The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20963, a Microsoft SharePoint Remote Code Execution (RCE) vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog on March 18, 2026, after confirming active exploitation in the wild. CISA has ordered all US federal civilian agencies to patch by March 21, 2026, under Binding Operational Directive (BOD) 22-01.
Severity Level: CRITICAL
| Field | Details |
|---|---|
| CVE ID | CVE-2026-20963 |
| Vulnerability Type | Deserialization of Untrusted Data (CWE-502) |
| Impact | Remote Code Execution (RCE) |
| CVSS Score | 8.8 (High) |
| Status | Actively Exploited |
| Patch Deadline | March 21, 2026 (CISA BOD 22-01) |
What Is CVE-2026-20963?
CVE-2026-20963 is a Deserialization of Untrusted Data vulnerability in Microsoft SharePoint Server. The flaw resides in the handling of serialized objects within ASP.NET ViewState and other serialized data streams utilized by SharePoint application pages.
An attacker with standard user-level authentication can send a specially crafted serialized object (payload) to a vulnerable SharePoint Server, resulting in arbitrary code execution on the server in the context of the SharePoint Service Account. No user interaction is required for exploitation.
Deserialization vulnerabilities are listed in the OWASP Top 10 as one of the most critical information security risks that organizations must address, as they can lead to complete server compromise. Understanding common attack vectors like SQL Injection and deserialization flaws is essential for building a strong security posture.
Attack Vector Summary
| Step | Description |
|---|---|
| 1. Gain Access | Attacker authenticates to SharePoint with a standard user account (no admin privileges required) |
| 2. Craft Payload | Create a malicious serialized object containing arbitrary code |
| 3. Send Request | Submit an HTTP request to a vulnerable SharePoint application page |
| 4. Deserialization | SharePoint deserializes the object without proper validation, triggering malicious code execution |
| 5. RCE Achieved | Attacker can execute commands on the server under the SharePoint Service Account context |
Important Warning: Since this vulnerability only requires standard user authentication, attackers can use credentials stolen through phishing campaigns or other injection attacks to gain access and exploit this flaw immediately.
March 2026 Patch Tuesday Overview
CVE-2026-20963 was patched as part of Microsoft's March 2026 Patch Tuesday, which addressed a total of 84 vulnerabilities, including 8 rated Critical.
| Vulnerability Type | Count | Percentage |
|---|---|---|
| Elevation of Privilege | 46 | 55% |
| Remote Code Execution (RCE) | 16 | 19% |
| Information Disclosure | 10 | 12% |
| Denial of Service / Spoofing / Other | 12 | 14% |
| Total | 84 | 100% |
Notable Critical Vulnerabilities
| CVE | Product | CVSS | Type |
|---|---|---|---|
| CVE-2026-20963 | SharePoint Server | 8.8 | RCE (Actively Exploited) |
| CVE-2026-21536 | Microsoft Devices Pricing | 9.8 | RCE |
| CVE-2026-26110 | Microsoft Office | 8.4 | RCE |
| CVE-2026-26113 | Microsoft Office | 8.4 | RCE |
| CVE-2026-26144 | Microsoft Excel | 7.5 | Information Disclosure |
Who Is Affected?
This vulnerability affects all currently supported versions of Microsoft SharePoint Server:
- Microsoft SharePoint Server Subscription Edition — the latest subscription-based version
- Microsoft SharePoint Server 2019 — still under Mainstream Support
- Microsoft SharePoint Enterprise Server 2016 — still under Extended Support
Any organization running SharePoint Server on-premises for document management, intranet portals, or collaboration is at risk. This is particularly concerning for government agencies and large enterprises that rely on SharePoint as their primary document management system.
Note for SharePoint Online (Microsoft 365) Users
This vulnerability affects SharePoint Server on-premises only. SharePoint Online users through Microsoft 365 have already been patched by Microsoft. However, you should verify that no hybrid configurations connect to unpatched on-premises servers.
How to Check and Patch
1. Verify Your SharePoint Version
Open Central Administration > System Settings > Manage servers in this farm to check the Build Number, then compare it against the patched Build Number for your version.
2. Download and Install the Security Update
- Go to the Microsoft Update Catalog and search for the relevant KB for your SharePoint version
- Download the latest Cumulative Update (CU) or Security Update for March 2026
- Install it on every SharePoint Server in your farm
3. Run SharePoint Products Configuration Wizard
After installing the update, you must run the Configuration Wizard on every server in the farm to update the database schema.
4. Check Logs After Installation
- Review Windows Event Log for errors
- Review SharePoint ULS Logs for warnings or errors
- Test core SharePoint functionality to ensure everything works correctly
IT Admin Checklist
Use this checklist to ensure your organization has completed all necessary steps:
| # | Action Item | Status |
|---|---|---|
| 1 | Identify all SharePoint Servers in the farm and check Build Numbers | ☐ |
| 2 | Back up databases and configurations before applying the update | ☐ |
| 3 | Download the Security Update from Microsoft Update Catalog | ☐ |
| 4 | Install the update on every SharePoint Server in the farm | ☐ |
| 5 | Run SharePoint Products Configuration Wizard on all servers | ☐ |
| 6 | Review Event Logs and ULS Logs for errors | ☐ |
| 7 | Test core functionality: Document upload/download, Search, Workflows | ☐ |
| 8 | Review IIS logs for the past 30 days for suspicious requests to SharePoint application pages | ☐ |
| 9 | Review Audit Logs for anomalous user authentication patterns | ☐ |
| 10 | Report patch status to management and relevant stakeholders | ☐ |
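Checklist item 8 as an added example (not from the original article or from Microsoft): a Python triage pass over IIS W3C logs that groups POST requests to application pages by user and client IP for manual review. The `/_layouts/` path match, the 8 KB body-size threshold and the sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example, not values from the advisory:
APP_PAGE_MARKER = "/_layouts/"   # path segment of SharePoint application pages
SIZE_THRESHOLD = 8192            # request bodies at or above this get reviewed

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status cs-bytes
2026-03-10 08:01:12 GET /_layouts/15/pageA.aspx CONTOSO\alice 10.0.0.5 200 612
2026-03-11 09:15:40 POST /_layouts/15/pageB.aspx CONTOSO\alice 10.0.0.5 200 2048
2026-03-12 02:47:03 POST /sites/hr/_layouts/15/pageC.aspx CONTOSO\bob 203.0.113.77 500 48211
2026-03-12 02:47:09 POST /sites/hr/_layouts/15/pageC.aspx CONTOSO\bob 203.0.113.77 200 48190
2026-01-02 11:00:00 POST /_layouts/15/pageC.aspx CONTOSO\carol 10.0.0.9 200 50000
"""

def parse_w3c(lines):
    """Yield one dict per request, keyed by the latest #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or torn lines
                yield dict(zip(fields, values))

def flag_requests(lines, now, days=30):
    """Group reviewable POSTs to application pages by (user, client IP)."""
    cutoff = now - timedelta(days=days)
    hits = defaultdict(list)
    for r in parse_w3c(lines):
        when = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        stem = r.get("cs-uri-stem", "")
        if when < cutoff or r.get("cs-method") != "POST":
            continue
        if APP_PAGE_MARKER not in stem.lower():
            continue
        size = r.get("cs-bytes", "-")
        # cs-bytes is an optional IIS field; if it is not logged, keep the
        # request for manual review instead of silently dropping it.
        if size.isdigit() and int(size) < SIZE_THRESHOLD:
            continue
        key = (r.get("cs-username", "-"), r.get("c-ip", "-"))
        hits[key].append((when.isoformat(sep=" "), stem, r.get("sc-status"), size))
    return dict(hits)

if __name__ == "__main__":
    for who, reqs in flag_requests(SAMPLE_LOG.splitlines(), datetime(2026, 3, 21)).items():
        print(who, len(reqs), reqs)
```

IIS writes W3C timestamps in UTC, so pass `now` in UTC when running this over real log files.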
Why Patch Management Matters
The case of CVE-2026-20963 underscores that patch management is not something that can be deferred indefinitely. When a vulnerability is added to the KEV Catalog, it means there is clear evidence that attackers are actively exploiting it right now.
This situation parallels the recent SAP Security Patches for March 2026, which also addressed multiple critical vulnerabilities. It demonstrates that every enterprise software vendor faces ongoing security challenges, and organizations must maintain robust patch management processes.
Patch Management and ERP Security
Organizations running ERP systems should have a clear Patch Management Policy, as ERP systems store the most sensitive data in the organization — from financial records and customer data to employee information. If related servers are compromised, the impact can be devastating.
| Aspect | Without Patch Management | With Good Patch Management |
|---|---|---|
| Response Time | Weeks to months | Within 24-72 hours for Critical patches |
| Pre-deployment Testing | None or ad hoc | Dedicated test environment with rollback plan |
| Tracking | No visibility into patch status | Dashboard tracking status across all servers |
| Outcome | High risk of exploitation | Significantly reduced risk |
Saeree ERP and Security
Saeree ERP is designed with security as a core principle — featuring comprehensive Audit Trail logging for every transaction, granular Role-Based Access Control, and secure API design to prevent unauthorized data access. Our dedicated security team maintains continuous patch management to keep your systems protected.
"Actively exploited vulnerabilities don't wait for you to be ready — a single day of delayed patching could mean your entire organization's data is compromised. Every organization needs a Patch Management process that can be activated immediately."
- Saeree ERP Team
Conclusion
CVE-2026-20963 is a clear reminder that security vulnerabilities are not theoretical risks — even enterprise-grade software like Microsoft SharePoint can be actively exploited. Here is what you need to do:
| Action | Why It Matters |
|---|---|
| Patch SharePoint Server immediately | The vulnerability is being actively exploited — every day unpatched increases risk |
| Review historical logs | Your system may have been compromised before the patch was available |
| Establish a Patch Management Policy | Prevent the same problem from recurring with future vulnerabilities |
| Monitor Patch Tuesday every month | Early awareness enables faster response and better protection |
If your organization is looking for an ERP system built with security by design, contact the Saeree ERP team to discuss the best approach for your organization.
