Full Report
AL26-005 – Critical vulnerability impacting Microsoft SharePoint Server – CVE-2026-20963
Analysis Summary
# Vulnerability: Remote Code Execution in Microsoft SharePoint Server via Deserialization
## CVE Details
- **CVE ID:** CVE-2026-20963
- **CVSS Score:** Critical (Specific numerical score not provided in text, but categorized as "Critical")
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:**
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
- Legacy/End-of-Life (EoL) SharePoint versions (Open-source reporting)
- **Versions:**
- Enterprise Server 2016: Versions prior to 16.0.5535.1001
- Server 2019: Versions prior to 16.0.10417.20083
- Subscription Edition: Versions prior to 16.0.19127.20442
- **Configurations:** Primarily impacts on-premises instances, with increased risk for internet-facing servers.
## Vulnerability Description
CVE-2026-20963 is a critical deserialization vulnerability. It occurs when the application fails to properly sanitize or validate untrusted data during the deserialization process. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted request over the network, allowing for the execution of arbitrary code within the context of the SharePoint Server.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA Known Exploited Vulnerabilities catalog on March 18, 2026).
- **Complexity:** Low (Implicit, as it can be triggered by unauthenticated remote actors).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Remote Code Execution allows full data access).
- **Integrity:** High (Attacker can modify system files and data).
- **Availability:** High (Attacker can disrupt services or delete data).
## Remediation
### Patches
Microsoft has released security updates to address this vulnerability. Organizations should upgrade to:
- **SharePoint Enterprise Server 2016:** 16.0.5535.1001
- **SharePoint Server 2019:** 16.0.10417.20083
- **SharePoint Server Subscription Edition:** 16.0.19127.20442
### Workarounds
- **Decommissioning:** Legacy/EoL versions should be decommissioned immediately as they will not receive patches.
- **Isolation:** Isolate web-facing applications and restrict network access to SharePoint instances where possible.
- **Hardening:** Follow OS hardening best practices to limit the impact of a successful compromise.
## Detection
- **Indicators of Compromise:** Monitor for unusual network traffic directed at SharePoint endpoints and unexpected process execution (e.g., `w3wp.exe` spawning shells or unexpected child processes).
- **Detection methods and tools:**
- Review SharePoint logs for deserialization errors.
- Check for system activity matching CISA KEV or Cyber Centre alerts.
- Report suspect activity to [My Cyber Portal] hxxps[://]www[.]cyber[.]gc[.]ca/en/incident-management.
## References
- **Microsoft Security Update Guide:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-20963
- **Canadian Centre for Cyber Security (AV26-024):** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/microsoft-security-advisory-january-2026-monthly-rollup-av26-024
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-20963
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20963