Mar 19, 2026
Authenticated RCE in SharePoint Server via insecure deserialization. Actively exploited and listed in CISA KEV. Requires immediate patching.
CVE-2026-20963 is a critical remote code execution (RCE) vulnerability in Microsoft SharePoint Server, caused by the unsafe deserialization of untrusted data (CWE-502). An authenticated attacker with standard user privileges can exploit this flaw to execute arbitrary code in the context of the SharePoint service.
CVE-2026-20963 is a remote code execution vulnerability in Microsoft SharePoint Server. The flaw resides in the handling of serialized objects within ASP.NET ViewState and other serialized data streams utilized by SharePoint application pages. These pages are typically located under the /_layouts/ directory of the application server. The vulnerability is classified as CWE-502, Deserialization of Untrusted Data.
An attacker with standard user privileges can exploit this vulnerability by submitting a crafted request containing a malicious serialized object. When the SharePoint server processes this request, the application reconstructs the object graph without verifying the object types. This reconstruction process triggers the execution of embedded methods within the deserialized objects. The resulting code execution occurs within the security context of the SharePoint web application process.
The vulnerability exposes affected servers to complete system compromise if the service account holds elevated privileges. This vulnerability was added to the CISA Known Exploited Vulnerabilities catalog on March 18, 2026. The inclusion indicates active exploitation by threat actors in real-world environments. Organizations must prioritize applying the official Microsoft updates to mitigate this risk.
The root cause of CVE-2026-20963 is the absence of adequate type validation during the deserialization of user-supplied data. SharePoint relies heavily on serialization to maintain state across HTTP requests, frequently utilizing mechanisms like ASP.NET ViewState. When a client interacts with the server, state data is serialized, sent to the client, and returned in subsequent requests.
The vulnerability manifests when the server-side deserialization logic processes this incoming data using unsafe formatters. Formatters such as BinaryFormatter or ObjectStateFormatter are known to be dangerous when applied to untrusted data without stringent type filtering (for example, a serialization binder that restricts which types may be reconstructed). Without such a filter, the formatter will instantiate any class loadable in the process's application domain if the serialized stream names it.
Attackers construct specific gadget chains to exploit this behavior. A gadget chain is a sequence of classes and methods that, when instantiated and invoked during deserialization, execute arbitrary commands. Tools such as Ysoserial.net generate these payloads by leveraging classes already present in the .NET framework or SharePoint's internal libraries.
The vulnerability exists in the routine responsible for parsing state parameters from HTTP POST requests. The vulnerable implementation reads a Base64-encoded string from the request and passes it directly to an unconfigured deserializer. The application implicitly trusts the incoming data, allowing an attacker to specify arbitrary types in the payload.
```csharp
// Vulnerable Implementation Pattern
protected override void LoadViewState(object savedState) {
    string base64State = Request.Params["__VIEWSTATE"];
    ObjectStateFormatter formatter = new ObjectStateFormatter();
    // Unsafe deserialization occurs here
    object state = formatter.Deserialize(base64State);
    base.LoadViewState(state);
}
```

The patched implementation introduces cryptographic integrity checks or utilizes strict type bounding to verify the origin and composition of the serialized data before deserialization occurs. Microsoft typically addresses these flaws by enforcing strict MAC validation during the ViewState parsing phase. This fix ensures that modified or externally generated serialized objects are rejected before the deserialization engine processes the type graph.
```csharp
using System.Security.Cryptography;

// Patched Implementation Pattern
protected override void LoadViewState(object savedState) {
    string base64State = Request.Params["__VIEWSTATE"];
    // Ensure MAC validation is strictly enforced. VerifyMac is an illustrative
    // helper standing in for the farm's HMAC check over the serialized state.
    if (!VerifyMac(base64State)) {
        throw new CryptographicException("Invalid ViewState MAC");
    }
    ObjectStateFormatter formatter = new ObjectStateFormatter();
    // Deserialization only proceeds if integrity is cryptographically verified
    object state = formatter.Deserialize(base64State);
    base.LoadViewState(state);
}
```

The following diagram illustrates the differing outcomes between the vulnerable and patched validation paths when processing an incoming POST request containing a deserialization payload.
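To make the patched validation path concrete, here is an added Python model of MAC-gated ViewState loading (example code, not SharePoint's or Microsoft's implementation). It assumes a constructed validation key and a simplified tag layout, serialized state followed by an HMAC-SHA256 tag; ASP.NET's real MAC derivation differs in detail, but the ordering it enforces is the same: verify integrity first, then hand the bytes to the formatter.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

# Constructed validation key for the demo; a real SharePoint farm's machineKey
# validationKey is a secret shared by the web front ends, never a fixed literal.
VALIDATION_KEY = bytes.fromhex("4f2b1c9d8e7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c")
LOS_MAGIC = b"\xff\x01"                  # prefix of an ObjectStateFormatter stream
MAC_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag


def sign_viewstate(state: bytes, key: bytes) -> str:
    """Server side on render: serialized state || HMAC-SHA256(key, state), base64."""
    tag = hmac.new(key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode("ascii")


def encode_unsigned(state: bytes) -> str:
    """What an externally generated blob looks like: base64 with no valid MAC."""
    return base64.b64encode(state).decode("ascii")


def verify_mac(b64_state: str, key: bytes) -> Optional[bytes]:
    """Return the serialized state only if the trailing MAC verifies, else None."""
    try:
        raw = base64.b64decode(b64_state, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= MAC_LEN:
        return None
    body, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return body


def load_viewstate(b64_state: str, key: bytes) -> bytes:
    """Patched path: the integrity check runs before any type reconstruction."""
    body = verify_mac(b64_state, key)
    if body is None:
        raise ValueError("Invalid ViewState MAC")
    if not body.startswith(LOS_MAGIC):
        raise ValueError("Not an ObjectStateFormatter stream")
    return body   # stand-in for formatter.Deserialize(body)
```

A blob produced outside the server, or a legitimate one with a single byte changed, fails `verify_mac` and never reaches the formatter, which is the property the vulnerable pattern lacks.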
Exploitation requires the attacker to hold standard user privileges on the target SharePoint site. This prerequisite aligns with the CVSS Privileges Required metric of Low (PR:L). The attacker authenticates to the application to obtain a valid session and access the vulnerable endpoints.
The attacker navigates to an application page under the /_layouts/ directory that processes serialized state data. They capture a legitimate request to this endpoint to map the expected parameters and application state. Using a tool like Ysoserial.net, the attacker generates a serialized payload containing a gadget chain designed to execute a specific operating system command.
The attacker base64-encodes the payload and embeds it into the __VIEWSTATE parameter or a vulnerable custom parameter within a POST request. The attacker submits this manipulated request to the target server. The server processes the request, deserializes the payload, and triggers the gadget chain execution.
Successful exploitation results in remote code execution on the target SharePoint server. The attacker gains the ability to execute arbitrary commands within the security context of the SharePoint application pool process. This process is typically w3wp.exe running as the SharePoint service account, which may possess extensive local network permissions.
The impact spans confidentiality, integrity, and availability, resulting in a CVSS Base Score of 8.8. The attacker obtains full read access to sensitive data stored on the server or accessible via the compromised service account. They can modify system files, alter SharePoint configurations, or disrupt the service entirely.
Threat intelligence indicates this vulnerability is actively exploited in the wild. Historically, actors associated with ToolShell campaigns have utilized similar SharePoint deserialization flaws. These vulnerabilities are frequently leveraged to establish initial network footholds and facilitate subsequent lateral movement into deeper infrastructure segments.
The primary remediation strategy is the immediate application of the official security updates provided by Microsoft. Administrators managing Microsoft SharePoint Enterprise Server 2016 must install update KB5002828 to reach version 16.0.5535.1001 or later. Organizations running Microsoft SharePoint Server 2019 are required to deploy update KB5002825 to upgrade to version 16.0.10417.20083 or later.
Environments utilizing Microsoft SharePoint Server Subscription Edition must apply the corresponding update to achieve version 16.0.19127.20442. Applying these patches modifies the deserialization routines to safely handle user-supplied state data. CISA has mandated that all federal civilian executive branch agencies apply these updates by March 21, 2026.
In situations where immediate patching is unfeasible, administrators should enforce the principle of least privilege for the SharePoint service accounts. Network segmentation limits the potential for lateral movement following a successful compromise. Furthermore, security teams can deploy Web Application Firewall (WAF) rules designed to detect and block common .NET deserialization payload signatures within HTTP POST requests.
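As an added example of the payload-signature detection the WAF guidance describes (not the page's or any vendor's rule set), the following Python scans form-encoded POST bodies for the BinaryFormatter stream header that ViewState-borne gadget chains embed; the sample bodies and field names are constructed for the demo.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Header of a BinaryFormatter stream (SerializationHeaderRecord: record type 0,
# RootId 1, HeaderId -1, version 1.0); in base64 it appears as "AAEAAAD/////".
BINARYFORMATTER_HEADER = (b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"
                          b"\x01\x00\x00\x00\x00\x00\x00\x00")
LOS_MAGIC = b"\xff\x01"   # prefix of an ObjectStateFormatter (ViewState) stream


def decode_param(value: str) -> bytes:
    """Best-effort base64 decode of a form value (URL-safe alphabet, lost padding)."""
    v = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    v += "=" * (-len(v) % 4)
    try:
        return base64.b64decode(v)
    except (binascii.Error, ValueError):
        return b""


def deserialization_indicators(body: str) -> list:
    """Return (field, reason) pairs for form fields carrying a BinaryFormatter stream."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            raw = decode_param(v)
            if BINARYFORMATTER_HEADER in raw:
                hits.append((name, "embedded BinaryFormatter header"))
    return hits


# Constructed sample POST bodies, not captured traffic. The second embeds a
# BinaryFormatter header inside an ObjectStateFormatter envelope (0x32 is the
# formatter's binary-serialized token); the third uses a custom field instead.
BENIGN_STATE = LOS_MAGIC + b"\x0f\x05benign"
SUSPECT_STATE = LOS_MAGIC + b"\x32" + BINARYFORMATTER_HEADER + b"\x00" * 8
SAMPLE_BODIES = [
    urlencode({"__VIEWSTATE": base64.b64encode(BENIGN_STATE).decode(),
               "__EVENTTARGET": ""}),
    urlencode({"__VIEWSTATE": base64.b64encode(SUSPECT_STATE).decode()}),
    urlencode({"ctl00$custom": base64.b64encode(BINARYFORMATTER_HEADER + b"\x0c").decode()}),
]


def triage(bodies: list) -> list:
    """Run the indicator check over each request body."""
    return [deserialization_indicators(b) for b in bodies]
```

The check decodes every field rather than matching only `__VIEWSTATE`, since the page notes custom parameters can reach the same deserializer; a hit is a triage signal to inspect, not proof of exploitation.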
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| Microsoft SharePoint Enterprise Server 2016 | Microsoft | 16.0.0 <= x < 16.0.5535.1001 | 16.0.5535.1001 |
| Microsoft SharePoint Server 2019 | Microsoft | 16.0.0 <= x < 16.0.10417.20083 | 16.0.10417.20083 |
| Microsoft SharePoint Server Subscription Edition | Microsoft | 16.0.0 <= x < 16.0.19127.20442 | 16.0.19127.20442 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-502 |
| Attack Vector | Network |
| CVSS Base Score | 8.8 |
| EPSS Score | 0.01629 |
| Exploit Status | Active Exploitation |
| KEV Status | Listed |
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.