Technology

A Critical SharePoint Zero-Day Lets Attackers Run Code Remotely Without a Login

Updated 2026

A vulnerability in Microsoft SharePoint Server (CVE-2026-58644) lets an unauthenticated attacker run arbitrary code on an affected machine simply by reaching it over a network. The flaw was exploited in the wild before Microsoft shipped a fix, and it scores at the top end of the severity scale, making it one of the most consequential enterprise-web issues of the year.

What the flaw actually does

The weakness is classified as deserialization of untrusted data. In practical terms, SharePoint was accepting structured data from outside the server and reconstructing objects from it without validating that the payload was safe. A crafted payload can cause the server to execute attacker-controlled code, handing over full control of the machine. Because no login is required, the attack surface is essentially any SharePoint instance that is reachable across a network.

Why this keeps recurring in enterprise software

Deserialization bugs have become one of the most persistent classes of vulnerability in web applications. The root issue is the same every time: the application treats incoming data as if it were trustworthy and rebuilds internal objects directly from it. When an attacker can shape that data, they can shape what gets executed. The challenge for teams is that deserialization often sits deep inside frameworks and legacy code paths, so it only surfaces when someone discovers a clever payload rather than being caught by routine testing.

What administrators should do

The priority action is to confirm that the July 2026 Patch Tuesday update (or the equivalent security release for the affected SharePoint Server version) has been applied. On-premises SharePoint deployments should also be treated as exposed until the patch is verified, because the flaw is network-exploitable without credentials. Restricting network access to SharePoint servers, monitoring for unusual outbound connections, and running endpoint detection on affected hosts are sensible compensating controls while patching is rolled out.

Knowledge takeaway: CVE-2026-58644 is a SharePoint Server deserialization flaw enabling unauthenticated remote code execution. It was actively exploited as a zero-day before the fix shipped, with a critical CVSS score. The broader lesson is that untrusted-data deserialization remains a high-impact, recurring risk in enterprise web applications.