Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
Release Date: 18th of March 2026
Impact: HIGH / CRITICAL
TLP Rating: Clear
CVE-2026-20963 is a high-severity remote code execution (RCE) vulnerability (CVSS 8.8) affecting Microsoft SharePoint Server. The flaw is caused by deserialization of untrusted data (CWE-502) within SharePoint’s handling of serialized objects.
What is it?
CVE-2026-1603 is a high-severity authentication bypass vulnerability affecting enterprise endpoint management software. The flaw exists in Ivanti Endpoint Manager (EPM) and allows a remote, unauthenticated attacker to bypass authentication controls and access sensitive stored credentials within the system.
What are the Systems affected?
The vulnerability impacts on-premises SharePoint deployments, including:
- Microsoft SharePoint Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Subscription Edition (prior to patched builds)
These systems are commonly used in enterprise environments for:
- Document management
- Collaboration platforms
- Internal portals and knowledge repositories
What does this mean?
Exploitation requires low-privileged authenticated access, meaning even a normal user account can be leveraged.
The attack is network-based, low complexity, and requires no user interaction, making it highly exploitable.
Typical attack flow:
- Initial access (low privilege)
  - The attacker gains valid SharePoint credentials (e.g., phishing or insider access).
- Crafting malicious payload
  - The attacker creates a specially crafted serialized object payload designed to exploit deserialization logic.
- Sending the request
  - The payload is sent to a vulnerable SharePoint endpoint that processes serialized data.
- Unsafe deserialization
  - SharePoint deserializes the malicious object without validation.
- Code execution
  - The payload triggers execution of attacker-controlled code on the server.
- Post-exploitation
  - Attackers may:
    - Access sensitive documents
    - Move laterally across the network
    - Install backdoors or malware
Potential Impact:
Successful exploitation of CVE-2026-20963 may allow attackers to:
- Execute arbitrary code on SharePoint servers
- Fully compromise confidentiality, integrity, and availability
- Access or exfiltrate sensitive organizational data
- Modify or delete documents and system content
- Use the compromised server for lateral movement within the network
Because SharePoint often stores critical internal documents and operational data, impact can extend beyond the server to the entire enterprise environment.
Mitigation process
CERTVU recommends the following:
Apply Microsoft Security Updates (Critical)
- Install the latest SharePoint security patches provided by Microsoft immediately.
- Ensure all SharePoint servers are updated to patched build versions.
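One way to confirm that every server in a farm has reached a patched build, as an added example that is not part of the original advisory. The advisory does not list the patched build numbers, so the script takes the minimum build as a mandatory parameter (`$MinimumPatchedBuild`, a name chosen here) that must be filled in from Microsoft's update guidance for the installed SharePoint version.

```powershell
# Added example: run in an elevated SharePoint Management Shell on a farm server.
# $MinimumPatchedBuild is NOT given in the advisory; supply the build number
# Microsoft publishes for the security update of your SharePoint version.
param(
    [Parameter(Mandatory)]
    [version]$MinimumPatchedBuild
)

# Load the SharePoint cmdlets when started from a plain PowerShell session.
if (-not (Get-Command Get-SPFarm -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

$farm     = Get-SPFarm
$findings = @()

# 1. Farm build. This value only advances after the SharePoint Products
#    Configuration Wizard (psconfig) has completed, so installing the update
#    without running the wizard leaves it at the old build.
$findings += [pscustomobject]@{
    Check  = 'Farm build'
    Target = $farm.Name
    Value  = $farm.BuildVersion
    Ok     = ($farm.BuildVersion -ge $MinimumPatchedBuild)
}

# 2. SharePoint servers (Role 'Invalid' marks non-SharePoint hosts such as SQL)
#    that still report a pending upgrade.
foreach ($server in (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' })) {
    $findings += [pscustomobject]@{
        Check  = 'Server upgrade pending'
        Target = $server.Name
        Value  = $server.NeedsUpgrade
        Ok     = (-not $server.NeedsUpgrade)
    }
}

# 3. Databases that were not upgraded along with the farm.
foreach ($db in (Get-SPDatabase | Where-Object { $_.NeedsUpgrade })) {
    $findings += [pscustomobject]@{
        Check = 'Database upgrade pending'; Target = $db.Name
        Value = $true; Ok = $false
    }
}

# Failing checks sort first; a non-zero exit code lets a scheduler flag the farm.
$findings | Sort-Object Ok | Format-Table -AutoSize
if ($findings.Ok -contains $false) { exit 1 }
```

A farm whose build is below the supplied value, or that shows any pending upgrade, should be treated as still exposed until the update and the configuration step have both completed on every server.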
References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cve.org/CVERecord?id=CVE-2026-20963