Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-58644

Microsoft SharePoint deserialization of untrusted data (unauth RCE)

A critical unauthenticated deserialization RCE in on-prem Microsoft Office SharePoint (CVE-2026-58644, CVSS 9.8). Patched July 14 in Microsoft's July 2026 updates; added to CISA KEV on July 16.

cat cve-2026-58644.json
Vendor
Microsoft
Product
SharePoint Server 2016 / 2019 / Subscription Edition
CVSS
9.8
EPSS (exploit probability)
N/A
Status
kev
Published

CVE-2026-58644 is a CWE-502 deserialization-of-untrusted-data vulnerability in on-premises Microsoft Office SharePoint that lets an unauthenticated attacker execute code over a network. CVSS 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Microsoft published the fix on 2026-07-14 in its July 2026 security updates; CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-07-16, starting a federal-civilian remediation clock under BOD 26-04.

Affected builds

Per NVD — patched versions, apply at or above:

  • SharePoint Server Subscription Edition (x64) — 16.0.19725.20384
  • SharePoint Server 2019 (x64) — 16.0.10417.20153
  • SharePoint Enterprise Server 2016 (x64) — 16.0.5556.1005

Anything below those build numbers is exposed. Microsoft’s authoritative reference is the MSRC advisory for CVE-2026-58644.

What to do

Apply the July 2026 SharePoint update if you haven’t already; the fix has been out for two days. If your farm is Internet-exposed and was unpatched between July 14 and now, treat it as possible-compromise rather than routine patching — the same IIS machineKey theft and web-shell drop patterns CISA called out on the three earlier SharePoint KEV entries this week apply to this class of bug too. Roll the machine keys, review sign-in logs, and look for web shells in the SharePoint LAYOUTS directory before calling the incident closed.