Rapid7 Publishes Deep-Dive on Exploited SharePoint CVE-2026-58644

Rapid7 goes deep on the SharePoint CVSS-9.8 RCE — defender-team detection-engineering review this weekend.

Share
Editorial illustration of a magnifying glass over a cracked shared-document portal, marking Rapid7's deep-dive on the exploited SharePoint flaw CVE-2026-58644.

Key Takeaways

  • On July 17, 2026, Rapid7 published an Emergent Threat Response deep-dive on CVE-2026-58644, a critical remote code execution vulnerability affecting on-premises Microsoft SharePoint Server deployments, confirming a CVSS v3.1 score of 9.8 (Critical) and a root cause of deserialization of untrusted data (CWE-502).
  • Rapid7 states that Microsoft confirmed active exploitation of the flaw, that Microsoft's advisory was originally published on July 14, 2026, and that CISA added CVE-2026-58644 to its Known Exploited Vulnerabilities catalog on July 16, 2026 — the KEV listing The CyberSignal covered separately.
  • The write-up's operative defender content is a consolidated remediation and detection list: apply the July 14 updates across every affected on-premises SharePoint version, verify the updates completed, ensure Antimalware Scan Interface (AMSI) integration is enabled for every SharePoint web application, and monitor the named Microsoft Defender and AMSI signatures for attempted exploitation.

A vendor deep-dive turns a KEV entry into a working checklist: named detections, an explicit verification step, and confirmation that no network-based indicators have yet been disclosed.

BOSTON, MASS. — Rapid7 published a deep-dive analysis of CVE-2026-58644 on July 17, 2026, describing the flaw as a critical remote code execution vulnerability affecting on-premises Microsoft SharePoint Server deployments that carries a CVSS v3.1 score of 9.8 (Critical) and results from the deserialization of untrusted data (CWE-502). According to Rapid7, Microsoft published the original security advisory on July 14, 2026, has confirmed active exploitation, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog two days later on July 16.

The value of the write-up for defenders is not new severity information — the 9.8 rating and the KEV listing were already public. It is that Rapid7's Emergent Threat Response post consolidates the vendor guidance, the affected product list, and the specific Microsoft Defender and AMSI detection names into a single reference a security team can work from this weekend. It also records what is absent: at the time of publication, Rapid7 reports that no public IP addresses, domains, URLs, or additional network-based indicators of compromise have been widely disclosed.

At a Glance
FieldDetails
VulnerabilityCVE-2026-58644 — Microsoft SharePoint Server remote code execution
SeverityCVSS v3.1 9.8 (Critical), per Rapid7
Weakness classDeserialization of untrusted data (CWE-502), per Rapid7
ScopeOn-premises Microsoft SharePoint Server deployments (distinct from SharePoint Online)
Affected productsSharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition
Vendor advisoryMicrosoft published the advisory July 14, 2026, per Rapid7
ExploitationMicrosoft confirmed active exploitation, per Rapid7
KEV statusAdded to CISA's Known Exploited Vulnerabilities catalog July 16, 2026
Deep-dive publishedRapid7, July 17, 2026 (Emergent Threat Response)
Network IOCsNone widely disclosed at time of Rapid7's publication

What Rapid7 Documented

Rapid7's post opens with the technical identity of the vulnerability. CVE-2026-58644 affects on-premises Microsoft SharePoint Server, carries a CVSS v3.1 score of 9.8 (Critical), and results from the deserialization of untrusted data, catalogued as CWE-502. Rapid7 notes that Microsoft's original security advisory was published on July 14, 2026, that Microsoft has confirmed active exploitation, and that the vulnerability was subsequently added to CISA's KEV catalog on July 16. The CyberSignal is not reconstructing how the flaw is reached or triggered; the classification and the confirmed-exploitation status are the operative facts for a defender.

The affected product list is the part most likely to change a team's scoping. Rapid7 names Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition — the full set of supported on-premises editions. That matters because the boundary here is deployment model, not product family: this is an on-premises SharePoint Server issue, distinct from SharePoint Online, and an organization that has migrated most of its collaboration workload to the cloud may still be running a legacy on-premises farm that falls squarely inside scope.

Rapid7 also points to parallel guidance from CISA, which published an alert urging SharePoint hardening and recommending that organizations immediately apply Microsoft's security updates and use Microsoft Defender and AMSI detections to identify exploitation attempts. The two sets of guidance converge rather than diverge, which is useful: a defender reading both is not being asked to reconcile competing advice, only to execute a single list.

Continuation Context: The SharePoint Server Thread

This deep-dive is the fourth entry in a SharePoint sequence The CyberSignal has been tracking. It follows directly from CISA's addition of CVE-2026-58644 to the KEV catalog with a July 19 remediation deadline, which set the federal clock under Binding Operational Directive 26-04. Before that came CISA's warning about multiple actively exploited on-premises SharePoint flaws, and earlier still a critical JWT authentication-bypass weakness tracked as CVE-2026-55040.

The deserialization framing also has a direct precedent in the same product line: The CyberSignal previously covered a SharePoint Server deserialization RCE tracked as CVE-2026-45659. Read as a sequence, these entries describe a platform whose on-premises deployments have drawn repeated exploitation reporting over a short window. Rapid7's post does not assert that CVE-2026-58644 is related to any of those earlier issues, and neither does The CyberSignal — the recurrence is a pattern in the reporting, not an established technical linkage.

What the continuity does justify is a change in posture. A team that treated the first SharePoint advisory as a one-off maintenance item and the second as an unlucky coincidence should, by the fourth, be treating on-premises SharePoint as a system under sustained attention that warrants standing verification rather than episodic patching. That conclusion does not require knowing whether the flaws share a root cause.

Defender Posture for On-Premises SharePoint Server Customers

Rapid7's mitigation guidance is explicit that organizations running affected on-premises Microsoft SharePoint Server should prioritize remediation on an emergency basis. Relaying Microsoft's recommendations, the post lists five actions: apply the July 14, 2026 security updates for all affected SharePoint versions; verify that the security updates completed successfully across all SharePoint servers; ensure Antimalware Scan Interface (AMSI) integration is enabled for every SharePoint web application; monitor Microsoft Defender and AMSI detections for indicators of attempted exploitation; and initiate incident response procedures if exploitation artifacts are detected. This is textbook patch management discipline applied under a compressed clock.

The second item on that list deserves more weight than it usually gets. Microsoft is not simply saying "patch" — it is separately instructing administrators to confirm that the update completed successfully on every SharePoint server. That is an acknowledgement that partially applied or silently failed updates are a real failure mode on SharePoint farms, where multi-server topologies, staged deployments, and servers outside centralized management routinely leave a residue of unpatched instances behind an otherwise green dashboard.

The AMSI item is the one most likely to be missing in practice. AMSI integration is a per-web-application setting, so an environment can have it enabled on some SharePoint web applications and not others, with no obvious symptom until it is needed. For teams building this into a broader programme, it maps cleanly onto standing vulnerability management practice: enumerate the affected estate, confirm the control is present on each unit, and record the exceptions rather than assuming uniformity.

Rapid7 additionally notes that Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-58644 with an authenticated vulnerability check that has been available since the July 14 content release. That is vendor-specific, but the general point transfers: authenticated scanning is what distinguishes "we believe this is patched" from "we have confirmed the fixed build is running here," and on an internet-reachable application server that distinction is the whole exercise.

Detection-Engineering Review for CWE-502 Deserialization Patterns

The most immediately usable content in Rapid7's post is the set of named detections that Microsoft and CISA recommend monitoring for observed SharePoint exploitation activity. Rapid7 lists three AMSI and Microsoft Defender signatures: Exploit:Script/SuspSignoutReqBody.A, which operates via request body scanning against SharePoint Server Subscription Edition and which Microsoft reports blocks observed exploitation attempts; Exploit:Script/ToolPaneAuthBypass.A, which operates via request header scanning and applies to SharePoint Server 2016, SharePoint Server 2019, and Subscription Edition; and Exploit:Script/ToolPaneAuthBypass.

For a detection-engineering review, the practical questions are ordered. First, are those signatures actually firing into a place anyone reads — meaning, is Defender telemetry from the SharePoint servers reaching the SIEM or MDR queue, or does it terminate on the host? Second, is AMSI integration enabled on every SharePoint web application, without which the request-body and request-header scanning those signatures depend on has nothing to inspect? Third, is there an alert rule with a real routing path attached to these specific detection names, rather than a generic malware-detection rule that lands in a low-priority bucket?

The deserialization classification is worth holding onto as a triage heuristic rather than a technical detail. CWE-502 issues in enterprise application servers have a consistent operational profile — they tend to be reachable over the same channels the application already exposes, which means the surrounding controls that matter are the ones inspecting normal application traffic rather than perimeter network rules. That is precisely why the vendor guidance here centres on AMSI and endpoint detection rather than on firewall changes or network indicators.

Rapid7's note that no public IP addresses, domains, URLs, or additional network-based indicators had been widely disclosed at publication should therefore be read as a scoping fact, not a gap. A team that spends the weekend hunting for network IOCs will find nothing to hunt with; the same hours spent confirming patch state, AMSI coverage, and detection routing address the exposure directly. If network indicators do surface later, retrospective hunting becomes possible — but it is not the available work today.

Open Questions

Several things remain unestablished. No threat actor has been publicly named in connection with the exploitation of CVE-2026-58644, and Rapid7's post does not attribute the activity to any group. No victim organizations have been named. The total number of affected on-premises SharePoint deployments — and the scale of exploitation beyond Microsoft's confirmation that it is occurring — is not established in the available reporting.

It also remains unconfirmed whether CVE-2026-58644 is among the three exploited SharePoint flaws CISA flagged in its earlier warning about on-premises SharePoint, or a distinct issue that surfaced in the same window. Rapid7 places the vulnerability alongside CISA's July 14 hardening guidance without resolving that relationship, and The CyberSignal is treating the connection as plausible rather than established.

One point of variance is worth flagging for readers following the thread. Rapid7 describes CVE-2026-58644 as allowing an unauthenticated attacker to execute arbitrary code, and titles its post accordingly. Some earlier reporting on the KEV addition characterised the required access differently. The CyberSignal is following Rapid7's description here because it is the more recent account and is anchored directly to Microsoft's advisory, while noting that the privilege precondition is one of the details most likely to be clarified as the vendor record settles.


The CyberSignal Analysis

The facts above come from Rapid7's July 17 deep-dive and the vendor and agency guidance it cites; what follows is The CyberSignal's editorial reading of what defenders should take from it. None of the judgments below are new reported facts.

Signal 01 — The Deep-Dive's Value Is the Checklist, Not the Severity

The reflex on a vendor deep-dive is to look for something the KEV entry did not already say about how bad the flaw is. Our reading is that the severity was never the missing piece — a CVSS 9.8 on a KEV-listed, actively exploited server product was already unambiguous. What Rapid7 adds is executability: a named affected-product list, a five-step remediation sequence, three specific detection signature names, and an explicit statement about which indicators do not yet exist.

That is the shape of vendor research that actually changes outcomes. A defender who reads the KEV entry knows to act; a defender who reads this post knows what to do, in what order, and how to tell whether it worked. Teams evaluating which vendor advisories to route into their emergency-response process should weight that distinction — the useful ones convert urgency into tasks.

Signal 02 — "Verify the Update Completed" Is the Instruction Most Likely to Be Skipped

Microsoft listing update verification as its own separate step, distinct from applying the update, is not boilerplate. Our assessment is that it is the single highest-value line in the guidance, because it targets the specific failure mode that turns a patched estate into a breached one: the server that reported success, or was never enumerated, or sits outside the management tool that generated the compliance number.

On-premises SharePoint is unusually exposed to this. Farms accrete over years, test and staging instances outlive their purpose, and multi-server topologies make partial application plausible in a way that a single-host application does not. The teams that will come out of this cleanly are the ones that can answer "is the fixed build running on this specific server?" for every instance — not the ones that can show a deployment percentage.

Signal 03 — Four SharePoint Entries in Weeks Is the Pattern Worth Acting On

The individual CVE is the narrow story. The broader one is cadence: a JWT authentication-bypass flaw, a CISA warning about multiple exploited on-premises flaws, an earlier deserialization RCE, and now a KEV-listed critical RCE with a vendor deep-dive attached. Our view is that when one product line keeps appearing in the exploited-in-the-wild column, the disciplined response is to stop processing each entry as a discrete surprise and start treating the platform as a standing priority.

Concretely, that means an on-premises SharePoint estate should be on the short list of systems with named owners, current inventory, verified detection coverage, and a pre-agreed emergency patch path — before the next advisory rather than after it. The forward-looking watch item is whether this cadence continues; if a fifth SharePoint entry lands in the same window, the case for accelerating migration off unsupported or under-managed on-premises farms stops being a budget argument and becomes a risk one.


Sources

TypeSource
PrimaryRapid7 — CVE-2026-58644: Microsoft SharePoint Server Unauthenticated Remote Code Execution Vulnerability Exploited in the Wild
PrimaryMicrosoft Security Response Center — CVE-2026-58644 Advisory
PrimaryCISA — Urges SharePoint Hardening After New Exploitations
BackgroundMITRE — CWE-502: Deserialization of Untrusted Data
RelatedThe CyberSignal — CISA Adds SharePoint RCE CVE-2026-58644 to KEV With July 19 Deadline
RelatedThe CyberSignal — CISA Warns of Exploited On-Premises SharePoint Flaws
RelatedThe CyberSignal — Microsoft SharePoint CVE-2026-55040 JWT Auth Bypass
RelatedThe CyberSignal — Microsoft SharePoint CVE-2026-45659 Deserialization RCE