SharePoint unauthenticated RCE exploited (CVE-2026-58644)
CVE-2026-58644
CVE-2026-58644: Critical deserialization RCE in Microsoft Office SharePoint, actively exploited, CVSS 9.8. No authentication required. Apply the July 2026 Patch Tuesday update immediately.
Actively exploited in the wild - CVE-2026-58644 is a critical deserialization vulnerability in Microsoft Office SharePoint Server that grants unauthenticated remote code execution over the network. Patched in the July 2026 Security Update; apply immediately.
Overview
CVE-2026-58644 is a deserialization of untrusted data flaw affecting Microsoft Office SharePoint Server. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted network request to an affected SharePoint server. Because the attack requires no user interaction, no authentication, and has a low complexity score (CVSS 9.8), it is trivial for adversaries to weaponize at scale.
The vulnerability, confirmed by CISA on the Known Exploited Vulnerabilities (KEV) catalog, is already being actively exploited in the wild. The Exploit Prediction Scoring System (EPSS) estimates a 1.3% probability of exploitation within the next 30 days, which is notably high and suggests ongoing or imminent threat activity.
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code with the privileges of the SharePoint application pool. This typically grants SYSTEM-level access on the web server, enabling attackers to:
- Install backdoors and malware
- Exfiltrate sensitive documents and databases
- Move laterally across the internal network
- Disrupt SharePoint services or use the server as a pivot point for broader attacks
Organizations using Microsoft Office SharePoint Server (all supported versions) are at immediate risk.
Remediation
Microsoft has released a security update as part of the July 2026 Patch Tuesday cycle. Administrators should:
- Apply the latest cumulative update for SharePoint Server immediately.
- Prioritize this update above other patches given active exploitation and the lack of required authentication.
- Review network logs for suspicious inbound requests to SharePoint endpoints, particularly those containing serialized objects.
- Restrict network access to SharePoint servers to trusted IP ranges where possible as a temporary mitigation.
For organizations unable to patch immediately, deploy a web application firewall (WAF) rule to block known deserialization payloads, though this is not a complete replacement for the patch.
Related Threats
- Weekly Threat Roundup: Orkes Conductor RCE (June 29–July 5)
- SharePoint RCE CVE-2026-45659 added to CISA KEV
- Weekly Threat Roundup: APT28 DNS Hijacking (Apr 6-12
Security Insight
The rapid addition of CVE-2026-58644 to CISA’s KEV catalog within days of Patch Tuesday mirrors the pattern seen with CVE-2026-45659, another SharePoint RCE flaw that was exploited before a patch was widely deployed. This suggests adversaries are specifically targeting Microsoft’s enterprise collaboration platform for initial access. The deserialization vector is particularly concerning because it bypasses traditional authentication controls, and the low attack complexity means automated scanning tools will rapidly incorporate this exploit. Organizations relying on SharePoint as a document management backbone should treat this as a zero-trust boundary event and reassess how they segment server workloads.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Related Advisories
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network....
Missing authentication for critical function in Microsoft Office SharePoint allows an unauthorized attacker to elevate privileges over a network....
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network....
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from the filesystem in the FileHandler object....
Other Microsoft Sharepoint Server Vulnerabilities
Missing authentication for critical function in Microsoft Office SharePoint allows an unauthorized attacker to elevate privileges over a network....
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network....
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network....