>samit_hota
Back to advisories
SH-2026-134CriticalOpen

Critical SharePoint RCE (CVE-2026-58644) Actively Exploited – Immediate Action Required

Samit Hota·
CVE ID
CVE-2026-58644
CVSS Score
9.8
Affected Products
Microsoft SharePoint
#kev#microsoft

Overview

Today marks a critical juncture for organizations running on-premises Microsoft SharePoint Server deployments. A deserialization of untrusted data vulnerability, tracked as CVE-2026-58644, has been identified in Microsoft SharePoint, allowing an unauthenticated attacker to execute arbitrary code over the network. This vulnerability carries a maximum CVSSv3.1 score of 9.8 (CRITICAL), reflecting the severe risk it poses. Initially disclosed as part of the July 2026 Patch Tuesday, CISA has now confirmed active exploitation of this flaw and added it to their Known Exploited Vulnerabilities (KEV) Catalog as of July 16, 2026. This mandates immediate action, as outlined by CISA’s Binding Operational Directive (BOD) 26-04, with a remediation deadline of July 19, 2026.

Technical Details

CVE-2026-58644 is categorized as a Deserialization of Untrusted Data vulnerability, mapping to CWE-502. This class of vulnerability arises when an application reconstructs objects from attacker-controlled input without sufficient validation or restriction on what those objects can do. In the context of SharePoint, an unauthenticated attacker can send a specially crafted network request containing a malicious serialized payload. When the vulnerable SharePoint server attempts to deserialize this data, it can inadvertently trigger unexpected classes, methods, or execution paths, ultimately leading to arbitrary code execution on the underlying server.

The exploitability of this flaw is particularly alarming due to its low attack complexity, requiring no prior authentication or user interaction. This means an attacker can target any internet-facing SharePoint instance running a vulnerable version directly over the network to achieve full remote code execution. Successful exploitation grants the attacker complete control over the compromised SharePoint server, impacting confidentiality, integrity, and availability.

The vulnerability affects all supported on-premises editions of SharePoint Server, specifically Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. It’s crucial to note that SharePoint Online (Microsoft 365) is not impacted by this particular vulnerability.

Real-World Impact

The inclusion of CVE-2026-58644 in CISA’s KEV Catalog on July 16, 2026, confirms that this vulnerability is not merely theoretical but is actively being exploited in the wild. This elevates the urgency significantly. Organizations must assume that adversaries are already scanning for and attempting to exploit this flaw against internet-exposed SharePoint deployments.

The historical context of SharePoint vulnerabilities further underscores the severity. SharePoint servers have consistently been high-value targets for various threat actors. Microsoft’s previous investigations into incidents like the 2025 “ToolShell” attacks, which involved web-shell deployment, machine-key theft, credential access, lateral movement, and even ransomware activity following SharePoint compromises, illustrate the potential cascading impact of such breaches. While those were different vulnerabilities, they establish a clear pattern: attackers move rapidly from disclosure to widespread exploitation of critical SharePoint flaws. Indeed, Shadowserver currently tracks nearly 10,000 internet-exposed Microsoft SharePoint servers globally, highlighting the vast attack surface available to adversaries.

Given the nature of a deserialization RCE, a successful attack could lead to unauthorized access to sensitive documents, modification of hosted content, or the establishment of persistent backdoors on enterprise networks. This makes SharePoint a prime target for initial access into an organization’s internal infrastructure, facilitating data exfiltration, lateral movement, and potentially broader system compromise.

Threat Landscape

The threat landscape surrounding critical SharePoint vulnerabilities is characterized by rapid weaponization and diverse threat actors. While specific threat actors linked directly to the active exploitation of CVE-2026-58644 are not yet publicly detailed beyond “cyber threat actors,” the history of SharePoint exploitation is rich with sophisticated adversaries. For instance, Microsoft has previously observed Chinese nation-state actors such as Linen Typhoon and Violet Typhoon, alongside another China-based group tracked as Storm-2603, actively exploiting other SharePoint vulnerabilities. This demonstrates the strategic importance of SharePoint as a target for nation-state espionage and other advanced persistent threats (APTs).

The recurring pattern of critical deserialization vulnerabilities in SharePoint, including several in 2025 and 2026 such as CVE-2026-20963 and multiple RCEs in May 2026, suggests an ongoing architectural weakness that makes these servers attractive targets. The rapid addition of CVE-2026-58644 to the KEV catalog, alongside other recently exploited SharePoint flaws (CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164), indicates a concerted effort by attackers to compromise these platforms. The low complexity and lack of authentication required for exploitation mean that even less sophisticated threat actors can leverage this vulnerability effectively once public exploit code becomes available, further broadening the threat. Microsoft’s own assessment that “Exploitation More Likely” is a strong indicator of the perceived risk.

Remediation

Immediate and decisive action is paramount to mitigate the risk posed by CVE-2026-58644. The primary remediation is to apply the security updates provided by Microsoft without delay. Microsoft has released patches addressing this vulnerability for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.

Organizations subject to CISA’s Binding Operational Directive (BOD) 26-04, “Prioritizing Security Updates Based on Risk,” must adhere to strict timelines. Given that CVE-2026-58644 is a publicly exposed, actively exploited vulnerability that grants total control without authentication, it falls into the highest priority category under BOD 26-04. This mandates remediation within three calendar days of its inclusion in the KEV catalog, which was July 16, 2026. Therefore, the remediation deadline for federal agencies and other critical infrastructure is July 19, 2026.

Furthermore, BOD 26-04 requires a mandatory “forensic triage” for such high-risk, exploited vulnerabilities to assess whether the system has already been compromised. This involves:

  • Activating incident response teams immediately upon KEV notification.
  • Scoping the notification to identify impacted systems and services.
  • Conducting indicator-of-compromise (IoC) sweeps in logs and other telemetry.
  • Producing a forensic triage report within 48-72 hours.

Beyond patching, organizations should consider these additional defensive measures:

  • Restrict Network Access: Limit external network exposure of SharePoint servers using firewalls or Web Application Firewalls (WAFs) to block untrusted external traffic to SharePoint endpoints until patches are fully deployed.
  • Inventory and Prioritize: Accurately inventory all SharePoint servers, including application servers and non-internet-facing nodes, and prioritize patching based on internet exposure.
  • Enable AMSI Integration: Ensure Antimalware Scan Interface (AMSI) integration is enabled for all SharePoint web applications, configured for “Full Mode” request body scanning where feasible, to enhance detection of exploitation attempts.
  • Monitor for Exploitation: Implement continuous monitoring for anomalous SharePoint process behavior and signs of exploitation or unusual activity. This includes utilizing Microsoft Defender Antivirus (MDAV) detections for known exploit patterns.
  • Rotate Credentials: After patching, rotate machine keys and service account credentials to invalidate any pre-existing attacker-staged payloads.

Organizations should not delay patching this critical vulnerability. Failure to act swiftly significantly increases the risk of a severe breach.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call