CVE-2026-58644: Patch Critical SharePoint RCE With June Updates

Microsoft has disclosed CVE-2026-58644, a critical unauthenticated remote code execution vulnerability affecting supported on-premises editions of SharePoint Server. The flaw carries a CVSS 3.1 base score of 9.8 and can reportedly be exploited over a network without credentials or user interaction.
Published through the Microsoft Security Response Center on July 14, 2026, the vulnerability stems from deserialization of untrusted data in Microsoft Office SharePoint. Microsoft’s record says a successful attacker could execute code remotely, with potentially high impact to confidentiality, integrity, and availability.
The affected-product data points to updates Microsoft released on June 9, rather than a new set of SharePoint packages issued with July Patch Tuesday. That means administrators who installed the June 2026 SharePoint security updates may already have the relevant fix, but farms below Microsoft’s specified build levels remain exposed.

A security dashboard shows patched SharePoint servers facing an external threat labeled CVE-2026-58644.Three On-Premises SharePoint Releases Are Affected​

CVE-2026-58644 applies to all three supported branches of Microsoft’s on-premises collaboration platform:
  • Microsoft SharePoint Enterprise Server 2016 builds earlier than 16.0.5556.1005 are affected.
  • Microsoft SharePoint Server 2019 builds earlier than 16.0.10417.20153 are affected.
  • Microsoft SharePoint Server Subscription Edition builds earlier than 16.0.19725.20384 are affected.
The vulnerability record does not list SharePoint Online in Microsoft 365 as an affected product. The immediate exposure therefore sits with organizations operating their own SharePoint farms on Windows Server, particularly deployments reachable from the public internet or from less-trusted internal network segments.
The fixed build for SharePoint Server 2016 is delivered through the June 9 security update KB5002880, with KB5002881 covering the corresponding language-pack components. SharePoint Server 2019 reaches build 16.0.10417.20153 through KB5002874, while SharePoint Server Subscription Edition reaches build 16.0.19725.20384 through KB5002873.
SharePoint updates are cumulative, so a newer properly installed update should also contain the correction. Administrators should nevertheless verify actual farm build levels rather than assuming that Windows Update, Configuration Manager, or a third-party deployment platform completed every stage of the SharePoint servicing process.
That distinction matters because installing update binaries is not always the end of a SharePoint maintenance window. Farm administrators must confirm that required configuration actions completed across every server and that no node was left on an older patch level.

Deserialization Turns a Network Request Into Code Execution​

Microsoft classifies CVE-2026-58644 under CWE-502, deserialization of untrusted data. Deserialization vulnerabilities arise when an application reconstructs objects from attacker-controlled input without adequately restricting or validating what those objects can do.
In a vulnerable server application, a crafted serialized payload can cause unexpected classes, methods, or execution paths to run during object reconstruction. An attacker may be able to turn what appears to be application data into instructions executed by the server process.
Microsoft’s CVSS vector is unusually direct: network-accessible, low attack complexity, no privileges required, and no user interaction required. The scope remains unchanged, but Microsoft assigns high impact ratings across data confidentiality, data integrity, and service availability.
For defenders, that combination should outweigh the absence of a detailed public exploit narrative. An internet-facing SharePoint server is a valuable foothold because it commonly has access to business documents, directory-integrated identities, databases, service accounts, and other internal systems.
A compromised SharePoint worker process could be used to deploy a web shell, steal configuration material, alter hosted content, access stored documents, or begin lateral movement. Those are potential consequences of server-side code execution, not evidence that Microsoft has observed those exact activities through CVE-2026-58644.
The technical details published so far remain limited. Microsoft has confirmed the root weakness and affected versions, but the public record does not identify the vulnerable SharePoint endpoint, the required payload format, or a proof-of-concept exploit.

Confirmation Does Not Mean Exploitation​

The vulnerability’s available scoring data includes a report confidence value indicating that the weakness and its technical classification are confirmed. That metric is sometimes mistaken for a measure of how confident Microsoft is that attackers are exploiting the bug.
It is not. Report confidence describes the credibility and completeness of the vulnerability information: Microsoft, as the product vendor and CVE numbering authority, has confirmed that the flaw exists and has mapped it to specific affected builds.
The exploit-maturity portion of the current CVSS data is marked unproven. At publication time, CVE-2026-58644 was not identified as one of the July vulnerabilities known to be exploited or publicly disclosed before patches became available.
That should not be confused with CVE-2026-56164, a separate SharePoint Server elevation-of-privilege vulnerability included in the same July 2026 security release. Microsoft and Patch Tuesday reporting identify CVE-2026-56164 as exploited in the wild; CVE-2026-58644 is the critical deserialization RCE discussed here.
The distinction affects incident-response decisions, but it should not push CVE-2026-58644 into a routine patch queue. Its unauthenticated network attack path, low stated complexity, and complete server-compromise potential make exposed systems attractive targets if working exploit details emerge.
SharePoint has also accumulated a recent history of attackers moving quickly from vulnerability disclosure to broad scanning and exploitation. Microsoft’s investigation into the 2025 ToolShell attacks documented web-shell deployment, machine-key theft, credential access, lateral movement, and ransomware activity after attackers compromised unpatched on-premises SharePoint servers. CVE-2026-58644 is a separate vulnerability, but that history demonstrates the operational value of the target.

The June Build Number Is the Fastest Triage Test​

Administrators should first inventory every SharePoint server, including application servers and nodes that are not directly internet-facing. Checking only the front-end server or the update status of the underlying Windows Server installation is insufficient.
The practical minimum is to establish whether every farm has reached or exceeded the fixed build:
  • SharePoint Server 2016 must be at build 16.0.5556.1005 or later.
  • SharePoint Server 2019 must be at build 16.0.10417.20153 or later.
  • SharePoint Server Subscription Edition must be at build 16.0.19725.20384 or later.
Organizations that installed the June 9 packages should validate successful deployment and run the appropriate SharePoint configuration process where required by their servicing procedure. Failed configuration jobs, missing language-pack updates, servers omitted from maintenance, and incomplete farm rollouts can all leave inconsistent versions behind.
Internet-facing farms deserve first priority, followed by servers reachable from partner networks, VPN pools, unmanaged devices, or broad internal segments. Restricting inbound access through a reverse proxy, web application firewall, VPN, or tightly scoped firewall rules can reduce exposure while patching is completed, but network filtering is not a substitute for reaching the fixed build.
Security teams should also monitor SharePoint and IIS for unusual POST requests, unexpected ASPX files, newly created scheduled tasks, suspicious child processes launched by w3wp.exe, and unexplained changes to configuration or machine-key material. Those checks are general hunting measures for possible SharePoint compromise; Microsoft has not yet published CVE-2026-58644-specific indicators of compromise.
The unusual chronology is the key operational detail: CVE-2026-58644 was disclosed on July 14, but its fixed versions correspond to Microsoft’s June 9, 2026 SharePoint updates. Farms already at those builds can document their protection, while any server below them should be treated as an urgent patching target rather than waiting for another July-specific SharePoint package.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Official source: microsoft.com
  4. Related coverage: caloes.ca.gov
  5. Related coverage: techradar.com
  6. Related coverage: tomshardware.com
 

Back
Top