Microsoft
CVE-2026-20963
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
AnalysisAI
Microsoft Office SharePoint contains a deserialization vulnerability (CVE-2026-20963) that allows authenticated users to execute arbitrary code over the network through crafted serialized objects. KEV-listed with public PoC, this CVSS 8.8 vulnerability enables any SharePoint user to escalate to server-level code execution, making it a critical threat for organizations relying on SharePoint for document management and collaboration.
Technical ContextAI
The vulnerability exists in SharePoint's processing of user-supplied serialized .NET objects. An authenticated attacker can craft malicious serialized data using known .NET deserialization gadget chains (e.g., TypeConfuseDelegate, ObjectDataProvider) that execute arbitrary commands when deserialized by the SharePoint server. The low privilege requirement (any authenticated SharePoint user) combined with remote network access makes this highly exploitable in enterprise environments.
RemediationAI
Apply Microsoft security update immediately. KEV-listed — remediate per CISA deadlines. Review SharePoint service account permissions (principle of least privilege). Monitor SharePoint logs for suspicious serialized data submissions. Consider network segmentation for SharePoint servers.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today