theinfosecnews
theinfosecnews
Subscribe to Daily Digest

CVE-2026-20963

CISA KEV

Published March 18, 2026 · Updated April 3, 2026

high

What This Means

**CVE-2026-20963: Microsoft SharePoint Remote Code Execution via Unsafe Deserialization** Microsoft SharePoint contains an unsafe deserialization flaw that allows unauthenticated or low-privileged attackers to execute arbitrary code remotely by sending malformed serialized objects to the application. An attacker exploiting this vulnerability gains code execution in the context of the SharePoint service account, potentially leading to lateral movement, data exfiltration, or persistent access within your environment. **Immediate actions:** Apply Microsoft's security patch as soon as it becomes available. If you cannot patch immediately, restrict network access to SharePoint servers using firewall rules and WAF policies, monitor SharePoint logs for suspicious deserialization exceptions, and review recent access logs for indicators of exploitation. Check your environment for any unauthorized code execution or suspicious service account activity.

Official Description+

Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network.

Affected Products

VendorProduct
MicrosoftSharePoint

Patch Status

Patch by 2026-03-21

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2026-20963.

Related Coverage

Vvulnerability

CVE-2026-20963: Microsoft SharePoint Remote Code Execution via Unsafe Deserialization Demands Immediate Patching

CVE-2026-20963 is a deserialization of untrusted data vulnerability in Microsoft SharePoint that allows unauthenticated remote attackers to execute arbitrary code in the context of the SharePoint service account. Successful exploitation can lead to lateral movement, credential theft, and persistent access across connected Microsoft environments. CISA mandates federal agency patching by March 21, 2026, and all organizations should treat this as a critical priority remediation.

CISA KEV·16d ago·3 min read