Actively Exploited — CVSS Upgraded to 9.8 CRITICAL. Microsoft originally published this as an 8.8 HIGH (Privileges Required: Low) on January 13, 2026. On March 17, 2026, Microsoft revised the advisory, correcting the attack to unauthenticated (PR: None) and upgrading the CVSS to 9.8 CRITICAL. The next day, March 18, 2026, CISA added it to the [Known Exploited Vulnerabilities (KEV) Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20963) with an emergency remediation deadline of March 21, 2026 (3 days). Federal agencies are required to apply mitigations per [BOD 22-01](https://www.cisa.gov/binding-operational-directive-22-01).
CVE-2026-20963 is a remote code execution vulnerability in Microsoft SharePoint Server. The flaw arises from deserialization of untrusted data (CWE-502) in the SharePoint web application. An unauthenticated, remote attacker can send crafted serialized data over the network to trigger arbitrary code execution on the SharePoint server.
SharePoint is one of the most widely deployed enterprise collaboration platforms globally, used by organizations for document management, intranet portals, and business workflows. An unauthenticated RCE vulnerability in SharePoint provides attackers with direct access to an organization's internal document stores, credentials, and network.
The timeline of this vulnerability reveals a significant re-assessment that dramatically changed its risk profile:
| Date | Event |
| --- | --- |
| January 13, 2026 | Microsoft publishes advisory (v1.0). CVSS 8.8 HIGH; patches released for all affected versions. |
| March 17, 2026 | Microsoft revises advisory (v1.1). Corrects CVSS to 9.8 CRITICAL and updates the attack model to an unauthenticated attacker (PR:N). |
| March 18, 2026 | CISA adds to KEV catalog with a 3-day emergency deadline (March 21). |
- Apply January 2026 security updates immediately (KB5002822, KB5002825, KB5002828).
- Restrict network access to SharePoint web frontends and avoid direct internet exposure.
- Review IIS and SharePoint ULS logs for suspicious deserialization-related requests.
- Monitor for post-exploitation behavior such as unusual processes spawned by SharePoint worker processes or suspicious outbound connections.
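The last two items above (log review and monitoring for post-exploitation behaviour) as an added example, not code from the original page or from Microsoft: a small Python triage over constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) events that flags the IIS worker process hosting SharePoint (w3wp.exe) spawning a shell or connecting outside the internal ranges. The child-process list and the internal networks are assumptions to tune per farm.

```python
"""Triage constructed Sysmon-style events from a SharePoint server for the
post-exploitation behaviour the mitigation list describes (example only)."""
import ipaddress
from typing import Iterable, List, Optional

# SharePoint web applications run inside IIS worker processes named w3wp.exe.
WORKER = "w3wp.exe"
# Children a SharePoint worker has no normal reason to spawn (assumed baseline).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "mshta.exe"}
# Networks the worker legitimately talks to (assumed: SQL, AD, other farm members).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_process(event: dict) -> Optional[str]:
    """Sysmon Event ID 1: flag w3wp.exe spawning a shell or LOLBin."""
    if event.get("EventID") != 1:
        return None
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    if parent == WORKER and child in SUSPICIOUS_CHILDREN:
        return f"{WORKER} spawned {child}: {event.get('CommandLine', '')}"
    return None

def flag_network(event: dict) -> Optional[str]:
    """Sysmon Event ID 3: flag w3wp.exe connecting outside the internal networks."""
    if event.get("EventID") != 3 or _basename(event["Image"]) != WORKER:
        return None
    dst = ipaddress.ip_address(event["DestinationIp"])
    if not any(dst in net for net in INTERNAL_NETS):
        return f"{WORKER} outbound to {dst}:{event['DestinationPort']}"
    return None

def triage(events: Iterable[dict]) -> List[str]:
    """Run both checks over every event and collect the findings."""
    return [hit for ev in events for check in (flag_process, flag_network)
            if (hit := check(ev))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 1433},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
]
```

Running `triage(SAMPLE_EVENTS)` yields two findings: the cmd.exe child and the connection to 203.0.113.7; the conhost.exe child and the SQL connection to 10.0.0.5 are left alone.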
| Property | Value |
| --- | --- |
| CVE ID | CVE-2026-20963 |
| Vendor / Product | Microsoft — SharePoint |
| NVD Published | 2026-01-13 |
| NVD Last Modified | 2026-04-01 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-502 |
| CISA KEV Added | 2026-03-18 |
| CISA KEV Deadline | 2026-03-21 |
| Known Ransomware Use | No |
CISA BOD 22-01 Deadline: 2026-03-21.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
| Date | Event |
| --- | --- |
| 2026-01-13 | Microsoft publishes advisory v1.0 with CVSS 8.8 HIGH (Privileges Required: Low); patches released |
| 2026-03-17 | Microsoft revises advisory v1.1: corrects to unauthenticated attack (PR:N), upgrades CVSS to 9.8 CRITICAL |
| 2026-03-18 | Added to CISA Known Exploited Vulnerabilities catalog (3-day emergency deadline) |
| 2026-03-21 | CISA BOD 22-01 remediation deadline |