Active Exploitation of SharePoint Deserialization Vulnerability (CVE-2026-20963)
CVE-2026-20963, a SharePoint deserialization vulnerability, is under active exploitation and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, requiring immediate patching and auditing of potentially compromised data.
On March 18, 2026, CISA added CVE-2026-20963, a SharePoint deserialization vulnerability, to its Known Exploited Vulnerabilities catalog, signaling active exploitation in the wild. This vulnerability allows attackers to execute arbitrary code on affected SharePoint servers through the deserialization of untrusted data. Organizations utilizing SharePoint are urged to apply the necessary patches promptly. Beyond patching, it’s crucial to conduct a thorough audit of SharePoint assets, particularly…
Detection coverage (2)
Detect Suspicious Deserialization Activity in SharePoint (Generic)
Severity: high. Detects potential exploitation attempts of deserialization vulnerabilities in SharePoint by monitoring for specific process creation events associated with deserialization processes.
Detect Outbound Network Connection from SharePoint w3wp.exe
Severity: medium. Detects outbound network connections from SharePoint's w3wp.exe process that are not typically associated with normal SharePoint operations, potentially indicating data exfiltration after successful exploitation.
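The two detections above, expressed as triage logic over Sysmon-style events (Event ID 1 process creation, Event ID 3 network connection). This is an added example, not the platform's rules, which this page does not include; the child-process list, the egress allowlist and the sample events are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions, not from the page: child processes treated as suspicious and
# the networks w3wp.exe may legitimately reach (e.g. an internal SQL back end).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
                       "wscript.exe", "rundll32.exe", "certutil.exe"}
ALLOWED_EGRESS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable destination: surface it rather than hide it
    return addr.is_loopback or any(addr in net for net in ALLOWED_EGRESS)

def triage(event):
    """Return (severity, reason) for a suspicious event, else None."""
    eid = event.get("EventID")
    if eid == 1 and basename(event.get("ParentImage", "")) == "w3wp.exe":
        child = basename(event.get("Image", ""))
        if child in SUSPICIOUS_CHILDREN:  # csc.exe etc. are normal ASP.NET children
            return ("high", f"w3wp.exe spawned {child}")
    if eid == 3 and basename(event.get("Image", "")) == "w3wp.exe":
        dst = event.get("DestinationIp", "")
        outbound = str(event.get("Initiated", "")).lower() == "true"
        if outbound and not is_allowed(dst):
            return ("medium", f"w3wp.exe connected out to {dst}:{event.get('DestinationPort')}")
    return None

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
# Constructed sample events (documentation address range), not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": W3WP,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"EventID": 3, "Image": W3WP, "Initiated": "true",
     "DestinationIp": "10.1.2.20", "DestinationPort": 1433},
    {"EventID": 3, "Image": W3WP, "Initiated": "true",
     "DestinationIp": "203.0.113.50", "DestinationPort": 443},
    {"EventID": 3, "Image": W3WP, "Initiated": "false",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443},
]

def run(events=SAMPLE_EVENTS):
    return [hit for hit in map(triage, events) if hit]
```

The allowlist needs tuning per farm: search crawls, hybrid connectors and update checks are legitimate outbound traffic from w3wp.exe and will otherwise raise medium alerts.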
Indicators of compromise: 1 (url)