Cyber Resilience

CVE-2026-20963

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 13 January 2026
Modified: 01 April 2026
KEV Added: 18 March 2026
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3111 (98.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-20963 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft SharePoint Server. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

Microsoft Office SharePoint contains a deserialization of untrusted data flaw, identified as CVE-2026-20963 and assigned CWE-502. The vulnerability received a CVSS 3.1 score of 9.8, reflecting that it is reachable over the network without authentication or user interaction and has full impact on confidentiality, integrity, and availability.

An unauthenticated attacker can send crafted serialized data over the network to trigger arbitrary code execution on the SharePoint server, achieving complete control of the affected component.

Microsoft publishes remediation details in its Security Update Guide at the referenced MSRC advisory, and CISA lists the CVE in its Known Exploited Vulnerabilities catalog, underscoring the need to apply the vendor patch or configuration changes without delay.

The associated EPSS score rose from a low baseline to a recorded peak of 0.0987, indicating that exploitation interest increased after public disclosure.

Vulnerability details

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A deserialization vulnerability in Microsoft Office SharePoint enables arbitrary remote code execution with low privileges over the network, which directly matches the exploitation of a public-facing web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-53770 · Same product: Microsoft SharePoint Server · both on KEV
CVE-2025-59237 · Same product: Microsoft SharePoint Server
CVE-2025-49712 · Same product: Microsoft SharePoint Server
CVE-2026-26114 · Same product: Microsoft SharePoint Server
CVE-2026-33112 · Same product: Microsoft SharePoint Server
CVE-2026-40368 · Same product: Microsoft SharePoint Server
CVE-2025-49704 · Same product: Microsoft SharePoint Server · both on KEV
CVE-2026-35439 · Same product: Microsoft SharePoint Server
CVE-2026-45659 · Same product: Microsoft SharePoint Server
CVE-2026-33110 · Same product: Microsoft SharePoint Server

Affected Assets

Microsoft SharePoint Server 2016, 2019 · ≤ 16.0.19127.20442

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

SI-2 (Flaw Remediation) · prevent

Directly requires timely application of the vendor patch for the deserialization flaw in SharePoint, eliminating the remote code execution vector before exploitation.

SI-10 (Information Input Validation) · prevent

Enforces validation of untrusted serialized input, blocking the crafted data that triggers arbitrary code execution in the deserialization path.

SI-3 (Malicious Code Protection) · prevent · detect

Deploys malicious-code detection mechanisms that can identify and block payloads delivered via the deserialization exploit.
