Rapid7
Vulnerabilities and Exploits

CVE-2026-58644: Microsoft SharePoint Server Unauthenticated Remote Code Execution Vulnerability Exploited in the Wild

|Last updated on Jul 17, 2026|2 min read
CVE-2026-58644: Microsoft SharePoint Server Unauthenticated Remote Code Execution Vulnerability Exploited in the Wild

Overview

On July 14, 2026, Microsoft published a security advisory addressing CVE-2026-58644, a critical remote code execution (RCE) vulnerability affecting on-premises Microsoft SharePoint Server deployments. The vulnerability, which carries a CVSS v3.1 score of 9.8 (Critical), results from the deserialization of untrusted data (CWE-502) and allows an unauthenticated attacker to execute arbitrary code.

Microsoft confirmed active exploitation of CVE-2026-58644, and the vulnerability was subsequently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on July 16, 2026. In parallel, CISA published guidance recommending organizations immediately apply Microsoft’s security updates and leverage Microsoft Defender and AMSI detections to identify exploitation attempts.

Affected products:

  • Microsoft SharePoint Enterprise Server 2016

  • Microsoft SharePoint Server 2019

  • Microsoft SharePoint Server Subscription Edition

Mitigation guidance

Organizations operating affected on-premises Microsoft SharePoint Server should prioritize remediation on an emergency basis.

Microsoft’s recommendations:

  • Apply the July 14, 2026 security updates for all affected SharePoint versions.

  • Verify that security updates completed successfully across all SharePoint servers.

  • Ensure Antimalware Scan Interface (AMSI) integration is enabled for every SharePoint web application.

  • Monitor Microsoft Defender and AMSI detections for indicators of attempted exploitation.

  • Initiate incident response procedures if exploitation artifacts are detected.

Microsoft and CISA recommend monitoring for the following security detections associated with observed SharePoint exploitation activity.

AMSI / Microsoft Defender detections:

  • Exploit:Script/SuspSignoutReqBody.A

  • Request body scanning

  • SharePoint Server Subscription Edition

  • Microsoft reports observed exploitation attempts are blocked by this signature.

  • Exploit:Script/ToolPaneAuthBypass.A

  • Request header scanning

  • Applies to SharePoint Server 2016, SharePoint Server 2019, and Subscription Edition.

  • Exploit:Script/ToolPaneAuthBypass

At the time of publication, no public IP addresses, domains, URLs, or additional network-based indicators of compromise have been widely disclosed.

Administrators should consult Microsoft’s advisory for the most current remediation guidance and update availability.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-58644 with an authenticated vulnerability check available since the July 14 content release.

Updates

  • July 17, 2026: Initial publication.
LinkedInFacebookXBluesky