processes spawning unexpected child processes.
If exploitation is suspected, preserve SharePoint ULS logs, IIS logs, and Windows Event Logs before applying the patch, as patching may alter system state relevant to forensic investigation.