CVE-2026-20963
Published: 13 January 2026
Summary
CVE-2026-20963 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft SharePoint Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
Microsoft Office SharePoint contains a deserialization of untrusted data flaw, identified as CVE-2026-20963 and assigned CWE-502. The vulnerability received a CVSS 3.1 score of 9.8, reflecting that it is attackable over the network without authentication or user interaction and has full impact on confidentiality, integrity, and availability.
An unauthenticated attacker can send crafted serialized data over the network to trigger arbitrary code execution on the SharePoint server, achieving complete control of the affected component.
Microsoft publishes remediation details in its Security Update Guide (the referenced MSRC advisory), and CISA lists the CVE in its Known Exploited Vulnerabilities catalog, underscoring the requirement to apply vendor patches or configuration changes without delay.
The associated EPSS score rose from a low baseline to a recorded peak of 0.0987, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2114
Vulnerability details
Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 18 March 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The deserialization vulnerability in Microsoft Office SharePoint enables arbitrary remote code execution over the network with low privileges, which directly corresponds to exploitation of a public-facing web application.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely application of vendor patches for the deserialization flaw in SharePoint, eliminating the remote code execution vector before exploitation.
- SI-10 (Information Input Validation): Enforces validation of untrusted serialized input, blocking the crafted data that triggers arbitrary code execution in the deserialization path.
- SI-3 (Malicious Code Protection): Deploys malicious-code detection mechanisms that can identify and block payloads delivered via the deserialization exploit.