Full Report
Last time: Beijing-backed snoops and ransomware crims. Who's next? Unknown baddies are abusing yet another critical Microsoft SharePoint bug to compromise victims' SharePoint servers, the US government warned.…
Analysis Summary
# Vulnerability: Critical Deserialization RCE in Microsoft SharePoint
## CVE Details
- **CVE ID:** CVE-2026-20963
- **CVSS Score:** 9.8 (Critical) - *inferred from the unauthenticated, network-reachable RCE classification (CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); the article does not quote Microsoft's official score, so confirm it against the MSRC advisory*
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** Microsoft SharePoint Server
- **Versions:** On-premises releases: SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition.
- **Configurations:** Any on-premises farm that has not installed the March 2026 security updates.
## Vulnerability Description
CVE-2026-20963 is a critical deserialization flaw in Microsoft SharePoint Server. A remote, unauthenticated attacker who sends specially crafted input to the server causes SharePoint to deserialize attacker-controlled data, which can be weaponized into Remote Code Execution (RCE) on the server. No user interaction is required, which is what makes the bug attractive for mass exploitation of internet-exposed farms.
## Exploitation
- **Status:** Exploited in the wild.
- **Complexity:** Low.
- **Attack Vector:** Network (Remote).
- **PoC Availability:** Not stated in the article; in-the-wild exploitation is nonetheless confirmed by CISA, which is why the bug appears in its KEV catalog.
## Impact
- **Confidentiality:** High (C:H) - full read access to server data and files.
- **Integrity:** High (I:H) - ability to modify server configuration and content.
- **Availability:** High (A:H) - ability to crash the service or use the foothold to deploy ransomware.
## Remediation
### Patches
- Microsoft released fixes for this vulnerability in the **March 2026 Patch Tuesday** cycle. Administrators should update every server in the farm to the latest supported build of SharePoint Server 2016, 2019 or Subscription Edition immediately. Note that a SharePoint security update is not complete until the SharePoint Products Configuration Wizard (PSConfig) has been run on each server; installing the package alone leaves the farm in an inconsistent, partly upgraded state.
### Workarounds
- No technical workarounds are given in the article; its primary recommendation is immediate application of the security updates.
- As a general exposure-reduction measure (not from the article): do not expose on-premises SharePoint, and in particular Central Administration, directly to the public internet. Because this is an unauthenticated RCE reached through crafted input to the web front end, restricting only the management interface does not remove the attack surface; place the whole farm behind a VPN or an authenticating reverse proxy.
## Detection
- **Indicators of Compromise:** Look for unusual child processes spawning from SharePoint web worker processes (e.g., `w3wp.exe` spawning `cmd.exe` or `powershell.exe`).
- **Detection Methods:**
- Monitor CISA's Known Exploited Vulnerabilities (KEV) catalog for updates.
- Use vulnerability scanners to identify unpatched SharePoint instances.
- Review IIS logs for suspicious POST requests to SharePoint endpoints, and correlate them in time with the process-spawn indicator above: a POST logged a few seconds before `w3wp.exe` spawns a shell usually identifies the exploit request and the source IP.
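The following hunt script is an added example, not code from the article, CISA or Microsoft. It implements the two detection ideas above on constructed sample data: it flags process-creation events where the IIS worker `w3wp.exe` is the parent of a shell or script host, then pairs each hit with POST requests logged by IIS within a few seconds of the spawn. It assumes Sysmon Event ID 1 data exported as CSV with the columns `UtcTime,Image,ParentImage,CommandLine`, an IIS W3C log with its `#Fields:` header, and UTC timestamps in both (the default for both sources). The child-process list beyond `cmd.exe` and `powershell.exe`, the five-second window, and the request path `/_layouts/15/Placeholder.aspx` are assumptions of the example; the article does not identify the exploited endpoint, so the correlation is on timing rather than URI.

```python
"""Hunt for the w3wp.exe -> shell indicator and tie each hit to nearby IIS POSTs.

Added example on constructed data, not telemetry from any real case. Assumes Sysmon
Event ID 1 exported as CSV (UtcTime,Image,ParentImage,CommandLine) and an IIS W3C
log with its '#Fields:' header; both timestamps are UTC, the default for both.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WORKER_PROCESS = "w3wp.exe"
# cmd.exe and powershell.exe are named in the report; the other script hosts are
# this example's assumption.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
                       "wscript.exe", "mshta.exe", "certutil.exe", "rundll32.exe"}

# Constructed events. csc.exe under w3wp.exe is routine ASP.NET page compilation
# and must not alert; cmd.exe under svchost.exe has the wrong parent.
SAMPLE_PROCESS_EVENTS = r"""UtcTime,Image,ParentImage,CommandLine
2026-03-18 14:02:09.410,C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe,C:\Windows\System32\inetsrv\w3wp.exe,csc.exe /noconfig @C:\Windows\Temp\x.cmdline
2026-03-18 14:02:12.004,C:\Windows\System32\cmd.exe,C:\Windows\System32\inetsrv\w3wp.exe,cmd.exe /c whoami
2026-03-18 14:02:12.210,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,C:\Windows\System32\inetsrv\w3wp.exe,powershell.exe -nop -w hidden -enc SQBFAFgA
2026-03-18 14:05:00.000,C:\Windows\System32\cmd.exe,C:\Windows\System32\svchost.exe,cmd.exe /c schtasks /query
"""

# Constructed IIS W3C log. The POST path is a placeholder: the article does not
# identify the exploited endpoint, so the match is on timing, not on the URI.
SAMPLE_IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-03-18 14:01:55 10.10.0.20 GET /sites/finance/Forms/AllItems.aspx - 443 CORP\\alice 10.10.5.14 Mozilla/5.0 200 87
2026-03-18 14:02:10 10.10.0.20 POST /_layouts/15/Placeholder.aspx - 443 - 203.0.113.77 Mozilla/5.0 200 1904
2026-03-18 14:02:40 10.10.0.20 POST /_vti_bin/client.svc/ProcessQuery - 443 CORP\\bob 10.10.5.31 Mozilla/5.0 200 63
"""

@dataclass(frozen=True)
class ProcEvent:
    time: datetime
    image: str
    parent_image: str
    command_line: str

@dataclass(frozen=True)
class IisRequest:
    time: datetime
    method: str
    uri: str
    client_ip: str
    status: str

def _basename(win_path: str) -> str:
    return PureWindowsPath(win_path).name.lower()

def parse_process_events(text: str) -> list[ProcEvent]:
    return [ProcEvent(datetime.strptime(r["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
                      r["Image"], r["ParentImage"], r["CommandLine"])
            for r in csv.DictReader(io.StringIO(text))]

def find_suspicious_spawns(events: list[ProcEvent]) -> list[ProcEvent]:
    """The report's indicator: the IIS worker process spawning a shell or script host."""
    return [e for e in events if _basename(e.parent_image) == WORKER_PROCESS
            and _basename(e.image) in SUSPICIOUS_CHILDREN]

def parse_iis_log(text: str) -> list[IisRequest]:
    """W3C extended format: column order is declared by the '#Fields:' directive."""
    fields: list[str] = []
    out: list[IisRequest] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            out.append(IisRequest(
                datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S"),
                row["cs-method"], row["cs-uri-stem"], row["c-ip"], row["sc-status"]))
    return out

def correlate(spawns: list[ProcEvent], requests: list[IisRequest],
              window: timedelta = timedelta(seconds=5)) -> list[tuple[ProcEvent, list[IisRequest]]]:
    """Pair each spawn with the POSTs logged within +/- window. The window is symmetric
    because IIS writes the entry when the response completes, so the request that
    launched a long-lived shell can be logged after the child process appeared."""
    return [(s, [r for r in requests if r.method == "POST" and abs(r.time - s.time) <= window])
            for s in spawns]

def hunt(process_csv: str = SAMPLE_PROCESS_EVENTS, iis_log: str = SAMPLE_IIS_LOG) -> list[str]:
    """One human-readable finding per suspicious spawn."""
    spawns = find_suspicious_spawns(parse_process_events(process_csv))
    findings = []
    for spawn, posts in correlate(spawns, parse_iis_log(iis_log)):
        src = "; ".join(f"{p.client_ip} POST {p.uri}" for p in posts) or "no nearby POST"
        findings.append(f"{spawn.time:%H:%M:%S} w3wp.exe -> {_basename(spawn.image)} "
                        f"[{spawn.command_line}] <- {src}")
    return findings

if __name__ == "__main__":
    print("\n".join(hunt()))
```

On the sample data the script produces two findings, both the `cmd.exe` and `powershell.exe` children of `w3wp.exe` at 14:02:12, each tied to the POST from 203.0.113.77 two seconds earlier, while the `csc.exe` compilation under `w3wp.exe` and the `cmd.exe` under `svchost.exe` are left alone. In a real farm the false-positive list needs local tuning (custom solutions and timer jobs can legitimately spawn processes), and the window should be widened if clocks on the web front ends are not tightly synchronized.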
## References
- **MSRC Advisory:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-20963
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Original Source:** hxxps[://]www[.]theregister[.]com (March 19, 2026)