CVE-2026-20963 is a critical deserialization vulnerability in Microsoft SharePoint Server that allows remote code execution for authorized attackers over the network. This vulnerability is actively exploited by nation-state actors and is listed in CISA's KEV catalog, targeting internet-facing SharePoint deployments.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-01-13
Added to CISA KEV: 2026-03-18 64 DAYS BETWEEN CVE AND KEV
Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server ...
Understand the critical aspects of CVE-2026-20963 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance.CVE-2026-20963: vulnerability analysis and mitigation. Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
Description. Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Learn about the importance of CISA's Known Exploited Vulnerability (KEV) catalog and how to use it to help build a collective resilience across the cybersecurity community.