{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2026-004.pdf"
    },
    "title": "Critical Vulnerability in SharePoint Exploited",
    "serial_number": "2026-004",
    "publish_date": "25-03-2026 07:51:39",
    "description": "On 17 March 2026, Microsoft updated one of its January 2026 security advisories related to a remote code execution vulnerability in Microsoft SharePoint. Specifically, Microsoft raised the CVSS score and changed the FAQ section to indicate that the vulnerability could be exploited by an unauthenticated attacker. This vulnerability was added in the CISA's Known Exploited Vulnerabilities (KEV) catalogue on 18 March 2026.<br>\nAdditionally, three further RCE flaws affecting Microsoft SharePoint were addressed in the March 2026 release.<br>\nCERT-EU strongly recommends updating SharePoint servers as soon as possible, prioritising internet-facing assets. CERT-EU also encourages IT administrators to take necessary remediation actions.<br>\n",
    "url_title": "2026-004",
    "content_markdown": "---    \ntitle: 'Critical Vulnerability in\u00a0SharePoint\u00a0Exploited'\nnumber: '2026-004'\nversion: '1.0'\noriginal_date: '2026-03-17'\ndate: '2026-03-25'\n---\n\n_History:_\n\n* _25/03/2026 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn 17 March 2026, Microsoft updated one of its January 2026 security advisories related to a remote code execution vulnerability in Microsoft SharePoint [1]. Specifically, Microsoft raised the CVSS score and changed the FAQ section to indicate that the vulnerability could be exploited by an unauthenticated attacker. This vulnerability was added in the CISA's Known Exploited Vulnerabilities (KEV) catalogue on 18 March 2026 [2].\n\nAdditionally, three further RCE flaws affecting Microsoft SharePoint were addressed in the March 2026 release [3,4,5].\n\nCERT-EU strongly recommends updating SharePoint servers as soon as possible, prioritising internet-facing assets. CERT-EU also encourages IT administrators to take necessary remediation actions.\n\n# Technical Details\n\nThe vulnerability **CVE-2026-20963**, with a CVSS score of 9.8, is an unauthenticated remote code execution vulnerability in Microsoft SharePoint. 
The flaw is due to deserialisation of untrusted data [1].\n\n# Affected Products\n\nThe vulnerability affects Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019 and Microsoft SharePoint Enterprise Server 2016.\n\nAdditional information is available in the vendor's advisories [1,3,4,5].\n\n# Recommendations\n\nCERT-EU strongly recommends updating SharePoint servers as soon as possible, prioritising internet-facing assets.\n\nWhile no additional information is available, and considering the SharePoint exploitation campaign in 2025 for which we issued security advisory 2025-027 [9], CERT-EU recommends that IT administrators, as a precautionary measure, apply the same remediation steps once the concerned servers are up to date, namely:\n\n- Enable the Antimalware Scan Interface (AMSI) in Full Mode [7].\n- Deploy an EDR solution.\n- Rotate SharePoint Server ASP.NET machine keys [8] and restart IIS using `iisreset.exe`.\n\nIt is also advised to conduct a compromise assessment on internet-facing assets.\n\n# References\n\n[1] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963>\n\n[2] <https://cybersecuritynews.com/microsoft-sharepoint-vulnerability-exploited/>\n\n[3] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26106>\n\n[4] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26113>\n\n[5] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26114>\n\n[6] <https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/>\n\n[7] <https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration#configure-amsi-via-user-interface>\n\n[8] <https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/improved-asp-net-view-state-security-key-management>\n\n[9] <https://www.cert.europa.eu/publications/security-advisories/2025-027/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>25/03/2026 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 17 March 2026, Microsoft updated one of its January 2026 security advisories related to a remote code execution vulnerability in Microsoft SharePoint [1]. Specifically, Microsoft raised the CVSS score and changed the FAQ section to indicate that the vulnerability could be exploited by an unauthenticated attacker. This vulnerability was added in the CISA's Known Exploited Vulnerabilities (KEV) catalogue on 18 March 2026 [2].</p><p>Additionally, three further RCE flaws affecting Microsoft SharePoint were addressed in the March 2026 release [3,4,5].</p><p>CERT-EU strongly recommends updating SharePoint servers as soon as possible, prioritising internet-facing assets. CERT-EU also encourages IT administrators to take necessary remediation actions.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2026-20963</strong>, with a CVSS score of 9.8, is an unauthenticated remote code execution vulnerability in Microsoft SharePoint. 
The flaw is due to deserialisation of untrusted data [1].</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerability affects Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019 and Microsoft SharePoint Enterprise Server 2016.</p><p>Additional information is available in the vendor's advisories [1,3,4,5].</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends updating SharePoint servers as soon as possible, prioritising internet-facing assets.</p><p>While no additional information is available, and considering the SharePoint exploitation campaign in 2025 for which we issued security advisory 2025-027 [9], CERT-EU recommends that IT administrators, as a precautionary measure, apply the same remediation steps once the concerned servers are up to date, namely:</p><ul><li>Enable the Antimalware Scan Interface (AMSI) in Full Mode [7].</li><li>Deploy an EDR solution.</li><li>Rotate SharePoint Server ASP.NET machine keys [8] and restart IIS using <code>iisreset.exe</code>.</li></ul><p>It is also advised to conduct a compromise assessment on internet-facing assets.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://cybersecuritynews.com/microsoft-sharepoint-vulnerability-exploited/\">https://cybersecuritynews.com/microsoft-sharepoint-vulnerability-exploited/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26106\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26106</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" 
href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26113\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26113</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26114\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26114</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/\">https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/</a></p><p>[7] <a rel=\"noopener\" target=\"_blank\" href=\"https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration#configure-amsi-via-user-interface\">https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration#configure-amsi-via-user-interface</a></p><p>[8] <a rel=\"noopener\" target=\"_blank\" href=\"https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/improved-asp-net-view-state-security-key-management\">https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/improved-asp-net-view-state-security-key-management</a></p><p>[9] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.cert.europa.eu/publications/security-advisories/2025-027/\">https://www.cert.europa.eu/publications/security-advisories/2025-027/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}