
Security Advisory 2026-004

CERT-EU issued an urgent security advisory regarding CVE-2026-20963, a critical unauthenticated remote code execution vulnerability in Microsoft SharePoint caused by the deserialization of untrusted data. The flaw is actively being exploited in the wild, prompting strong recommendations to immediately patch internet-facing servers, enable AMSI, and rotate ASP.NET machine keys.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-03-25

Authors: CERT-EU

Actors: SharePoint exploitation campaign in 2025

Source: CERT-EU

Key Takeaways

  • Microsoft updated its advisory for CVE-2026-20963, a critical unauthenticated RCE in SharePoint with a CVSS score of 9.8.
  • The vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalogue.
  • Three additional SharePoint RCE flaws (CVE-2026-26106, CVE-2026-26113, CVE-2026-26114) were addressed in the March 2026 release.
  • Immediate patching of internet-facing assets is strongly recommended.
  • Administrators should rotate ASP.NET machine keys, enable AMSI in Full Mode, and conduct compromise assessments.

Affected Systems

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016

Vulnerabilities (CVEs)

  • CVE-2026-20963
  • CVE-2026-26106
  • CVE-2026-26113
  • CVE-2026-26114

Attack Chain

Attackers exploit an unauthenticated remote code execution vulnerability (CVE-2026-20963) in public-facing Microsoft SharePoint servers. The exploit leverages a flaw in how SharePoint handles the deserialization of untrusted data. Upon successful exploitation, the attacker can execute arbitrary code on the underlying server, potentially leading to full system compromise and unauthorized access to the network.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR solutions can detect post-exploitation activities, such as suspicious child processes spawning from SharePoint worker processes (w3wp.exe), but may not natively alert on the initial deserialization payload without specific signatures.
  • Network Visibility: Medium — Network IDS and WAFs can potentially intercept malicious deserialization payloads targeting SharePoint endpoints if updated signatures for CVE-2026-20963 are deployed.
  • Detection Difficulty: Moderate — Detecting the initial exploit requires deep packet inspection or WAF rules tuned for the specific deserialization payload. However, detecting the subsequent post-exploitation behavior (e.g., web shells, command execution) is standard for mature SOCs.

Required Log Sources

  • IIS Access Logs
  • EDR Process Telemetry
  • Windows Event Logs (Application/System)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for unexpected or suspicious child processes (e.g., cmd.exe, powershell.exe) spawning from IIS worker processes (w3wp.exe) associated with SharePoint application pools. | EDR Process Creation Events | Execution | Low
Monitor for the creation of unexpected script files (e.g., .aspx) in SharePoint web root directories, indicating potential web shell deployment. | EDR File Creation Events | Persistence | Medium
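The two hunting hypotheses above as runnable detection logic, added here as an example and not part of the CERT-EU advisory. It assumes a generic EDR event schema (the field names are invented), that SharePoint application pools carry "SharePoint" in the w3wp.exe -ap argument, and the default web root under C:\inetpub\wwwroot\wss\VirtualDirectories; the sample events are constructed.

```python
"""Hunting logic for the two hypotheses above, run over constructed EDR-style
events. Field names are an assumed generic schema, not any vendor's."""
from pathlib import PureWindowsPath

COMMAND_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # Hypothesis 1
WEB_SHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx"}                # Hypothesis 2
# Assumed SharePoint web root; real deployments may have more virtual directories.
WEB_ROOTS = [PureWindowsPath(r"C:\inetpub\wwwroot\wss\VirtualDirectories")]

def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def is_sharepoint_worker(event: dict) -> bool:
    """True for w3wp.exe whose -ap argument names a SharePoint application pool
    (assumed naming convention such as 'SharePoint - 80')."""
    return (_basename(event["parent_image"]) == "w3wp.exe"
            and "sharepoint" in event.get("parent_cmdline", "").lower())

def hunt_process_events(events: list) -> list:
    """Hypothesis 1 (Execution): SharePoint worker spawning a command interpreter."""
    return [{"host": e["host"], "stage": "Execution", "cmdline": e["cmdline"]}
            for e in events
            if is_sharepoint_worker(e) and _basename(e["image"]) in COMMAND_INTERPRETERS]

def hunt_file_events(events: list) -> list:
    """Hypothesis 2 (Persistence): new server-side script written under a web root."""
    hits = []
    for e in events:
        p = PureWindowsPath(e["path"])
        if p.suffix.lower() in WEB_SHELL_EXTENSIONS and any(r in p.parents for r in WEB_ROOTS):
            hits.append({"host": e["host"], "stage": "Persistence", "path": str(p)})
    return hits

# Constructed sample telemetry: one true positive per hypothesis plus benign noise.
PROCESS_EVENTS = [
    {"host": "sp01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": 'w3wp.exe -ap "SharePoint - 80" -v "v4.0"',
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ver"},
    {"host": "sp01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": 'w3wp.exe -ap "SharePoint - 80" -v "v4.0"',
     "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe 0x4"},
    {"host": "sp01", "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]
FILE_EVENTS = [
    {"host": "sp01", "path": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\uploader.aspx"},
    {"host": "sp01", "path": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config"},
    {"host": "sp01", "path": r"C:\Users\svc\Downloads\notes.aspx"},
]
ALERTS = hunt_process_events(PROCESS_EVENTS) + hunt_file_events(FILE_EVENTS)  # 2 alerts
```

The benign w3wp.exe -> conhost.exe and explorer.exe -> cmd.exe events show the two filters that keep the FP risk low: the parent must be a SharePoint worker and the child must be an interpreter.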

Control Gaps

  • Unpatched internet-facing SharePoint servers
  • Lack of AMSI integration in SharePoint environments

Key Behavioral Indicators

  • w3wp.exe spawning command interpreters
  • Anomalous HTTP POST requests to vulnerable SharePoint endpoints

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Update Microsoft SharePoint servers as soon as possible, prioritizing internet-facing assets.
  • Rotate SharePoint Server ASP.NET machine keys and restart IIS using iisreset.exe.

Infrastructure Hardening

  • Enable the Antimalware Scan Interface (AMSI) in Full Mode for SharePoint.
  • Deploy an EDR solution on all SharePoint servers.

User Protection

  • N/A

Security Awareness

  • Conduct a compromise assessment on internet-facing assets to identify any potential prior exploitation.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1059 - Command and Scripting Interpreter

Additional IOCs

  • Command Lines:
    • iisreset.exe | Purpose: Restart IIS services after rotating SharePoint Server ASP.NET machine keys as part of remediation. | Tools: iisreset.exe | Stage: Remediation