CVE-2026-20963

Microsoft SharePoint Server — Remote Code Execution via Deserialization of Untrusted Data
CVSS 3.1: 9.8 / 10 — CRITICAL | CISA Known Exploited Vulnerability

Overview

Actively Exploited — CVSS Upgraded to 9.8 CRITICAL. Microsoft originally published this vulnerability as an 8.8 HIGH (Privileges Required: Low) on January 13, 2026. On March 17, 2026, Microsoft revised the advisory, correcting the attack model to unauthenticated (PR: None) and upgrading the CVSS score to 9.8 CRITICAL. The next day, March 18, 2026, CISA added it to the Known Exploited Vulnerabilities (KEV) Catalog with an emergency remediation deadline of March 21, 2026 (3 days). Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2026-20963 is a remote code execution vulnerability in Microsoft SharePoint Server. The flaw arises from deserialization of untrusted data (CWE-502) in the SharePoint web application. An unauthenticated, remote attacker can send crafted serialized data over the network to trigger arbitrary code execution on the SharePoint server.

SharePoint is one of the most widely deployed enterprise collaboration platforms globally, used by organizations for document management, intranet portals, and business workflows. An unauthenticated RCE vulnerability in SharePoint provides attackers with direct access to an organization's internal document stores, credentials, and network.

Critical Severity Upgrade & KEV Listing

The timeline of this vulnerability reveals a significant re-assessment that dramatically changed its risk profile:

Date             | Event
January 13, 2026 | Microsoft publishes advisory (v1.0) with CVSS 8.8 HIGH; patches released for all affected versions.
March 17, 2026   | Microsoft revises advisory (v1.1): corrects CVSS to 9.8 CRITICAL and updates the attack model to an unauthenticated attacker (PR:N).
March 18, 2026   | CISA adds the vulnerability to the KEV catalog with a 3-day emergency deadline (March 21).

Mitigation & Remediation

Immediate Actions

  • Apply January 2026 security updates immediately (KB5002822, KB5002825, KB5002828).
  • Restrict network access to SharePoint web frontends and avoid direct internet exposure.
  • Review IIS and SharePoint ULS logs for suspicious deserialization-related requests.
  • Monitor for post-exploitation behavior such as unusual processes spawned by SharePoint worker processes or suspicious outbound connections.

Key Details

Property             | Value
CVE ID               | CVE-2026-20963
Vendor / Product     | Microsoft — SharePoint
NVD Published        | 2026-01-13
NVD Last Modified    | 2026-04-01
CVSS 3.1 Score       | 9.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-502
CISA KEV Added       | 2026-03-18
CISA KEV Deadline    | 2026-03-21
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: None
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2026-03-21. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2026-01-13 | Microsoft publishes advisory v1.0 with CVSS 8.8 HIGH (Privileges Required: Low); patches released
2026-03-17 | Microsoft revises advisory v1.1: corrects to unauthenticated attack (PR:N), upgrades CVSS to 9.8 CRITICAL
2026-03-18 | Added to CISA Known Exploited Vulnerabilities catalog (3-day emergency deadline)
2026-03-21 | CISA BOD 22-01 remediation deadline