External risk intelligence

SharePoint Deserialization Vulnerability Allows Remote Code Execution

CVE advisoryKnown Exploit

CVE-2026-58644

Microsoft SharePoint is a widely deployed enterprise collaboration platform that is frequently configured as an internet-facing web application, portal, or gateway to facilitate remote access for employees and external partners.

Deserialization

Microsoft Sharepoint Server

before 16.0.19725.2043420162019

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Microsoft Office SharePoint could allow an unauthorized attacker to execute code remotely. This means an attacker could potentially take control of affected systems without any user interaction. The main concern is confirming relevance and exposure to your environment.

  • Untrusted data can lead to remote code execution.
  • Affects widely deployed enterprise collaboration systems.
  • Confirm relevance and exposure for SharePoint.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted data over a network to a vulnerable SharePoint instance. This could allow them to execute arbitrary code, potentially leading to a full compromise of the affected system.

  • Network access required
  • Deserialization of untrusted data
  • Arbitrary code execution

Live Threat

Current exploitation, exposure, and threat context

An unauthorized attacker could execute arbitrary code over a network by exploiting a deserialization vulnerability in Microsoft Office SharePoint. This could potentially allow them to compromise the affected server, impacting its availability and integrity.

  • Server code execution.
  • Network-based deserialization attack.
  • System compromise and data impact.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Microsoft Office SharePoint requires immediate attention from teams managing the SharePoint environment. The first step is to identify all SharePoint instances, confirm their exposure and business criticality, and then determine the accountable owner for remediation planning. Coordination with the vendor may be necessary depending on the impact and available fixes.

  • SharePoint administrators and platform owners.
  • Confirm external reachability and criticality of instances.
  • Plan and execute remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Microsoft Office SharePoint?

SharePoint is a Microsoft enterprise platform used for internal document management, team collaboration, and hosting organizational portals. Many companies configure it as a web application to provide remote access for employees and business partners, meaning it often functions as a central hub for sensitive company data and shared workflows.

What does CVE-2026-58644 mean for system security?

This vulnerability is classified as Deserialization of Untrusted Data (CWE-502). In simple terms, the software incorrectly processes incoming data from an external source, which can trick the system into running unauthorized commands. Because the system treats this malicious input as legitimate instructions, it can lead to full system compromise without requiring the attacker to have valid credentials or user interaction.

How does an attacker trigger this vulnerability?

An attacker triggers this by sending specifically formatted, malicious data packets over a network to a target SharePoint server. The bug is tied to how the application interprets this data during the deserialization process. Importantly, the vulnerability does not require a user to click a link or perform any specific action; it is a direct interaction with the server software itself.

Why should I care about my SharePoint configuration?

You should care because Halo Surface Signal identifies SharePoint as an enterprise platform frequently exposed to the internet to support remote work. If your instance is reachable from the public internet, it significantly broadens the potential attack surface. Assessing whether your specific instances are internet-facing or limited to internal networks is a critical step in understanding your immediate risk level.

What is the first step to address CVE-2026-58644?

Begin by creating a complete inventory of all SharePoint instances running in your environment. Once identified, evaluate their business criticality and network exposure to prioritize your response. Ensure the platform owners are aware of the threat so they can coordinate with Microsoft’s official update channels to plan and implement necessary patches as they become available.

References