Overview
On July 14, 2026, Microsoft published a security advisory addressing CVE-2026-58644, a critical remote code execution (RCE) vulnerability affecting on-premises Microsoft SharePoint Server deployments. The vulnerability, which carries a CVSS v3.1 score of 9.8 (Critical), results from the deserialization of untrusted data (CWE-502) and allows an unauthenticated attacker to execute arbitrary code.
Microsoft confirmed active exploitation of CVE-2026-58644, and the vulnerability was subsequently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on July 16, 2026. In parallel, CISA published guidance recommending organizations immediately apply Microsoft’s security updates and leverage Microsoft Defender and AMSI detections to identify exploitation attempts.
Affected products:
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2019
Microsoft SharePoint Server Subscription Edition
Mitigation guidance
Organizations operating affected on-premises Microsoft SharePoint Server should prioritize remediation on an emergency basis.
Microsoft’s recommendations:
Apply the July 14, 2026 security updates for all affected SharePoint versions.
Verify that security updates completed successfully across all SharePoint servers.
Ensure Antimalware Scan Interface (AMSI) integration is enabled for every SharePoint web application.
Monitor Microsoft Defender and AMSI detections for indicators of attempted exploitation.
Initiate incident response procedures if exploitation artifacts are detected.
Microsoft and CISA recommend monitoring for the following security detections associated with observed SharePoint exploitation activity.
AMSI / Microsoft Defender detections:
Exploit:Script/SuspSignoutReqBody.A
Request body scanning
SharePoint Server Subscription Edition
Microsoft reports observed exploitation attempts are blocked by this signature.
Exploit:Script/ToolPaneAuthBypass.A
Request header scanning
Applies to SharePoint Server 2016, SharePoint Server 2019, and Subscription Edition.
Exploit:Script/ToolPaneAuthBypass
At the time of publication, no public IP addresses, domains, URLs, or additional network-based indicators of compromise have been widely disclosed.
Administrators should consult Microsoft’s advisory for the most current remediation guidance and update availability.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose
Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-58644 with an authenticated vulnerability check available since the July 14 content release.
Updates
- July 17, 2026: Initial publication.

