Threat Intelligence / CVE / CVE-2026-20963

CVE-2026-20963

CISA KEV

CVSS 8.8 (HIGH) · EPSS 6.5%

Remote code execution vulnerability in Microsoft SharePoint Server caused by unsafe deserialization of untrusted data (CWE-502). The flaw resides in handling of serialized objects within ASP.NET ViewState and related serialized data streams processed by SharePoint application pages under the /_layouts/ directory. An attacker with low-level authentication can craft a malicious serialized payload using gadget chains to execute arbitrary code in the context of the SharePoint application pool process (w3wp.exe). Patched in January 2026 Patch Tuesday. CISA KEV added 2026-03-18 with remediation deadline 2026-03-21.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-502

Threats tracking this CVE

Microsoft SharePoint Server Deserialization RCE (CVE-2026-20963) — CISA KEV Active Exploitation — CRITICAL

Full detection coverage & IOCs for threats exploiting CVE-2026-20963 are available via the Threadlinqs MCP server (Purple tier). View plans →

Markdown version · Threadlinqs Intelligence