ctipilot.ch

CVE-2026-50522 — Microsoft SharePoint Server: Site-Owner deserialization RCE (CVSS 9.8)

cve · CVE-2026-50522

Coverage timeline
1
first 2026-07-15 → last 2026-07-15
Peak priority
high
1 high
Sources cited
3
2 hosts
Sections touched
1
updates
Co-occurring entities
4
see Related entities below
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
Microsoft Dynamics 365 Business Central (On-Premises)Microsoft Dynamics NAVMicrosoft SharePoint Server 2016Microsoft SharePoint Server 2019Microsoft SharePoint Server Subscription Edition

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-15/microsoft-july-patch-tuesday-sharepoint-dynamics-followup · ATT&CK page ↗

Credential Access TA0006

T1606Forge Web Credentials×1

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

Evidence: 2026-07-15/microsoft-july-patch-tuesday-sharepoint-dynamics-followup · ATT&CK page ↗

Story timeline

  1. 2026-07-15July Patch Tuesday follow-through: a SharePoint pre-auth JWT bypass from a Pwn2Own chain (CVE-2026-55040) and a pre-auth Dynamics 365 RCE Microsoft expects to be exploited (CVE-2026-55944)
    updatesBeyond the two exploited zero-days, July's Microsoft set hides a Pwn2Own SharePoint auth-bypass and a pre-auth Dynamics 365 RCE rated Exploitation More Likely

Where this entity is cited

  • updates1

Source distribution

  • msrc.microsoft.com2 (67%)
  • rapid7.com1 (33%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about CVE-2026-50522 — Microsoft SharePoint Server: Site-Owner deserialization RCE (CVSS 9.8) (1)

2026-07-15 · view entry permalink →

HIGHCVE-2026-55040 +3updateNATOA2

July Patch Tuesday follow-through: a SharePoint pre-auth JWT bypass from a Pwn2Own chain (CVE-2026-55040) and a pre-auth Dynamics 365 RCE Microsoft expects to be exploited (CVE-2026-55944)

UPDATE · originally covered Microsoft July 2026 Patch Tuesday ships two actively-exploited zero-days — AD FS local EoP (CVE-2026-56155) and unauthenticated SharePoint EoP (CVE-2026-56164) (2026-07-14)

the July Patch Tuesday entry covered the two KEV-listed exploited zero-days (AD FS CVE-2026-56155, SharePoint CVE-2026-56164). Four further high-severity fixes in the same cycle carry pre-auth risk and warrant separate attention. CVE-2026-55040 (CVSS 9.1, weak authentication) is a SharePoint JWT token-validation bypass that Rapid7's Stephen Fewer built into a two-vulnerability chain for Pwn2Own Berlin 2026: a remote unauthenticated attacker who knows a target's Active Directory SID or User Principal Name can forge identity and operate as that SharePoint user or administrator (Rapid7 Labs, 2026-07-14). Rapid7 chained it to a still-undisclosed RCE that Microsoft will not patch until the August 2026 cycle — but "patching CVE-2026-55040 will successfully break this exploit chain," so the July update is the available defense today even with the RCE half outstanding (Rapid7 Labs, 2026-07-14).

CVE-2026-55944 (CVSS 9.8) is an unauthenticated deserialization RCE in Microsoft Dynamics NAV / Dynamics 365 Business Central (on-premises) — "deserialization of untrusted data ... allows an unauthorized attacker to execute code over a network," triggered by a crafted login request before any session exists (vector AV:N/AC:L/PR:N/UI:N), and rated "Exploitation More Likely" (Microsoft MSRC, 2026-07-14). It is easy to overlook against SharePoint or Exchange in a busy Patch Tuesday, yet on-prem Dynamics back-office instances are frequently exposed. Two more SharePoint deserialization RCEs — CVE-2026-50522 and CVE-2026-58644 (both CVSS 9.8, "Exploitation More Likely") — require Site-Owner-level access per Microsoft's FAQ; CVE-2026-50522 is fixed in the July cumulative update, while CVE-2026-58644's patch actually shipped in the June cumulative update and the CVE was only documented on 14 July after being omitted from June's release notes — so a SharePoint estate patched through June is already covered for 58644 (Microsoft MSRC, 2026-07-14).

Patching CVE-2026-55040 will successfully break this exploit chain; this underscores the importance of patching vulnerabilities such as authentication bypasses, which can break complex and high-impact exploit chains.

Rapid7 Labs

Deserialization of untrusted data in Microsoft Dynamics NAV allows an unauthorized attacker to execute code over a network.

Microsoft MSRC 2026-07-14
vulnerability15 Jul 04:36Zmulti-sourceOpen finding ↗