CVE-2026-58644: SharePoint Server Unauthenticated Deserialization RCE (July 2026 Patch Tuesday) — Find Vulnerable Instances
Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability that lets unauthenticated attackers execute arbitrary code over the network. CVSS 9.8 Critical, rated "Exploitation More Likely" by Microsoft. Part of a cluster of four critical SharePoint vulnerabilities patched on July 14, 2026 — including one already exploited in the wild and another demonstrated at Pwn2Own Berlin 2026. The same patches also address CVE-2026-56164, which is CISA KEV listed.
The Vulnerability
CVE-2026-58644 (CWE-502: Deserialization of Untrusted Data) is a remote code execution vulnerability in Microsoft SharePoint Server. An unauthenticated attacker can send a crafted request that triggers unsafe deserialization, executing arbitrary code on the server. The attack requires no authentication (PR:N), no user interaction, and has low complexity.
- CVSS: 9.8 Critical (Microsoft v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — MSRC Advisory
- CWE: CWE-502 (Deserialization of Untrusted Data)
- AFFECTED: SharePoint Server Subscription Edition (below 16.0.19725.20434), SharePoint Server 2019 (below 16.0.10417.20175), SharePoint Enterprise Server 2016 (below 16.0.5561.1001)
- FIXED: KB5002882 (Subscription Edition), KB5002883/KB5002885 (2019), KB5002891/KB5002892 (2016) — released July 14, 2026
- EXPLOITED: Not yet confirmed in the wild — Microsoft rates "Exploitation More Likely"
- RELATED: CVE-2026-50522 (RCE, CVSS 9.8 — demonstrated at Pwn2Own Berlin 2026), CVE-2026-56164 (auth bypass, CISA KEV), CVE-2026-55040 (security feature bypass, CVSS 9.1)
CVE-2026-58644 is one of a pair of deserialization RCE flaws patched in this batch — its twin, CVE-2026-50522, was demonstrated with a working exploit at Pwn2Own Berlin 2026. While CVE-2026-58644 itself has no confirmed in-the-wild exploitation yet, the "Exploitation More Likely" rating and the existence of a proven exploit for its sibling mean defenders should treat this as imminent.
A Cluster of Four Critical SharePoint Flaws
The July 14 patch batch addresses four critical SharePoint Server vulnerabilities that compound each other's risk:
- • CVE-2026-56164 — Missing authentication, privilege escalation. Actively exploited, CISA KEV listed.
- • CVE-2026-58644 — Deserialization RCE, CVSS 9.8. Unauthenticated. (This advisory)
- • CVE-2026-50522 — Deserialization RCE, CVSS 9.8. Unauthenticated. Pwn2Own Berlin 2026 demo.
- • CVE-2026-55040 — Security feature bypass, CVSS 9.1. First half of a two-vulnerability chain leading to unauthenticated RCE (second vulnerability embargoed until August 2026).
All four are fixed by the same cumulative KB updates. A single patch pass covers every vulnerability in this cluster.
Only On-Premises Deployments Affected
SharePoint Online (part of Microsoft 365) is not affected — only on-premises SharePoint Server deployments are vulnerable. Organizations running hybrid configurations should verify the on-premises component is patched.
Investigation Workflow
This vulnerability requires no authentication and is exploitable over the network. Any reachable SharePoint Server instance is a potential target. The detection workflow is identical to CVE-2026-56164 — the same build numbers determine vulnerability status for both.
1. Port Scan: Find SharePoint Instances
SharePoint Server runs on IIS and exposes web services on standard HTTP/HTTPS ports:
- • 443 — HTTPS (primary web application port)
- • 80 — HTTP (some deployments, often redirects to 443)
- • 2013 — SharePoint Central Administration (alternate port)
- • 32843/32844 — SharePoint service application endpoints
2. TLS Inspect: Identify SharePoint Certificates
Pull the TLS certificate on port 443. Look for:
- • Subject CN or SAN containing sharepoint, sp, or intranet domain names
- • Issuer from an internal Active Directory Certificate Services CA
- • Wildcard certificates covering internal domains
3. HTTP Headers: Fingerprint SharePoint and Check Patch Level
SharePoint Server returns distinctive HTTP response headers:
- • MicrosoftSharePointTeamServices — exact build number (e.g., 16.0.19725.20434). Compare against patched versions to determine vulnerability
- • X-SharePointHealthScore — numeric value (0–10), unique to SharePoint
- • SPRequestGuid — GUID present in SharePoint responses
- • Response body containing _layouts/15/ or _api/web
Patched build numbers: 16.0.19725.20434 (Subscription Edition), 16.0.10417.20175 (2019), 16.0.5561.1001 (2016). Builds below these are vulnerable to both this CVE and CVE-2026-56164.
4. DNS: Discover SharePoint Infrastructure
Query internal DNS for common SharePoint naming patterns: sharepoint.*, sp.*, intranet.*, portal.*, teams.*, collab.*, mysites.*. SharePoint farms often span multiple web applications with separate DNS entries.
5. CVE Lookup: Track the Full Cluster
Look up all four CVEs in this cluster: CVE-2026-58644, CVE-2026-50522, CVE-2026-56164, and CVE-2026-55040. All four are patched by the same July 14 KBs. Monitor for CVE-2026-55040's chained vulnerability, expected in August 2026, which may create a new unauthenticated RCE path if the July patches are not installed.
Cross-Reference with External Data
- SHODAN: Search http.headers:"MicrosoftSharePointTeamServices" to find internet-exposed SharePoint instances
- CVE LOOKUP: Track CVE-2026-58644, CVE-2026-50522, CVE-2026-56164, CVE-2026-55040 for scoring updates
- CISA KEV: CVE-2026-56164 listed July 14, 2026 — same patch covers this CVE
- MSRC: Microsoft Security Update Guide
Remediation
- Patch immediately. Install the July 14 security updates: KB5002882 (Subscription Edition), KB5002883 + KB5002885 (SharePoint 2019), KB5002891 + KB5002892 (SharePoint 2016). These cumulative updates fix all four critical SharePoint vulnerabilities in this cluster.
- Verify the installed build number. Check the MicrosoftSharePointTeamServices HTTP header or run (Get-SPFarm).BuildVersion in SharePoint Management Shell. Confirm builds meet or exceed: 16.0.19725.20434 (SE), 16.0.10417.20175 (2019), 16.0.5561.1001 (2016).
- Harden SharePoint Server. Enable AMSI (Antimalware Scan Interface) integration and set Request Body Scan mode to Full (Subscription Edition) for defense-in-depth POST payload detection.
- Restrict network exposure. SharePoint farms that do not need internet-facing access should be behind a reverse proxy or VPN. Unauthenticated deserialization RCE makes any network-reachable instance a target.
- Monitor for the August disclosure. CVE-2026-55040 is the first half of a two-vulnerability chain — the second vulnerability is embargoed until August 2026 per Rapid7. Ensure July patches are installed before that disclosure.
- Plan migration for SharePoint 2016/2019. July 14 is the final security update for these versions. Future vulnerabilities will go unpatched — migrate to Subscription Edition or SharePoint Online.
Every tool used in this investigation — port scan, TLS inspect, HTTP headers, DNS, CVE lookup — runs from your phone in RECON. Get it on the App Store.
Follow @hellorecon for new CVE investigations.
Sources
- → Microsoft Security Update Guide: CVE-2026-58644
- → NVD: CVE-2026-58644
- → ZDI: July 2026 Security Update Review
- → Rapid7: Patch Tuesday July 2026
- → KB5002882 — SharePoint Server Subscription Edition
- → KB5002883 — SharePoint Server 2019
- → KB5002891 — SharePoint Enterprise Server 2016