CVE-2026-20963: Microsoft SharePoint Server RCE Vulnerability

CVE-2026-20963 Overview

CVE-2026-20963 is an unsafe deserialization vulnerability in Microsoft Office SharePoint Server. An unauthenticated attacker can execute arbitrary code on a vulnerable SharePoint server by sending a crafted request containing malicious serialized data over the network. The flaw is tracked under CWE-502: Deserialization of Untrusted Data and impacts SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. CISA has added the issue to its Known Exploited Vulnerabilities catalog, confirming active exploitation. The EPSS score is 5.058% (89.87 percentile), reflecting elevated likelihood of further exploitation.

Critical Impact

Unauthenticated remote code execution on internet-facing SharePoint servers, leading to full server compromise, lateral movement, and access to stored enterprise content.

Affected Products

• Microsoft SharePoint Server Subscription Edition
• Microsoft SharePoint Server 2019
• Microsoft SharePoint Server 2016 (Enterprise)

Discovery Timeline

• 2026-01-13 - CVE-2026-20963 published to the National Vulnerability Database
• 2026-04-01 - Last updated in the NVD database

Technical Details for CVE-2026-20963

Vulnerability Analysis

The vulnerability resides in SharePoint Server code paths that deserialize attacker-controlled data without sufficient type validation. SharePoint accepts serialized objects through several web-facing endpoints, and the affected handler reconstructs .NET objects from incoming payloads. When a gadget chain is supplied, the deserialization process triggers code execution under the SharePoint application pool identity. Exploitation requires no authentication, no privileges, and no user interaction. Successful exploitation yields full confidentiality, integrity, and availability impact on the targeted server. Because SharePoint frequently holds privileged service accounts and integrates with Active Directory, compromise often extends beyond the host.

Root Cause

The root cause is improper handling of serialized input as defined in CWE-502. SharePoint deserializes objects from untrusted sources without enforcing a strict allow-list of safe types. Gadget chains present in loaded assemblies can be invoked during object reconstruction to execute arbitrary code.

Attack Vector

The attack vector is network-based. An attacker sends an HTTP request containing a crafted serialized payload to a vulnerable SharePoint endpoint. The server deserializes the payload and executes the embedded gadget chain. No credentials or user interaction are required, making internet-exposed SharePoint deployments primary targets.

No verified proof-of-concept code is published for this CVE at the time of writing. For authoritative technical details, refer to the Microsoft Security Update Guide.

Detection Methods for CVE-2026-20963

Indicators of Compromise

• Unexpected w3wp.exe child processes such as cmd.exe, powershell.exe, or csc.exe spawned from the SharePoint application pool.
• New or modified ASPX, ASHX, or web shell files under SharePoint LAYOUTS, _vti_bin, or site collection directories.
• Outbound network connections from SharePoint servers to unknown IP addresses or paste sites following inbound POST requests.
• IIS log entries showing large or base64-heavy POST bodies to SharePoint endpoints from external sources.

Detection Strategies

• Inspect IIS request logs for anomalously large request bodies and unusual Content-Type values targeting SharePoint handlers.
• Hunt for process lineage where w3wp.exe hosting the SharePoint app pool spawns scripting interpreters or LOLBins.
• Monitor file integrity on SharePoint web roots for newly created executable content and timestamp anomalies.
• Correlate authentication anomalies on the SharePoint farm account with suspicious process or network activity.

Monitoring Recommendations

• Forward IIS, Windows Security, and Sysmon logs from all SharePoint servers to a centralized analytics platform.
• Alert on creation of ASPX or DLL files within SharePoint hive paths outside of approved change windows.
• Track egress from SharePoint servers and baseline normal destinations to identify command-and-control channels.

How to Mitigate CVE-2026-20963

Immediate Actions Required

• Apply the security updates published in the Microsoft Security Update Guide to all affected SharePoint Server instances.
• Treat internet-exposed SharePoint servers as priority assets and patch within timelines mandated by the CISA KEV catalog entry.
• Investigate affected servers for signs of prior exploitation before and after patching, since active exploitation is confirmed.
• Rotate machine keys, service account credentials, and any secrets accessible from the SharePoint farm after remediation.

Patch Information

Microsoft has issued security updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 covering CVE-2026-20963. Administrators should consult the Microsoft Security Update Guide for the build numbers applicable to their version and install both the Server and Language Pack updates required by SharePoint cumulative servicing.

Workarounds

• Restrict external access to SharePoint web front-ends through a reverse proxy or web application firewall with strict request validation until patches are applied.
• Disable or block public access to SharePoint endpoints that are not required for business operations.
• Apply network segmentation so that SharePoint servers cannot initiate arbitrary outbound connections to the internet.

# Example: block external access to a SharePoint server using Windows Firewall
# Replace <TrustedSubnet> with your internal management range
New-NetFirewallRule -DisplayName "Block-External-SharePoint-HTTPS" \
  -Direction Inbound -Protocol TCP -LocalPort 443 \
  -RemoteAddress Internet -Action Block

New-NetFirewallRule -DisplayName "Allow-Internal-SharePoint-HTTPS" \
  -Direction Inbound -Protocol TCP -LocalPort 443 \
  -RemoteAddress <TrustedSubnet> -Action Allow