Microsoft has disclosed CVE-2026-58644, a critical unauthenticated remote code execution vulnerability affecting supported on-premises editions of SharePoint Server. The flaw carries a CVSS 3.1 base score of 9.8 and can reportedly be exploited over a network without credentials or user interaction.
Published through the Microsoft Security Response Center on July 14, 2026, the vulnerability stems from deserialization of untrusted data in Microsoft Office SharePoint. Microsoft’s record says a successful attacker could execute code remotely, with potentially high impact to confidentiality, integrity, and availability.
The affected-product data points to updates Microsoft released on June 9, rather than a new set of SharePoint packages issued with July Patch Tuesday. That means administrators who installed the June 2026 SharePoint security updates may already have the relevant fix, but farms below Microsoft’s specified build levels remain exposed.
CVE-2026-58644 applies to all three supported branches of Microsoft’s on-premises collaboration platform:
The fixed build for SharePoint Server 2016 is delivered through the June 9 security update KB5002880, with KB5002881 covering the corresponding language-pack components. SharePoint Server 2019 reaches build 16.0.10417.20153 through KB5002874, while SharePoint Server Subscription Edition reaches build 16.0.19725.20384 through KB5002873.
SharePoint updates are cumulative, so a newer properly installed update should also contain the correction. Administrators should nevertheless verify actual farm build levels rather than assuming that Windows Update, Configuration Manager, or a third-party deployment platform completed every stage of the SharePoint servicing process.
That distinction matters because installing update binaries is not always the end of a SharePoint maintenance window. Farm administrators must confirm that required configuration actions completed across every server and that no node was left on an older patch level.
In a vulnerable server application, a crafted serialized payload can cause unexpected classes, methods, or execution paths to run during object reconstruction. An attacker may be able to turn what appears to be application data into instructions executed by the server process.
Microsoft’s CVSS vector is unusually direct: network-accessible, low attack complexity, no privileges required, and no user interaction required. The scope remains unchanged, but Microsoft assigns high impact ratings across data confidentiality, data integrity, and service availability.
For defenders, that combination should outweigh the absence of a detailed public exploit narrative. An internet-facing SharePoint server is a valuable foothold because it commonly has access to business documents, directory-integrated identities, databases, service accounts, and other internal systems.
A compromised SharePoint worker process could be used to deploy a web shell, steal configuration material, alter hosted content, access stored documents, or begin lateral movement. Those are potential consequences of server-side code execution, not evidence that Microsoft has observed those exact activities through CVE-2026-58644.
The technical details published so far remain limited. Microsoft has confirmed the root weakness and affected versions, but the public record does not identify the vulnerable SharePoint endpoint, the required payload format, or a proof-of-concept exploit.
It is not. Report confidence describes the credibility and completeness of the vulnerability information: Microsoft, as the product vendor and CVE numbering authority, has confirmed that the flaw exists and has mapped it to specific affected builds.
The exploit-maturity portion of the current CVSS data is marked unproven. At publication time, CVE-2026-58644 was not identified as one of the July vulnerabilities known to be exploited or publicly disclosed before patches became available.
That should not be confused with CVE-2026-56164, a separate SharePoint Server elevation-of-privilege vulnerability included in the same July 2026 security release. Microsoft and Patch Tuesday reporting identify CVE-2026-56164 as exploited in the wild; CVE-2026-58644 is the critical deserialization RCE discussed here.
The distinction affects incident-response decisions, but it should not push CVE-2026-58644 into a routine patch queue. Its unauthenticated network attack path, low stated complexity, and complete server-compromise potential make exposed systems attractive targets if working exploit details emerge.
SharePoint has also accumulated a recent history of attackers moving quickly from vulnerability disclosure to broad scanning and exploitation. Microsoft’s investigation into the 2025 ToolShell attacks documented web-shell deployment, machine-key theft, credential access, lateral movement, and ransomware activity after attackers compromised unpatched on-premises SharePoint servers. CVE-2026-58644 is a separate vulnerability, but that history demonstrates the operational value of the target.
The practical minimum is to establish whether every farm has reached or exceeded the fixed build:
Internet-facing farms deserve first priority, followed by servers reachable from partner networks, VPN pools, unmanaged devices, or broad internal segments. Restricting inbound access through a reverse proxy, web application firewall, VPN, or tightly scoped firewall rules can reduce exposure while patching is completed, but network filtering is not a substitute for reaching the fixed build.
Security teams should also monitor SharePoint and IIS for unusual POST requests, unexpected ASPX files, newly created scheduled tasks, suspicious child processes launched by
The unusual chronology is the key operational detail: CVE-2026-58644 was disclosed on July 14, but its fixed versions correspond to Microsoft’s June 9, 2026 SharePoint updates. Farms already at those builds can document their protection, while any server below them should be treated as an urgent patching target rather than waiting for another July-specific SharePoint package.
Published through the Microsoft Security Response Center on July 14, 2026, the vulnerability stems from deserialization of untrusted data in Microsoft Office SharePoint. Microsoft’s record says a successful attacker could execute code remotely, with potentially high impact to confidentiality, integrity, and availability.
The affected-product data points to updates Microsoft released on June 9, rather than a new set of SharePoint packages issued with July Patch Tuesday. That means administrators who installed the June 2026 SharePoint security updates may already have the relevant fix, but farms below Microsoft’s specified build levels remain exposed.
Three On-Premises SharePoint Releases Are Affected
CVE-2026-58644 applies to all three supported branches of Microsoft’s on-premises collaboration platform:- Microsoft SharePoint Enterprise Server 2016 builds earlier than 16.0.5556.1005 are affected.
- Microsoft SharePoint Server 2019 builds earlier than 16.0.10417.20153 are affected.
- Microsoft SharePoint Server Subscription Edition builds earlier than 16.0.19725.20384 are affected.
The fixed build for SharePoint Server 2016 is delivered through the June 9 security update KB5002880, with KB5002881 covering the corresponding language-pack components. SharePoint Server 2019 reaches build 16.0.10417.20153 through KB5002874, while SharePoint Server Subscription Edition reaches build 16.0.19725.20384 through KB5002873.
SharePoint updates are cumulative, so a newer properly installed update should also contain the correction. Administrators should nevertheless verify actual farm build levels rather than assuming that Windows Update, Configuration Manager, or a third-party deployment platform completed every stage of the SharePoint servicing process.
That distinction matters because installing update binaries is not always the end of a SharePoint maintenance window. Farm administrators must confirm that required configuration actions completed across every server and that no node was left on an older patch level.
Deserialization Turns a Network Request Into Code Execution
Microsoft classifies CVE-2026-58644 under CWE-502, deserialization of untrusted data. Deserialization vulnerabilities arise when an application reconstructs objects from attacker-controlled input without adequately restricting or validating what those objects can do.In a vulnerable server application, a crafted serialized payload can cause unexpected classes, methods, or execution paths to run during object reconstruction. An attacker may be able to turn what appears to be application data into instructions executed by the server process.
Microsoft’s CVSS vector is unusually direct: network-accessible, low attack complexity, no privileges required, and no user interaction required. The scope remains unchanged, but Microsoft assigns high impact ratings across data confidentiality, data integrity, and service availability.
For defenders, that combination should outweigh the absence of a detailed public exploit narrative. An internet-facing SharePoint server is a valuable foothold because it commonly has access to business documents, directory-integrated identities, databases, service accounts, and other internal systems.
A compromised SharePoint worker process could be used to deploy a web shell, steal configuration material, alter hosted content, access stored documents, or begin lateral movement. Those are potential consequences of server-side code execution, not evidence that Microsoft has observed those exact activities through CVE-2026-58644.
The technical details published so far remain limited. Microsoft has confirmed the root weakness and affected versions, but the public record does not identify the vulnerable SharePoint endpoint, the required payload format, or a proof-of-concept exploit.
Confirmation Does Not Mean Exploitation
The vulnerability’s available scoring data includes a report confidence value indicating that the weakness and its technical classification are confirmed. That metric is sometimes mistaken for a measure of how confident Microsoft is that attackers are exploiting the bug.It is not. Report confidence describes the credibility and completeness of the vulnerability information: Microsoft, as the product vendor and CVE numbering authority, has confirmed that the flaw exists and has mapped it to specific affected builds.
The exploit-maturity portion of the current CVSS data is marked unproven. At publication time, CVE-2026-58644 was not identified as one of the July vulnerabilities known to be exploited or publicly disclosed before patches became available.
That should not be confused with CVE-2026-56164, a separate SharePoint Server elevation-of-privilege vulnerability included in the same July 2026 security release. Microsoft and Patch Tuesday reporting identify CVE-2026-56164 as exploited in the wild; CVE-2026-58644 is the critical deserialization RCE discussed here.
The distinction affects incident-response decisions, but it should not push CVE-2026-58644 into a routine patch queue. Its unauthenticated network attack path, low stated complexity, and complete server-compromise potential make exposed systems attractive targets if working exploit details emerge.
SharePoint has also accumulated a recent history of attackers moving quickly from vulnerability disclosure to broad scanning and exploitation. Microsoft’s investigation into the 2025 ToolShell attacks documented web-shell deployment, machine-key theft, credential access, lateral movement, and ransomware activity after attackers compromised unpatched on-premises SharePoint servers. CVE-2026-58644 is a separate vulnerability, but that history demonstrates the operational value of the target.
The June Build Number Is the Fastest Triage Test
Administrators should first inventory every SharePoint server, including application servers and nodes that are not directly internet-facing. Checking only the front-end server or the update status of the underlying Windows Server installation is insufficient.The practical minimum is to establish whether every farm has reached or exceeded the fixed build:
- SharePoint Server 2016 must be at build 16.0.5556.1005 or later.
- SharePoint Server 2019 must be at build 16.0.10417.20153 or later.
- SharePoint Server Subscription Edition must be at build 16.0.19725.20384 or later.
Internet-facing farms deserve first priority, followed by servers reachable from partner networks, VPN pools, unmanaged devices, or broad internal segments. Restricting inbound access through a reverse proxy, web application firewall, VPN, or tightly scoped firewall rules can reduce exposure while patching is completed, but network filtering is not a substitute for reaching the fixed build.
Security teams should also monitor SharePoint and IIS for unusual POST requests, unexpected ASPX files, newly created scheduled tasks, suspicious child processes launched by
w3wp.exe, and unexplained changes to configuration or machine-key material. Those checks are general hunting measures for possible SharePoint compromise; Microsoft has not yet published CVE-2026-58644-specific indicators of compromise.The unusual chronology is the key operational detail: CVE-2026-58644 was disclosed on July 14, but its fixed versions correspond to Microsoft’s June 9, 2026 SharePoint updates. Farms already at those builds can document their protection, while any server below them should be treated as an urgent patching target rather than waiting for another July-specific SharePoint package.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for SharePoint Enterprise Server 2016: July 8, 2025 (KB5002744) | Microsoft Support
Description of the security update for SharePoint Enterprise Server 2016: July 8, 2025 (KB5002744)support.microsoft.com - Official source: microsoft.com
Disrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog
Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities...www.microsoft.com - Related coverage: caloes.ca.gov
</rdf:Alt> </dc:title> <dc:description> <rdf:Alt> <rdf:li xml:lang="x-default"/> </rdf:Alt> </dc:description> <dc:creator> <rdf:Seq> <rdf:li>(Contra
</rdf:Alt> </dc:description> <dc:creator> <rdf:Seq> <rdf:li>(Contractor) Melanie, Barlow@CalOESwww.caloes.ca.gov
- Related coverage: techradar.com
Microsoft 365 Copilot can be turned into a one-click data theft tool — inbox, OneDrive, and SharePoint data all at risk, so patch now | TechRadar
Varonis found a way to chain three bugs into one exploitwww.techradar.com - Related coverage: tomshardware.com
Microsoft says China-based hackers exploiting critical SharePoint vulnerabilities to deploy Warlock ransomware — three China-affiliated threat actors seen taking advantage | Tom's Hardware
The company has attributed these attacks to a group it calls Storm-2603.www.tomshardware.com