
SharePoint Server SE update issue

Pine Littman 140 Reputation points
2026-03-23T12:21:13.38+00:00

I’m reaching out because I’m genuinely concerned about the active exploitation of CVE-2026-20963, which is hitting our SharePoint Server SE. It’s a 9.8 CVSS deserialization flaw that allows unauthenticated attackers to execute code remotely without any user interaction, and seeing it on the CISA KEV list with such a tight deadline is a massive red flag. 

We need to move fast on this to make sure we aren't the next target, especially since this isn't just a theoretical bug but something actually being used in the wild right now.

I want to ensure we have the exact right packages in hand so we can patch this before our next security audit.

Microsoft 365 and Office | SharePoint Server | For business

2 answers

  1. Michelle-N 14,310 Reputation points Microsoft External Staff Moderator
    2026-03-23T13:30:42.3933333+00:00

    Hi @Pine Littman

    I understand how concerning this situation is, especially when dealing with a high-severity vulnerability listed on the CISA KEV list with an urgent deadline. I appreciate you bringing this to our attention with such a high level of technical detail and urgency; your proactive approach is essential for maintaining a secure environment.

    For SharePoint Server 2019, Microsoft has released a security update that addresses CVE-2026-20963 as part of the January 13, 2026 security update (KB5002825). This update is available through Microsoft Update, the Microsoft Update Catalog, and the Microsoft Download Center.

    Please note that this is a user-to-user support forum. Moderators and contributors including Microsoft employees participating externally do not have the permissions or resources to directly intervene in Microsoft product features or access internal backend systems. Our role here is focused on sharing technical guidance based on publicly available documentation and practical experience to assist you in your resolution efforts.

    I am very grateful for you sharing this urgent security alert. I will continue to monitor official channels for any additional technical guidance or updated packages regarding this vulnerability.


    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  2. Q&A Assist
    2026-03-23T12:21:43.6+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    CVE-2026-20963 is not present in the provided material, and there is no specific SharePoint Server Subscription Edition (SE) guidance for that identifier in the context.

    The context does include an example of how SharePoint SE remote code execution (RCE) vulnerabilities are remediated via security updates. For example, KB5002271 is a security update for SharePoint Server Subscription Edition that addresses multiple SharePoint RCE vulnerabilities (CVE-2022-37961, CVE-2022-38008, CVE-2022-38009, CVE-2022-35823). That update:

    • Applies specifically to SharePoint Server Subscription Edition.
    • Is delivered as a security update package (build 16.0.15601.20052).
    • Requires that the release version of SharePoint Server Subscription Edition already be installed.

    Based on that pattern, the concrete, supported actions from the context are:

    1. Identify and install the latest SharePoint Server Subscription Edition security update that corresponds to the CVE in question (as with KB5002271 for the 2022 RCE CVEs). This is the mechanism Microsoft uses to close RCE and deserialization flaws in SharePoint SE.
    2. Ensure the environment is on the release version of SharePoint Server Subscription Edition before applying the relevant security update package.
    3. For any SharePoint RCE vulnerability that is actively exploited, prioritize immediate deployment of the corresponding SharePoint SE security update across all farm servers, followed by a configuration and permissions review.

    Because the context does not list CVE-2026-20963 specifically, it only supports the general remediation model: apply the SharePoint SE security update that Microsoft publishes for that CVE as soon as possible, ensuring the farm is on a supported baseline and fully patched.
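
A post-patch check for the "across all farm servers" step described above, as an added example (not part of either answer and not a Microsoft-supplied script). It assumes the SharePoint Management Shell on a farm server; `$RequiredBuild` is a placeholder whose default is only the KB5002271 build quoted above, so substitute the build number from the KB article of the update actually being deployed.

```powershell
param(
    # Placeholder value: the KB5002271 build quoted in this thread, used as a sample.
    # Replace with the build listed in the KB article for the update you are deploying.
    [version]$RequiredBuild = '16.0.15601.20052'
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The farm build is the configuration database version. It only advances after
# the SharePoint Products Configuration Wizard (PSConfig) has completed, so
# installing the package alone does not move it.
$farm        = Get-SPFarm
$farmPatched = $farm.BuildVersion -ge $RequiredBuild

# Role 'Invalid' marks non-SharePoint machines registered in the farm
# (for example the SQL Server host); skip them.
$report = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | ForEach-Object {
    if (-not $farmPatched)   { $status = 'BELOW REQUIRED BUILD' }
    elseif ($_.NeedsUpgrade) { $status = 'UPGRADE PENDING' }
    else                     { $status = 'OK' }

    [pscustomobject]@{
        Server       = $_.Address
        Role         = $_.Role
        NeedsUpgrade = $_.NeedsUpgrade
        FarmBuild    = $farm.BuildVersion
        Status       = $status
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets a scheduled job or audit script flag an unpatched farm.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

A server reporting `UPGRADE PENDING` has the binaries installed but has not yet completed the configuration wizard run.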


