Microsoft has disclosed a critical vulnerability in on-premises SharePoint Server that lets a remote attacker execute arbitrary code without needing a single credential or any user interaction. CVE-2026-50522, part of the July 14, 2026 security updates, scores a near-maximum 9.8 out of 10 on the CVSS v3.1 severity scale—the highest practical rating a Windows vulnerability can receive. Any internet-facing SharePoint farm running an unpatched build is at immediate risk, and admins should treat this as an emergency change.
The Vulnerability: A Direct Line to Your Servers
The core weakness is a deserialization flaw (CWE-502) in Microsoft Office SharePoint. Deserialization bugs happen when an application takes data from an untrusted source—typically a network request—and tries to reconstruct an object from that data without thoroughly validating its contents. An attacker can craft a malicious payload that, when deserialized, grants them the ability to run whatever code they want on the server.
Microsoft’s own CVSS vector tells the story: the attack is network-based (AV:N), requires low complexity (AC:L), needs no privileges (PR:N) and no user interaction (UI:N). The scope is unchanged (S:U), meaning the exploit stays within the vulnerable component, but the impact on confidentiality, integrity, and availability is rated high (C:H/I:H/A:H). In practice, that means a successful attack could let a threat actor read sensitive data, alter documents and server configurations, or disrupt services entirely—all from a single, unauthenticated network probe.
Who’s Affected—and Who’s Safe
Only on-premises SharePoint Server deployments are in the crosshairs. Microsoft SharePoint Online (part of Microsoft 365) is not listed as vulnerable, because Microsoft automatically handles patching for its cloud infrastructure. If your servers are in the following product lines and haven’t been updated since July 14, you need to act:
- Microsoft SharePoint Enterprise Server 2016 — builds earlier than 16.0.5561.1001
- Microsoft SharePoint Server 2019 — builds earlier than 16.0.10417.20175
- Microsoft SharePoint Server Subscription Edition — builds earlier than 16.0.19725.20434
These version numbers are your compliance check: after deploying the update, every server in the farm must report a build at or above those thresholds. A patch approved in WSUS or Configuration Manager is not enough—the installed bits have to be in place and verified.
The Update: It’s Not Just About Installing a Patch
SharePoint servicing is famously more involved than a normal Windows cumulative update. Because SharePoint farms often span multiple servers—web front ends, application servers, search nodes, distributed cache hosts—you must update every machine and then run the SharePoint Products Configuration Wizard (or PSConfig.exe) on each one. Skipping the configuration step leaves the farm in a partially updated, unsupported state, and it does not close the vulnerability.
Before you start, record the current build of each server, confirm that recent backups are healthy, and check that disk space is adequate. If your farm is designed for high availability, you can stage the updates to minimize downtime, but don’t leave a vulnerable web front end online while you upgrade the others—that keeps the attack surface open.
Once the update and configuration wizard have completed, verify:
- Every server reports a build equal to or higher than the corrected version for its product line.
- The configuration wizard finished without errors on all nodes.
- Central Administration shows no pending upgrade actions or servers with “Upgrade Required” status.
- Web applications, search, authentication, workflows, and Office integration function normally.
- Your security monitoring tools (IIS logs, Windows Event Logs, endpoint detection) are actively watching for suspicious behavior.
If You Can’t Patch Right Now, Here’s What to Do
Some organizations cannot apply emergency patches immediately due to maintenance windows, testing requirements, or operational constraints. In that case, reducing external exposure is the best fallback—but it’s a temporary band-aid, not a fix.
- Restrict network access: Move SharePoint servers behind a VPN, reverse proxy, or application gateway that requires authentication. If possible, use a tightly controlled IP allowlist so only trusted networks can reach the farm.
- Enable a web application firewall (WAF) cautiously: A WAF can block some exploit attempts if signatures exist, but deserialization payloads are notoriously hard to filter because they can be encoded or obfuscated. Do not rely on a WAF as your only defense.
- Monitor aggressively: Look for unusual processes spawned by SharePoint or IIS, new executable files, unexpected scheduled tasks, or outbound network connections from your SharePoint servers. Even without a patch, spotting anomalous activity early can limit damage.
Remember: these mitigation steps reduce risk, but they do not eliminate the vulnerability. Attackers who can reach the server with a crafted request can still exploit the flaw. The only complete remedy is to install Microsoft’s update and run the configuration wizard.
Looking Back: Why Deserialization Bugs Are So Dangerous
CVE-2026-50522 is the latest in a long line of critical deserialization vulnerabilities in enterprise software. When applications trust data from untrusted sources without strict validation, attackers can manipulate the deserialization process to create objects that execute code, load malicious assemblies, or tamper with application state. In SharePoint, which deeply integrates with .NET and IIS, a successful exploit often gives the attacker the same privileges as the application pool identity—frequently a high-privileged service account with broad access to SQL Server databases, file shares, and authentication tokens.
Historically, critical SharePoint RCEs have been exploited within days or even hours of a patch release. The July 2026 update cycle also fixes other SharePoint vulnerabilities, at least one of which has been associated with active exploitation according to Microsoft’s advisories. While CVE-2026-50522 itself was not known to be exploited at the time of disclosure—CISA’s initial SSVC assessment tagged exploitation as “none”—the characteristics of the flaw make it highly automatable. Defenders should assume that working exploit code will surface quickly, if it hasn’t already.
The Bottom Line: Move Fast, Then Verify
Microsoft has given administrators everything they need to eliminate this risk: clear build numbers, detailed servicing guidance, and a fix that is tested and ready. The next step is yours:
- Identify all SharePoint servers in your environment, noting their current build and role.
- Download and deploy the July 2026 security update for each affected product (Enterprise 2016, 2019, or Subscription Edition).
- Run the SharePoint Products Configuration Wizard on every server, in the correct order recommended by Microsoft’s farm-update documentation.
- Validate build numbers and test core functionality.
- Review logs for any sign of pre-patch exploitation, especially if the server was internet-facing. Look for child processes launched by w3wp.exe, new .aspx or .dll files, or unusual authentication events.
If you find evidence that an attacker ran code on the server, assume the compromise extends to all credentials and secrets accessible to that machine. You may need to reset service account passwords, rotate certificates, and investigate lateral movement.
CVE-2026-50522 is not a drill. It’s a network-exploitable, unauthenticated, critical RCE in one of the most widely deployed collaboration platforms in the world. The only safe server is a fully patched one—and the clock is ticking.
What to Watch Next
Keep an eye on the MSRC advisory for any updates on exploitation status. Past patterns suggest that public exploit code may appear within days or weeks. Even if your farm is now patched, maintain heightened monitoring for any anomaly that could indicate a previously undetected intrusion. Microsoft’s July 2026 Patch Tuesday should be treated as the starting point for a broader security review of your on-premises SharePoint infrastructure.