About:
CVE-2026-20963 is a high-severity remote code execution vulnerability in Microsoft Office SharePoint caused by deserialization of untrusted data. An authorized attacker with valid access to a SharePoint environment can exploit this flaw to execute arbitrary code over the network. The vulnerability is actively exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Successful exploitation may allow attackers to deploy web shells, access or exfiltrate sensitive data, manipulate SharePoint content, and move laterally within enterprise environments.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Remote Code Execution Vulnerability in Microsoft Office SharePoint
CVSS Score: 8.8 (High, CVSS v3.1)
Identifier: CVE-2026-20963
PoC or Exploitation:
CVE-2026-20963 has been observed exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities catalog.
Update/ Patch:
Microsoft released security updates addressing this vulnerability as part of the January 2026 Patch Tuesday release. Organizations should apply the relevant SharePoint security updates for supported versions, including SharePoint Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition.
Microsoft security update guidance:
Description:
CVE-2026-20963 is a deserialization of untrusted data vulnerability affecting Microsoft Office SharePoint. The vulnerability allows an authorized attacker to execute code over a network.
Exploitation requires valid access to the SharePoint environment. Once exploited, an attacker can execute arbitrary code on the affected SharePoint server, potentially leading to full server compromise.
Successful exploitation may allow attackers to deploy web shells, access or exfiltrate sensitive data, manipulate SharePoint content, and move laterally within the enterprise environment.
Mitigation Recommendation:
Immediately apply the Microsoft security updates addressing CVE-2026-20963.
Prioritize patching internet-facing and externally accessible SharePoint servers.
Review and restrict SharePoint permissions to ensure least privilege access.
Monitor SharePoint and IIS logs for suspicious activity, including unusual process execution or unauthorized file uploads.