Threat Insight
Actively Exploited Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
A remote code execution (RCE) vulnerability in Microsoft SharePoint Server, tracked as CVE‑2026‑20963, has been observed being exploited in the wild.
CVE‑2026‑20963 is a deserialization of untrusted data vulnerability in Microsoft SharePoint. The flaw enables an attacker to execute arbitrary code over a network[1].
Ongoing exploitation of this vulnerability has been observed, although no threat actor attribution has been made public yet, and there does not appear to be any public information about the attacks exploiting the vulnerability at this time.
CVE
CVE‑2026‑20963
Affected Products
- Microsoft SharePoint Server Subscription Edition prior to version 16.0.19127.20442 [3]
- Microsoft SharePoint Enterprise Server 2016 prior to version 16.0.10417.20083 [3]
- Microsoft SharePoint Server 2019 prior to version 16.0.5535.1001 [3]
Exploitation
CVE‑2026‑20963 has been added to the Known Exploited Vulnerabilities (KEV) catalog[2].
Recommended Actions
Although Microsoft’s advisory has not yet been updated to acknowledge exploitation, Truesec strongly recommends patching systems running vulnerable SharePoint Server versions.
References
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-20963
[2] https://www.cisa.gov/news-events/alerts/2026/03/16/cisa-adds-one-known-exploited-vulnerability-catalog
[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963