CVE-2026-20963
Published: 13 January 2026
Summary
CVE-2026-20963 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft SharePoint Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation (SI-2): timely patching of the specific deserialization vulnerability in Microsoft Office SharePoint prevents remote unauthorized code execution.
- Information input validation (SI-10): directly counters deserialization of untrusted data (CWE-502) by rejecting malformed or malicious serialized payloads before they are deserialized.
- Vulnerability monitoring and scanning (RA-5): detects unpatched SharePoint systems affected by CVE-2026-20963, enabling remediation before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The deserialization vulnerability in Microsoft Office SharePoint enables arbitrary remote code execution over the network with no privileges required (PR:N), which is a direct instance of exploiting a public-facing web application (T1190).
NVD Description
Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
Deeper analysis
CVE-2026-20963 is a deserialization of untrusted data vulnerability (CWE-502) in Microsoft Office SharePoint. Published on 2026-01-13, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
An unauthorized attacker can exploit this vulnerability remotely over a network with low attack complexity, requiring no privileges or user interaction. Successful exploitation enables arbitrary code execution on the affected SharePoint server.
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963 provides details on patches and mitigation steps. Additionally, the vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20963, indicating active exploitation in the wild.
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 18 March 2026