CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added CVE-2026-20963, a Microsoft SharePoint Deserialization of Untrusted Data Vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation of this flaw as part of their vulnerability management practices to reduce exposure to cyberattacks.
Authors: CISA
Source: CISA
Key Takeaways
- CISA has added CVE-2026-20963 to the Known Exploited Vulnerabilities (KEV) Catalog.
- The vulnerability is a Deserialization of Untrusted Data flaw affecting Microsoft SharePoint.
- There is evidence of active exploitation of this vulnerability in the wild.
- Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability per BOD 22-01.
- All organizations are strongly urged to prioritize timely remediation to reduce exposure to cyberattacks.
Affected Systems
- Microsoft SharePoint
Vulnerabilities (CVEs)
- CVE-2026-20963
Attack Chain
Malicious cyber actors exploit CVE-2026-20963, a deserialization of untrusted data vulnerability in Microsoft SharePoint. While specific attack chain details are not provided in the alert, this type of vulnerability typically allows attackers to pass malicious serialized objects to the application, which are then executed upon deserialization, potentially leading to remote code execution or system compromise.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the CISA alert.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR solutions can typically detect post-exploitation activity, such as anomalous child processes spawning from the SharePoint worker process (w3wp.exe), following a successful deserialization exploit.
- Network Visibility: Medium — Network intrusion detection systems and Web Application Firewalls (WAFs) may be able to identify malicious serialized payloads within HTTP requests targeting SharePoint endpoints.
- Detection Difficulty: Moderate — Detecting the exploit payload itself can be challenging if the serialized data is obfuscated or encrypted, but the resulting post-exploitation behavior is usually highly anomalous and detectable.
Required Log Sources
- Web Server Logs
- EDR Process Telemetry
- SharePoint ULS Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for anomalous child processes (e.g., cmd.exe, powershell.exe) spawned by the SharePoint worker process (w3wp.exe), which may indicate successful remote code execution via deserialization. | Process Creation Events (e.g., Windows Event ID 4688, Sysmon Event ID 1) | Execution | Low |
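The hunting hypothesis above can be run as a simple script over process-creation telemetry. The following is an added example, not part of the CISA alert: it normalizes Sysmon Event ID 1 and Windows Security Event ID 4688 records into one shape, flags any child of w3wp.exe whose image name is a command interpreter or scripting engine, and is exercised against a handful of constructed events. The cmd.exe and powershell.exe entries come from the hypothesis; the additional image names in SUSPICIOUS_CHILDREN are an assumed extension of the advisory's generic "scripting engines" wording, and csc.exe is treated as a known-benign ASP.NET compiler child for tuning purposes.

```python
"""Hunt for command interpreters or scripting engines spawned by the SharePoint
worker process (w3wp.exe). Added example with constructed sample events; the
events are not real telemetry from the advisory."""
import ntpath
from typing import Iterable, List, Optional

# Child images that w3wp.exe should not spawn during normal SharePoint operation.
# cmd.exe and powershell.exe come from the advisory's hunting hypothesis; the rest
# are an assumed extension covering common scripting engines and LOLBins.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Children that SharePoint's ASP.NET host legitimately spawns (e.g. on-the-fly
# compilation). Listed here only so the tuning point is explicit; anything not in
# SUSPICIOUS_CHILDREN is ignored regardless.
KNOWN_BENIGN_CHILDREN = {"csc.exe", "vbc.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path, tolerant of an empty field."""
    return ntpath.basename(path or "").lower()


def normalize(event: dict) -> Optional[dict]:
    """Map a Sysmon EID 1 or Security EID 4688 record to a common shape.
    Returns None for event types this hunt does not consume."""
    eid = event.get("EventID")
    if eid == 1:  # Sysmon process creation
        return {
            "host": event.get("Computer", ""),
            "parent": event.get("ParentImage", ""),
            "child": event.get("Image", ""),
            "cmdline": event.get("CommandLine", ""),
        }
    if eid == 4688:  # Windows Security process creation
        return {
            "host": event.get("Computer", ""),
            "parent": event.get("ParentProcessName", ""),
            "child": event.get("NewProcessName", ""),
            "cmdline": event.get("CommandLine", ""),
        }
    return None


def hunt_w3wp_children(events: Iterable[dict]) -> List[dict]:
    """Return one alert per event where w3wp.exe spawned a suspicious child."""
    alerts = []
    for raw in events:
        ev = normalize(raw)
        if ev is None or _basename(ev["parent"]) != "w3wp.exe":
            continue
        child = _basename(ev["child"])
        if child in SUSPICIOUS_CHILDREN:
            alerts.append({
                "host": ev["host"],
                "child": child,
                "cmdline": ev["cmdline"],
                "technique": "T1190",
            })
    return alerts


# Constructed sample events (hypothetical hostnames and paths).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "sp-web-01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "Computer": "sp-web-02", "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    # Legitimate ASP.NET compilation: not in SUSPICIOUS_CHILDREN, so no alert.
    {"EventID": 1, "Computer": "sp-web-01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "CommandLine": "csc.exe /noconfig"},
    # PowerShell launched by a scheduled task host, not by w3wp.exe: no alert.
    {"EventID": 1, "Computer": "sp-web-01", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe -File backup.ps1"},
    # Network connection event: wrong event type, ignored by normalize().
    {"EventID": 3, "Computer": "sp-web-01", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
]

if __name__ == "__main__":
    for alert in hunt_w3wp_children(SAMPLE_EVENTS):
        print(alert)
```

Running the script yields two alerts (the cmd.exe and powershell.exe children) and none for the csc.exe or svchost.exe cases. In production the same logic maps directly onto a Sysmon- or Security-log-backed query; the SUSPICIOUS_CHILDREN set is the knob to tune if a given farm's custom solutions legitimately launch additional processes.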
Control Gaps
- Lack of timely patching for public-facing SharePoint servers
- Inadequate Web Application Firewall (WAF) rules for detecting deserialization attacks
Key Behavioral Indicators
- w3wp.exe spawning unexpected command-line interpreters or scripting engines
- Anomalous serialized payloads in HTTP POST requests to SharePoint endpoints
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Apply the vendor-supplied patch or remediation for CVE-2026-20963 to all Microsoft SharePoint servers immediately.
Infrastructure Hardening
- Ensure SharePoint servers are not exposed to the public internet unless absolutely necessary.
- Deploy and configure Web Application Firewalls (WAF) to inspect traffic for malicious serialized objects.
User Protection
- N/A
Security Awareness
- Incorporate CISA KEV catalog monitoring into the organization's standard vulnerability management and patching practices.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application