~/home/news/critical-sharepoint-rce-cve-2026-2026-03-26
newsWednesday, March 25, 20268 min read👁 74 views

Critical SharePoint RCE (CVE-2026-20963) Exploited in the Wild - CISA Issues Urgent Alert

CISA has added CVE-2026-20963, a critical remote-code-execution flaw in SharePoint Server 2016/2019 and Subscription Edition, to its KEV catalog after confirming active exploitation. Agencies have three days to remediate, but many installations remain unpatched.

SharePointCVE-2026-20963CISARemote Code ExecutionPatch Management

Overview/Introduction

On March 18, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) announced that a critical remote code execution (RCE) vulnerability in Microsoft SharePoint Server-identified as CVE-2026-20963-has been observed in active attacks. The flaw, rated a CVSS 9.8, enables unauthenticated attackers to deserialize malicious data and execute arbitrary code on vulnerable SharePoint installations. Although Microsoft released a patch in its January 2026 Patch Tuesday, a substantial number of enterprises and federal agencies have not applied the update, leaving a large attack surface.

Technical Details

CVE Identifier and Classification

  • CVE-2026-20963 - Critical Remote Code Execution (CVSS 9.8)
  • Affected products: SharePoint Server 2016, SharePoint Server 2019, SharePoint Subscription Edition (on-premises)
  • Vulnerability type: Deserialization of untrusted data in the SharePoint Web Services endpoint

Attack Vector and Exploitation Method

The vulnerability resides in the way SharePoint processes serialized objects received via the /_vti_bin/owssvr.dll endpoint. An attacker can craft a specially-encoded SOAP request that contains a malicious .NET object graph. When the server attempts to deserialize this object, the malicious payload is instantiated, allowing the attacker to execute arbitrary .NET code in the context of the SharePoint application pool (typically Network Service or a custom service account).

Key characteristics of the exploit:

  • Unauthenticated - No valid credentials are required; the request can be sent from any IP address that can reach the SharePoint web front-end.
  • Network-based - The attack works over HTTP/HTTPS without needing a phishing email or user interaction.
  • Remote code execution - The attacker can drop and run PowerShell scripts, install backdoors, or move laterally within the victim network.

Microsoft’s Advisory

Microsoft’s security advisory (released January 13, 2026) confirms the deserialization flaw and states that “in a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server.” The advisory also notes that the exploitability assessment was initially set to “exploitation less likely,” a rating that was later contradicted by CISA’s findings of active exploitation.

Impact Analysis

Given the high CVSS score and the unauthenticated nature of the attack, the impact is severe:

  • Confidentiality: Attackers can exfiltrate documents, lists, and site content stored in SharePoint.
  • Integrity: Malicious actors can modify or delete critical collaboration assets, potentially disrupting business processes.
  • Availability: By deploying ransomware or destructive payloads, attackers can render SharePoint services unusable.

Organizations that rely heavily on SharePoint for intranet portals, document management, and workflow automation-particularly government agencies, defense contractors, and large enterprises-are at greatest risk. The shared-service model of SharePoint also means that a single compromised server can affect multiple business units.

Timeline of Events

  • January 13, 2026 - Microsoft releases Patch Tuesday updates, including the fix for CVE-2026-20963.
  • January 14 - February 2026 - Initial advisory published; Microsoft rates exploitability as low.
  • Mid-March 2026 - Independent security researcher discovers evidence of exploitation in the wild and reports to CISA.
  • March 18, 2026 - CISA adds CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog, issuing an urgent directive to federal agencies.
  • March 21, 2026 - Deadline for federal agencies to remediate the vulnerability.
  • March 23, 2026 - SecurityWeek updates its coverage, noting that Microsoft has not publicly confirmed the specific attacks.

Mitigation/Recommendations

Organizations should act immediately to reduce exposure. Recommended steps:

  1. Apply the January 2026 Patch - Install the latest cumulative update for the affected SharePoint version. For environments with automatic update policies, verify that the patch has been applied.
  2. Validate Patch Deployment - Use tools such as Get-HotFix on the SharePoint server or a vulnerability scanner to confirm the presence of KBXXXXXX (the specific KB number for the fix).
  3. Network Segmentation - Restrict inbound traffic to the SharePoint web front-end to only trusted IP ranges. Block external access to /_vti_bin/owssvr.dll if not required.
  4. Application-Level Hardening
    • Disable unnecessary Web Services endpoints that are not used by your organization.
    • Enable request validation and enforce strict content-type headers.
  5. Monitoring and Detection
    • Deploy IDS/IPS signatures that detect anomalous SOAP requests targeting owssvr.dll.
    • Enable SharePoint audit logging and monitor for unusual object creation or execution patterns.
  6. Incident Response Preparedness
    • Update runbooks to include detection of deserialization attacks.
    • Ensure backups of SharePoint content are recent and stored offline.

Real-World Impact

While Microsoft has not disclosed details of specific breach campaigns, the fact that CISA flagged active exploitation suggests that threat actors are already leveraging the flaw. Potential real-world scenarios include:

  • State-Sponsored Espionage - Nations targeting defense contractors could exfiltrate classified design documents stored in SharePoint.
  • Ransomware Deployment - Attackers gain initial foothold, then deploy ransomware that encrypts SharePoint databases, demanding payment for decryption keys.
  • Supply-Chain Disruption - Compromised SharePoint sites used for vendor collaboration can be poisoned, leading to the spread of malicious files downstream.

For organizations that have mandated SharePoint as the single source of truth for policy documents, the loss of availability could halt critical operations, especially in regulated sectors such as healthcare, finance, and energy.

Expert Opinion

As a senior cybersecurity analyst, I view the rapid escalation from “low exploitation likelihood” to a confirmed KEV entry as a textbook example of why patch management must be treated as a continuous, risk-based process rather than a periodic chore. The deserialization flaw is particularly dangerous because it bypasses authentication entirely, meaning that even air-gapped networks that expose SharePoint to the corporate perimeter are vulnerable.

The broader industry implication is two-fold:

  1. Shift Toward Secure Coding Practices - Microsoft’s own advisory acknowledges the root cause-unsafe deserialization. Developers must adopt safe-serialization frameworks, input validation, and adopt threat-modeling early in the software lifecycle.
  2. Elevated Role of Government-Led KEV Catalogs - CISA’s KEV list is increasingly becoming a de-facto compliance requirement. Organizations that ignore the KEV alerts risk not only technical compromise but also potential regulatory penalties.

In short, the window to remediate CVE-2026-20963 is closing fast. Enterprises that have deferred patching for legacy SharePoint installations should prioritize this update, conduct a rapid inventory of exposed endpoints, and integrate the vulnerability into their threat-intelligence feeds. The cost of a breach-both financial and reputational-will far outweigh the operational effort required to patch today.