Critical (9.8) Actively Exploited

SharePoint unauthenticated RCE exploited (CVE-2026-58644)

CVE-2026-58644

CVE-2026-58644: Critical deserialization RCE in Microsoft Office SharePoint, actively exploited, CVSS 9.8. No authentication required. Apply the July 2026 Patch Tuesday update immediately.

Affected: Microsoft Sharepoint Server

Actively exploited in the wild - CVE-2026-58644 is a critical deserialization vulnerability in Microsoft Office SharePoint Server that grants unauthenticated remote code execution over the network. Patched in the July 2026 Security Update; apply immediately.

Overview

CVE-2026-58644 is a deserialization of untrusted data flaw affecting Microsoft Office SharePoint Server. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted network request to an affected SharePoint server. Because the attack requires no user interaction, no authentication, and has a low complexity score (CVSS 9.8), it is trivial for adversaries to weaponize at scale.

The vulnerability, confirmed by CISA on the Known Exploited Vulnerabilities (KEV) catalog, is already being actively exploited in the wild. The Exploit Prediction Scoring System (EPSS) estimates a 1.3% probability of exploitation within the next 30 days, which is notably high and suggests ongoing or imminent threat activity.

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code with the privileges of the SharePoint application pool. This typically grants SYSTEM-level access on the web server, enabling attackers to:

  • Install backdoors and malware
  • Exfiltrate sensitive documents and databases
  • Move laterally across the internal network
  • Disrupt SharePoint services or use the server as a pivot point for broader attacks

Organizations using Microsoft Office SharePoint Server (all supported versions) are at immediate risk.

Remediation

Microsoft has released a security update as part of the July 2026 Patch Tuesday cycle. Administrators should:

  1. Apply the latest cumulative update for SharePoint Server immediately.
  2. Prioritize this update above other patches given active exploitation and the lack of required authentication.
  3. Review network logs for suspicious inbound requests to SharePoint endpoints, particularly those containing serialized objects.
  4. Restrict network access to SharePoint servers to trusted IP ranges where possible as a temporary mitigation.

For organizations unable to patch immediately, deploy a web application firewall (WAF) rule to block known deserialization payloads, though this is not a complete replacement for the patch.

Security Insight

The rapid addition of CVE-2026-58644 to CISA’s KEV catalog within days of Patch Tuesday mirrors the pattern seen with CVE-2026-45659, another SharePoint RCE flaw that was exploited before a patch was widely deployed. This suggests adversaries are specifically targeting Microsoft’s enterprise collaboration platform for initial access. The deserialization vector is particularly concerning because it bypasses traditional authentication controls, and the low attack complexity means automated scanning tools will rapidly incorporate this exploit. Organizations relying on SharePoint as a document management backbone should treat this as a zero-trust boundary event and reassess how they segment server workloads.

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Related Advisories

Other Microsoft Sharepoint Server Vulnerabilities

View all Microsoft Sharepoint Server vulnerabilities →

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.