RECONINTEL
◄ ALL POSTS
JULY 15, 2026CVSS 9.8 · CRITICAL · EXPLOITATION MORE LIKELY5 MIN READ

CVE-2026-58644: SharePoint Server Unauthenticated Deserialization RCE (July 2026 Patch Tuesday) — Find Vulnerable Instances

Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability that lets unauthenticated attackers execute arbitrary code over the network. CVSS 9.8 Critical, rated "Exploitation More Likely" by Microsoft. Part of a cluster of four critical SharePoint vulnerabilities patched on July 14, 2026 — including one already exploited in the wild and another demonstrated at Pwn2Own Berlin 2026. The same patches also address CVE-2026-56164, which is CISA KEV listed.

The Vulnerability

CVE-2026-58644 (CWE-502: Deserialization of Untrusted Data) is a remote code execution vulnerability in Microsoft SharePoint Server. An unauthenticated attacker can send a crafted request that triggers unsafe deserialization, executing arbitrary code on the server. The attack requires no authentication (PR:N), no user interaction, and has low complexity.

  • CVSS: 9.8 Critical (Microsoft v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — MSRC Advisory
  • CWE: CWE-502 (Deserialization of Untrusted Data)
  • AFFECTED: SharePoint Server Subscription Edition (below 16.0.19725.20434), SharePoint Server 2019 (below 16.0.10417.20175), SharePoint Enterprise Server 2016 (below 16.0.5561.1001)
  • FIXED: KB5002882 (Subscription Edition), KB5002883/KB5002885 (2019), KB5002891/KB5002892 (2016) — released July 14, 2026
  • EXPLOITED: Not yet confirmed in the wild — Microsoft rates "Exploitation More Likely"
  • RELATED: CVE-2026-50522 (RCE, CVSS 9.8 — demonstrated at Pwn2Own Berlin 2026), CVE-2026-56164 (auth bypass, CISA KEV), CVE-2026-55040 (security feature bypass, CVSS 9.1)

CVE-2026-58644 is one of a pair of deserialization RCE flaws patched in this batch — its twin, CVE-2026-50522, was demonstrated with a working exploit at Pwn2Own Berlin 2026. While CVE-2026-58644 itself has no confirmed in-the-wild exploitation yet, the "Exploitation More Likely" rating and the existence of a proven exploit for its sibling mean defenders should treat this as imminent.

A Cluster of Four Critical SharePoint Flaws

The July 14 patch batch addresses four critical SharePoint Server vulnerabilities that compound each other's risk:

  • CVE-2026-56164 — Missing authentication, privilege escalation. Actively exploited, CISA KEV listed.
  • CVE-2026-58644 — Deserialization RCE, CVSS 9.8. Unauthenticated. (This advisory)
  • CVE-2026-50522 — Deserialization RCE, CVSS 9.8. Unauthenticated. Pwn2Own Berlin 2026 demo.
  • CVE-2026-55040 — Security feature bypass, CVSS 9.1. First half of a two-vulnerability chain leading to unauthenticated RCE (second vulnerability embargoed until August 2026).

All four are fixed by the same cumulative KB updates. A single patch pass covers every vulnerability in this cluster.

Only On-Premises Deployments Affected

SharePoint Online (part of Microsoft 365) is not affected — only on-premises SharePoint Server deployments are vulnerable. Organizations running hybrid configurations should verify the on-premises component is patched.

Investigation Workflow

This vulnerability requires no authentication and is exploitable over the network. Any reachable SharePoint Server instance is a potential target. The detection workflow is identical to CVE-2026-56164 — the same build numbers determine vulnerability status for both.

1. Port Scan: Find SharePoint Instances

SharePoint Server runs on IIS and exposes web services on standard HTTP/HTTPS ports:

  • 443 — HTTPS (primary web application port)
  • 80 — HTTP (some deployments, often redirects to 443)
  • 2013 — SharePoint Central Administration (alternate port)
  • 32843/32844 — SharePoint service application endpoints

2. TLS Inspect: Identify SharePoint Certificates

Pull the TLS certificate on port 443. Look for:

  • • Subject CN or SAN containing sharepoint, sp, or intranet domain names
  • • Issuer from an internal Active Directory Certificate Services CA
  • • Wildcard certificates covering internal domains

3. HTTP Headers: Fingerprint SharePoint and Check Patch Level

SharePoint Server returns distinctive HTTP response headers:

  • MicrosoftSharePointTeamServices — exact build number (e.g., 16.0.19725.20434). Compare against patched versions to determine vulnerability
  • X-SharePointHealthScore — numeric value (0–10), unique to SharePoint
  • SPRequestGuid — GUID present in SharePoint responses
  • • Response body containing _layouts/15/ or _api/web

Patched build numbers: 16.0.19725.20434 (Subscription Edition), 16.0.10417.20175 (2019), 16.0.5561.1001 (2016). Builds below these are vulnerable to both this CVE and CVE-2026-56164.

4. DNS: Discover SharePoint Infrastructure

Query internal DNS for common SharePoint naming patterns: sharepoint.*, sp.*, intranet.*, portal.*, teams.*, collab.*, mysites.*. SharePoint farms often span multiple web applications with separate DNS entries.

5. CVE Lookup: Track the Full Cluster

Look up all four CVEs in this cluster: CVE-2026-58644, CVE-2026-50522, CVE-2026-56164, and CVE-2026-55040. All four are patched by the same July 14 KBs. Monitor for CVE-2026-55040's chained vulnerability, expected in August 2026, which may create a new unauthenticated RCE path if the July patches are not installed.

Cross-Reference with External Data

  • SHODAN: Search http.headers:"MicrosoftSharePointTeamServices" to find internet-exposed SharePoint instances
  • CVE LOOKUP: Track CVE-2026-58644, CVE-2026-50522, CVE-2026-56164, CVE-2026-55040 for scoring updates
  • CISA KEV: CVE-2026-56164 listed July 14, 2026 — same patch covers this CVE
  • MSRC: Microsoft Security Update Guide

Remediation

  1. Patch immediately. Install the July 14 security updates: KB5002882 (Subscription Edition), KB5002883 + KB5002885 (SharePoint 2019), KB5002891 + KB5002892 (SharePoint 2016). These cumulative updates fix all four critical SharePoint vulnerabilities in this cluster.
  2. Verify the installed build number. Check the MicrosoftSharePointTeamServices HTTP header or run (Get-SPFarm).BuildVersion in SharePoint Management Shell. Confirm builds meet or exceed: 16.0.19725.20434 (SE), 16.0.10417.20175 (2019), 16.0.5561.1001 (2016).
  3. Harden SharePoint Server. Enable AMSI (Antimalware Scan Interface) integration and set Request Body Scan mode to Full (Subscription Edition) for defense-in-depth POST payload detection.
  4. Restrict network exposure. SharePoint farms that do not need internet-facing access should be behind a reverse proxy or VPN. Unauthenticated deserialization RCE makes any network-reachable instance a target.
  5. Monitor for the August disclosure. CVE-2026-55040 is the first half of a two-vulnerability chain — the second vulnerability is embargoed until August 2026 per Rapid7. Ensure July patches are installed before that disclosure.
  6. Plan migration for SharePoint 2016/2019. July 14 is the final security update for these versions. Future vulnerabilities will go unpatched — migrate to Subscription Edition or SharePoint Online.

Every tool used in this investigation — port scan, TLS inspect, HTTP headers, DNS, CVE lookup — runs from your phone in RECON. Get it on the App Store.

Follow @hellorecon for new CVE investigations.

Sources

By Vladimir Slavin · Founder, RECON · [email protected]