
Cybersecurity Threat Advisory

A critical remote code execution (RCE) vulnerability in Microsoft SharePoint, caused by the deserialization of untrusted data, has been discovered. Attackers do not need to authenticate to exploit unprotected systems. Review this Cybersecurity Threat Advisory now to protect your environment and your clients’ environments.

What is the threat?

CVE‑2026‑20963 is a critical remote code execution (RCE) vulnerability in Microsoft SharePoint caused by the deserialization of untrusted data. It affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. It also exists in SharePoint 2007, 2010, and 2013, which are end‑of‑support and no longer receive security updates.

Deserialization occurs when SharePoint converts structured data back into live objects in memory. In this case, SharePoint does not properly validate that the incoming data is safe before using it. As a result, an attacker on the network can send a specially crafted request that causes the server to execute malicious code.

Microsoft released a fix in January 2026, but unpatched or unsupported servers remain vulnerable.

Why is it noteworthy?

On March 18, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2026‑20963 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the flaw is being actively exploited. CISA also ordered U.S. federal civilian agencies to fix or mitigate the issue by March 21, 2026, underscoring its severity.

The vulnerability is especially dangerous because it is remotely exploitable, requires no authentication, and is low‑complexity. Since SharePoint often stores sensitive documents and integrates with identity and other core services, successful exploitation can give attackers a strong foothold inside the environment and direct access to valuable data. While no confirmed ransomware activity has been tied to this vulnerability yet, similar RCE flaws are frequently abused by access brokers and ransomware operators.

What is the exposure or risk?

Organizations running vulnerable, unpatched on‑premises SharePoint servers face the risk of full server compromise. Attackers could execute arbitrary code, install web shells or backdoors, access or modify SharePoint content, create or exploit privileged accounts, and move laterally across the network.

End‑of‑support versions (2007, 2010, 2013) are particularly exposed since they will never receive a vendor fix. Internet‑exposed or externally accessible SharePoint instances face the highest risk and may already be subject to scanning and exploitation activity. Ultimately, compromise can lead to data breaches, espionage, or serve as staging for broader ransomware or extortion operations.

What are the recommendations?

Barracuda strongly recommends taking the following actions to mitigate risk:

  • Immediately patch all supported SharePoint servers for CVE‑2026‑20963, prioritizing Internet‑facing or externally accessible systems.
  • For SharePoint 2007/2010/2013: Plan rapid migration to supported versions. Until decommissioned, tightly restrict access, isolate them on dedicated network segments, or remove them from service entirely.
  • Reduce exposure by avoiding direct Internet access, enforcing VPN or Zero Trust models, applying IP allowlisting where possible, and placing SharePoint behind a hardened reverse proxy or web application firewall.
  • Increase monitoring for indicators of compromise on SharePoint servers, including unusual processes or unexpected changes to .aspx files.
  • Maintain strong least‑privilege configurations for SharePoint and related service accounts, and ensure reliable, tested backups are available.
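One way to operationalize the .aspx monitoring recommendation above, as an added example that is not Barracuda's code: a PowerShell baseline-and-diff script run on the SharePoint server itself. The hive path, IIS root and manifest location are assumptions and should be adjusted to the farm's actual layout.

```powershell
# Added example (not Barracuda's own tooling): baseline the SHA-256 of every
# .aspx/.ashx/.asmx under SharePoint's web roots, then report new, modified or
# deleted files. Default paths are assumptions: hive "16" is 2016/2019/SE
# (use "15" for 2013); adjust the IIS root to the farm's actual layout.
param(
    [string[]]$Roots = @(
        'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
        'C:\inetpub\wwwroot\wss\VirtualDirectories'
    ),
    [string]$Manifest = 'C:\Baselines\sharepoint-aspx.json',  # assumed location
    [switch]$Baseline   # write a fresh baseline instead of comparing against one
)
# Map full path -> SHA-256 for every server-side script file under the roots.
function Get-ScriptInventory {
    param([string[]]$Paths)
    $inventory = @{}
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path -Recurse -File |
            Where-Object { $_.Extension -in '.aspx', '.ashx', '.asmx' } |
            ForEach-Object {
                $inventory[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
    }
    return $inventory
}
$current = Get-ScriptInventory -Paths $Roots
if ($Baseline) {
    New-Item -ItemType Directory -Path (Split-Path -Path $Manifest) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $Manifest
    Write-Output "Baseline written: $($current.Count) files -> $Manifest"
    return
}
# Load the saved baseline back into a hashtable and diff it against the live state.
$saved = @{}
(Get-Content -Path $Manifest -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $saved[$_.Name] = $_.Value }
$findings = @()
foreach ($file in $current.Keys) {
    if (-not $saved.ContainsKey($file))        { $findings += "NEW      $file" }
    elseif ($saved[$file] -ne $current[$file]) { $findings += "MODIFIED $file" }
}
foreach ($file in $saved.Keys) {
    if (-not $current.ContainsKey($file))      { $findings += "DELETED  $file" }
}
# Non-zero exit lets a scheduled task or EDR script runner flag the host.
if ($findings.Count -eq 0) { Write-Output 'No changes to monitored script files since baseline.' }
else { $findings | Sort-Object | Write-Output; exit 1 }
```

Run once with -Baseline immediately after patching, then schedule the comparison; any NEW or MODIFIED entry that does not match a known deployment should be investigated.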

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Posted by Tidjani Lamour

Tidjani is a Cybersecurity Analyst at Barracuda. He's a security expert, working on our Blue Team within our Security Operations Center. Tidjani supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
