🔴 CVE-2026-20963

CVE-2026-20963 is a critical deserialization vulnerability in Microsoft SharePoint Server that allows an authorized attacker to execute code remotely over the network. It is actively exploited by nation-state actors against internet-facing SharePoint deployments and is listed in CISA's KEV catalog.

Risk Level: HIGH_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-01-13

Added to CISA KEV: 2026-03-18 (64 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-03-18)

The vulnerability CVE-2026-20963 is a deserialization of untrusted data flaw in Microsoft Office SharePoint that allows an authorized attacker to execute code over a network [2][4].

Regarding its exploitation:

  • Internet-facing applications or services: Exploitation specifically targets internet-facing SharePoint servers [1].
  • Evidence of active exploitation: There is evidence of active exploitation [3][7]. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog [3][8].
  • Attack vectors and exploitation methods: The vulnerability allows an authorized attacker to execute code over a network through deserialization of untrusted data [2][4]. Microsoft has observed threat actors exploiting these vulnerabilities, leading to the deployment of ransomware and new webshells [6].
  • Targeted attacks: Chinese nation-state actors, identified as Linen Typhoon and Violet Typhoon, as well as another China-based threat actor tracked as Storm-2603, have been observed exploiting vulnerabilities targeting on-premises SharePoint servers [1].
  • CISA Known Exploited Vulnerabilities status: CVE-2026-20963 has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog [3]. This catalog highlights vulnerabilities with documented evidence of active exploitation, emphasizing the need for timely remediation [5].
  • Technical details about internet exploitability: The core technical detail is the deserialization of untrusted data within Microsoft Office SharePoint, which enables remote code execution by an attacker who has authorization [2][4]. Microsoft has released security updates for all supported versions of SharePoint Server to address this [1].

Sources

  1. Disrupting active exploitation of on-premises SharePoint ...

    Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Microsoft…

  2. CVE-2026-20963 Impact, Exploitability, and Mitigation Steps | Wiz

    Understand the critical aspects of CVE-2026-20963 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance. CVE-2026-20963: vulnerability analysis and mitigation. Deserialization of untrusted data in Microsoft Office SharePoint allows an author…

  3. CISA Adds One Known Exploited Vulnerability to Catalog

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  4. CVE-2026-20963 Detail - NVD

    Description. Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

  5. Reducing the Significant Risk of Known Exploited Vulnerabilities - CISA

    Learn about the importance of CISA's Known Exploited Vulnerability (KEV) catalog and how to use it to help build a collective resilience across the cybersecurity community.