Critical Vulnerability in Microsoft SharePoint Server Under Exploitation
CVE-2026-20963 could allow an unauthenticated attacker to achieve remote code execution
Summary
CVE-2026-20963 could allow an unauthenticated attacker to achieve remote code execution
Affected platforms
The following platforms are known to be affected:
Threat details
Unsupported versions
SharePoint Server 2007, SharePoint Server 2010, and SharePoint Server 2013 are end-of-support and no longer receive security updates. Organisations must upgrade to a supported version of SharePoint Server.
Exploitation of CVE-2026-20963
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20963 to their Known Exploited Vulnerabilities (KEV) Catalog.
The NHS England National CSOC assesses further immediate exploitation as highly likely.
Introduction
Microsoft has updated the security advisory that addresses CVE-2026-20963 to reflect that the attacker does not need to be authenticated. This new information has changed the CVSS score and altered the conditions necessary for exploitation. The vulnerability has been added to CISA's Known Exploited Vulnerabilities Catalog.
CVE-2026-20963 is a "deserialisation of untrusted data" vulnerability with a CVSSv3 score of 9.8. Successful exploitation could allow an unauthenticated attacker to execute remote code on the SharePoint Server.
Remediation advice
Affected organisations must review Microsoft's security advisory SharePoint Remote Code Execution Vulnerability CVE-2026-20963 and apply the latest security update.
Remediation steps
| Type | Step |
|---|---|
| Patch | Organisations must apply the latest security update for SharePoint Server. Fixed versions: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963. Note: SharePoint Server 2007, SharePoint Server 2010, and SharePoint Server 2013 are all end-of-support and do not receive security updates. Organisations running end-of-support SharePoint Server versions must upgrade to a supported version. |
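The following script is an added example, not part of the NHS England advisory or any Microsoft tooling. It shows the check a SharePoint administrator would run on a farm server to confirm whether the farm is on an end-of-support major version (2007, 2010 or 2013) or is below the fixed build for this update. It assumes the SharePoint Management Shell snap-in (`Microsoft.SharePoint.PowerShell`) and the `Get-SPFarm` cmdlet are available; the `$FixedBuild` value is a placeholder, because this page does not list fixed build numbers, and must be taken from Microsoft's advisory for CVE-2026-20963.

```powershell
# Added example (not from the NHS England advisory or from Microsoft).
# Reports the SharePoint farm build, flags end-of-support major versions,
# and compares the build against a fixed-build threshold.
# Run in the SharePoint Management Shell on a server in the farm.

# Load the SharePoint snap-in if this is a plain PowerShell session.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# PLACEHOLDER: replace with the fixed build for your SharePoint version,
# taken from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963
$FixedBuild = [Version]'0.0.0.0'

# Farm-wide build version (System.Version), e.g. 16.0.x.y for 2016/2019/Subscription Edition
$build = (Get-SPFarm).BuildVersion

# Major build numbers of the end-of-support releases named in the advisory:
# 12 = SharePoint Server 2007, 14 = SharePoint Server 2010, 15 = SharePoint Server 2013
$eosMajors = @{
    12 = 'SharePoint Server 2007'
    14 = 'SharePoint Server 2010'
    15 = 'SharePoint Server 2013'
}

if ($eosMajors.ContainsKey($build.Major)) {
    Write-Output "END-OF-SUPPORT: $($eosMajors[$build.Major]) (build $build). No security update will be published; upgrade to a supported version."
}
elseif ($build -lt $FixedBuild) {
    Write-Output "NOT PATCHED: farm build $build is below the fixed build $FixedBuild. Apply the latest SharePoint security update."
}
else {
    Write-Output "OK: farm build $build is at or above the fixed build $FixedBuild."
}
```

`Get-SPFarm` reports the farm-level build, which only advances once the patch has been installed on every server and the configuration wizard (or `psconfig`) has been run; a server with the update installed but the wizard not yet run will still report the old build, so treat "NOT PATCHED" as a prompt to check each server's installed updates rather than as proof that nothing has been applied.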
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 19 March 2026 11:39 am