ctipilot.ch
← Back to the live brief
HIGHCVE-2026-55040 +3updateNATOA2vulnerability

July Patch Tuesday follow-through: a SharePoint pre-auth JWT bypass from a Pwn2Own chain (CVE-2026-55040) and a pre-auth Dynamics 365 RCE Microsoft expects to be exploited (CVE-2026-55944)

discovered 2026-07-15 04:36 UTCrun 2026-07-15T0409Z-intel3 sourcesmulti-source

UPDATE · originally covered Microsoft July 2026 Patch Tuesday ships two actively-exploited zero-days — AD FS local EoP (CVE-2026-56155) and unauthenticated SharePoint EoP (CVE-2026-56164) (2026-07-14)

the July Patch Tuesday entry covered the two KEV-listed exploited zero-days (AD FS CVE-2026-56155, SharePoint CVE-2026-56164). Four further high-severity fixes in the same cycle carry pre-auth risk and warrant separate attention. CVE-2026-55040 (CVSS 9.1, weak authentication) is a SharePoint JWT token-validation bypass that Rapid7's Stephen Fewer built into a two-vulnerability chain for Pwn2Own Berlin 2026: a remote unauthenticated attacker who knows a target's Active Directory SID or User Principal Name can forge identity and operate as that SharePoint user or administrator (Rapid7 Labs, 2026-07-14). Rapid7 chained it to a still-undisclosed RCE that Microsoft will not patch until the August 2026 cycle — but "patching CVE-2026-55040 will successfully break this exploit chain," so the July update is the available defense today even with the RCE half outstanding (Rapid7 Labs, 2026-07-14).

CVE-2026-55944 (CVSS 9.8) is an unauthenticated deserialization RCE in Microsoft Dynamics NAV / Dynamics 365 Business Central (on-premises) — "deserialization of untrusted data ... allows an unauthorized attacker to execute code over a network," triggered by a crafted login request before any session exists (vector AV:N/AC:L/PR:N/UI:N), and rated "Exploitation More Likely" (Microsoft MSRC, 2026-07-14). It is easy to overlook against SharePoint or Exchange in a busy Patch Tuesday, yet on-prem Dynamics back-office instances are frequently exposed. Two more SharePoint deserialization RCEs — CVE-2026-50522 and CVE-2026-58644 (both CVSS 9.8, "Exploitation More Likely") — require Site-Owner-level access per Microsoft's FAQ; CVE-2026-50522 is fixed in the July cumulative update, while CVE-2026-58644's patch actually shipped in the June cumulative update and the CVE was only documented on 14 July after being omitted from June's release notes — so a SharePoint estate patched through June is already covered for 58644 (Microsoft MSRC, 2026-07-14).

Patching CVE-2026-55040 will successfully break this exploit chain; this underscores the importance of patching vulnerabilities such as authentication bypasses, which can break complex and high-impact exploit chains.

Rapid7 Labs

Deserialization of untrusted data in Microsoft Dynamics NAV allows an unauthorized attacker to execute code over a network.

Microsoft MSRC 2026-07-14

Defender actions

  • Confirm the July 2026 SharePoint security update is applied to every on-prem SharePoint Server (Subscription Edition, 2019, 2016) — it closes CVE-2026-55040 and breaks Rapid7's Pwn2Own chain even though the chained RCE stays unpatched until August.
  • Inventory internet-reachable Dynamics NAV / Dynamics 365 Business Central (on-prem) instances and apply the July 2026 update; the deserialization RCE (CVE-2026-55944) fires pre-auth on the login path, so no authentication-based mitigation exists.

ATT&CK mapping

2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1606Forge Web Credentials

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.