Back to Intelligence

CVE-2026-58644: Microsoft SharePoint Server Unauthenticated RCE — Detection and Defense

SA
Security Arsenal Team
July 19, 2026
6 min read

A critical security vulnerability, CVE-2026-58644, has been identified in Microsoft SharePoint Server. This unauthenticated remote code execution (RCE) flaw is currently being exploited in the wild, posing an immediate and severe threat to enterprises leveraging SharePoint for collaboration and document management.

As this vulnerability requires no authentication, attackers can leverage it to gain complete control over susceptible servers simply by sending a specially crafted network request. Given the widespread use of SharePoint in corporate environments and the high value of the data stored within, security teams must treat this as a critical incident. Immediate patching and network segmentation are required to defend against active scanning and exploitation campaigns.

Technical Analysis

Affected Products:

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server 2016 (Note: Refer to the official Microsoft advisory for the specific specific Update Rollup and Cumulative Update versions required.)

Vulnerability Details:

  • CVE ID: CVE-2026-58644
  • CVSS Score: 9.8 (Critical)
  • Vector: Network (N)
  • Complexity: Low (L)
  • Privileges Required: None (N)
  • User Interaction: None (N)

Mechanism of Exploitation: The vulnerability exists in how Microsoft SharePoint Server handles specific serialized objects within incoming HTTP requests. An attacker can send a malicious packet to a vulnerable SharePoint endpoint—often related to the web application's API or file parsing components—triggering a deserialization failure that corrupts the memory state.

By carefully crafting the payload, the attacker can control the execution flow, resulting in remote code execution with the privileges of the SharePoint application pool (typically SYSTEM or a highly privileged service account). The attack chain is as follows:

  1. Reconnaissance: Attacker scans TCP port 443 (HTTPS) identifying SharePoint servers.
  2. Exploitation: Attacker sends a malicious POST request to the vulnerable endpoint.
  3. Execution: The server deserializes the payload, executing shellcode or loading a malicious DLL.
  4. Persistence: The attacker installs a web shell or establishes a reverse shell to the server for lateral movement.

Exploitation Status: Active exploitation has been confirmed in the wild. Threat actors are leveraging this vulnerability to deploy web shells and ransomware payloads rapidly following initial access.

Detection & Response

SIGMA Rules

YAML
---
title: SharePoint Unauthenticated RCE CVE-2026-58644 - w3wp.exe Spawning Shell
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects potential exploitation of CVE-2026-58644 by identifying the SharePoint worker process spawning a command shell or PowerShell.
references:
  - https://securityarsenal.com/blog/cve-2026-58644
author: Security Arsenal
date: 2026/04/20
tags:
  - attack.execution
  - attack.t1059.001
  - cve.2026.58644
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\w3wp.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  filter_legit:
    # Optional: Filter out known maintenance tasks if necessary, but default to alert on all w3wp spawns
    CommandLine|contains: 'authorized_script_path' 
  condition: selection and not filter_legit
falsepositives:
  - Legitimate administrative debugging (rare for w3wp)
level: critical
---
title: SharePoint Suspicious Child Process - Network Tooling
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects w3wp.exe spawning network utilities often used for reverse shells or data exfiltration post-exploitation.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/20
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\w3wp.exe'
    Image|endswith:
      - '\curl.exe'
      - '\wget.exe'
      - '\certutil.exe'
  condition: selection
falsepositives:
  - Unknown
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for SharePoint worker process spawning suspicious shells
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName =~ "w3wp.exe"
| where ProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious processes spawned by the SharePoint Worker Process
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, Parent.Pid AS ParentPid, Parent.Name AS ParentName
FROM pslist()
WHERE Parent.Name =~ 'w3wp.exe'
  AND Name IN ('cmd.exe', 'powershell.exe', 'pwsh.exe', 'bash.exe')

Remediation Script (PowerShell)

PowerShell
# CVE-2026-58644 Remediation & Verification Script
# Run as Administrator on the SharePoint Server

Write-Host "Checking SharePoint Build Version for CVE-2026-58644..." -ForegroundColor Cyan

# Get the SharePoint Build Version via the registry
$sharePointRegistryPath = "HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions"
if (Test-Path $sharePointRegistryPath) {
    # Iterate through installed versions
    $versions = Get-ChildItem $sharePointRegistryPath
    foreach ($version in $versions) {
        $versionNumber = $version.PSChildName
        $buildPath = Join-Path $version.PSPath "BuildVersion"
        if (Test-Path $buildPath) {
            $currentBuild = (Get-ItemProperty $buildPath)."(default)"
            Write-Host "Found SharePoint Version: $versionNumber - Build: $currentBuild" -ForegroundColor Yellow
            
            # Compare against known patched versions (Placeholder - replace with actual KB targets)
            $patchedBuild = "16.0.17000.00000" 
            if ([version]$currentBuild -lt [version]$patchedBuild) {
                Write-Host "[ALERT] System is vulnerable to CVE-2026-58644. Current build $currentBuild is below patched baseline $patchedBuild." -ForegroundColor Red
            } else {
                Write-Host "[OK] System appears patched against CVE-2026-58644." -ForegroundColor Green
            }
        }
    }
} else {
    Write-Host "SharePoint Registry keys not found. Is SharePoint installed on this server?" -ForegroundColor Red
}

# Check for suspicious w3wp.exe child processes (Immediate IOC Check)
Write-Host "\nChecking for active exploitation indicators (w3wp spawning shells)..." -ForegroundColor Cyan
$suspiciousProcesses = Get-CimInstance Win32_Process | Where-Object { 
    $_.ParentProcessId -ne 0 -and 
    (Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue).ProcessName -eq 'w3wp' -and 
    $_.Name -in ('cmd.exe', 'powershell.exe', 'pwsh.exe')
}

if ($suspiciousProcesses) {
    Write-Host "[CRITICAL] Suspicious activity detected! w3wp.exe is spawning shells:" -ForegroundColor Red
    $suspiciousProcesses | Format-Table Name, ProcessId, ParentProcessId, CommandLine -AutoSize
} else {
    Write-Host "[OK] No immediate shell spawning activity detected from w3wp.exe." -ForegroundColor Green
}

Remediation

Immediate Actions:

  1. Patch Immediately: Apply the latest Cumulative Update (CU) or Security Update for your version of SharePoint Server referenced in the official Microsoft Security Advisory for CVE-2026-58644. Rebooting the server is required.
  2. Network Controls: If immediate patching is not possible, restrict access to SharePoint servers from the internet. Enforce strict VPN requirements or utilize a Zero Trust Network Access (ZTNA) solution to limit exposure.
  3. Inspect Logs: Review IIS logs (%SystemDrive%\inetpub\logs\LogFiles) for the past 30 days for anomalous POST requests or 500 server errors indicative of exploitation attempts.

Vendor Resources:

CISA KEV Status: Given the active exploitation, this vulnerability is expected to be added to the CISA Known Exploited Vulnerabilities (KEV) Catalog shortly. Federal agencies should adhere to the emergency directive deadlines (typically within 48 hours for edge devices).

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

criticalzero-daycvepatch-tuesdayexploitvulnerability-disclosuremicrosoftsharepointcve-2026-58644rce

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.