Full Report
A critical Microsoft SharePoint vulnerability patched in January is now being exploited in attacks, the Cybersecurity and Infrastructure Security Agency (CISA) warned. [...]
Analysis Summary
# Vulnerability: Microsoft SharePoint Remote Code Execution (Deserialization)
## CVE Details
- **CVE ID:** CVE-2026-20963
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** Microsoft SharePoint Server
- **Versions:**
- SharePoint Enterprise Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
- **Configurations:** Systems where the January 2026 security updates have not been applied.
## Vulnerability Description
CVE-2026-20963 is a critical vulnerability arising from the deserialization of untrusted data within Microsoft SharePoint. An unauthenticated attacker can exploit this flaw by sending a specially crafted request over the network to a vulnerable SharePoint server. Because the application fails to properly validate the incoming data stream before reconstructing the object, the attacker can inject and execute arbitrary code in the context of the SharePoint Server process.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA; added to KEV Catalog)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to server data and potentially farm credentials)
- **Integrity:** High (Ability to modify files, database entries, and system configurations)
- **Availability:** High (Ability to crash services or delete critical data)
## Remediation
### Patches
Microsoft released the primary fixes for this vulnerability during the **January 2026 Patch Tuesday** cycle. Administrators should ensure the following (or later) updates are installed:
- Security updates for SharePoint Server Subscription Edition
- Security updates for SharePoint Server 2019
- Security updates for SharePoint Enterprise Server 2016
### Workarounds
No specific administrative workarounds were provided in the article. The primary recommendation is the immediate application of security patches. If patching is not possible, CISA recommends discontinuing use of the product.
## Detection
- **Indicators of Compromise:** Monitor for unusual child processes spawning from SharePoint web worker processes (`w3wp.exe`), especially shells (e.g., `cmd.exe`, `powershell.exe`).
- **Detection methods and tools:**
- Review SharePoint ULS logs for deserialization errors or unexpected object types.
- Utilize CISA's Known Exploited Vulnerabilities (KEV) catalog as a reference for prioritization.
- Federal agencies (FCEB) are mandated to remediate by **March 21, 2026**.
## References
- **MSRC Advisory:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-20963/
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **BleepingComputer Article:** hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/critical-microsoft-sharepoint-flaw-now-exploited-in-attacks/