Latest Microsoft SharePoint Server vulnerability: CVE-2026-20963

On January 13, 2026, Microsoft disclosed a remote code execution vulnerability, designated CVE-2026-20963, in Microsoft SharePoint. The vulnerability is caused by deserialization of untrusted data in Microsoft SharePoint, which allows a remote, unauthenticated attacker to execute code over a network.

While initially released with a CVSS score of 8.8, the score was updated to 9.8 on March 17, 2026.

This vulnerability is known to be exploited in the wild and was added to the CISA.gov Known Exploited Vulnerabilities (KEV) list on March 18, 2026.

    The following versions are affected:

    • SharePoint Enterprise Server 2016 before version 16.0.5535.1001
    • SharePoint Server 2019 before version 16.0.10417.20083
    • SharePoint Server Subscription Edition before version 16.0.19127.20442

        What is the impact?

        Successful exploitation of this vulnerability would allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

        Are any updates or workarounds available?

        Upgrade affected versions of SharePoint Server to the latest patched version.

        • SharePoint Enterprise Server 2016 version 16.0.5535.1001 or later

        • SharePoint Server 2019 version 16.0.10417.20083 or later

        • SharePoint Server Subscription Edition version 16.0.19127.20442 or later

          How do I find Microsoft SharePoint Server installations with runZero?

          From the Software Inventory, use the following query to locate potentially impacted assets:

          vendor:=Microsoft AND (
            (product:="SharePoint Server 2016" AND (version:>=16.0 AND version:<16.0.5535.1001)) OR
            (product:="SharePoint Server 2019" AND (version:>=16.0 AND version:<16.0.10417.20083)) OR
            (product:="SharePoint Server Subscription Edition" AND (version:>=16.0 AND version:<16.0.19127.20442))
            ) AND NOT version:=""
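The same triage can be run offline against an exported inventory. The following is an added example, not runZero's or Microsoft's code: it applies the fixed builds listed above and, like the query, treats an empty version as unknown rather than safe. The CSV column names (`asset`, `product`, `version`) and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Fixed builds for CVE-2026-20963, taken from the advisory text above.
# Keys follow the product names used in the runZero query.
FIXED_BUILDS = {
    "SharePoint Server 2016": "16.0.5535.1001",
    "SharePoint Server 2019": "16.0.10417.20083",
    "SharePoint Server Subscription Edition": "16.0.19127.20442",
}

# Constructed sample export (hypothetical assets and build numbers).
SAMPLE_CSV = """asset,product,version
sp-a.example,SharePoint Server 2019,16.0.10417.20037
sp-b.example,SharePoint Server 2019,16.0.10417.20083
sp-c.example,SharePoint Server 2016,16.0.5535.1001
sp-d.example,SharePoint Server 2016,16.0.5513.1001
sp-e.example,SharePoint Server Subscription Edition,
sp-f.example,SharePoint Server Subscription Edition,16.0.19127.20338
"""

def parse_build(version):
    """Turn '16.0.5535.1001' into (16, 0, 5535, 1001); None if unparseable."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(product, version):
    """Compare builds numerically; string comparison misorders 10417 and 5535."""
    fixed = FIXED_BUILDS.get(product.strip())
    if fixed is None:
        return "not-in-scope"
    build = parse_build(version)
    if build is None:
        return "unknown-version"  # the query excludes these; review by hand
    if build < (16, 0):
        return "not-in-scope"     # mirrors the query's version:>=16.0 bound
    return "vulnerable" if build < parse_build(fixed) else "patched"

def triage(csv_text):
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        results[row["asset"]] = classify(row["product"], row["version"])
    return results

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_CSV).items():
        print(f"{asset}: {status}")
```

Assets reported as `unknown-version` still need a manual build check, since a missing version string says nothing about patch level.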

          July 2025 (Multiple CVEs)

          Microsoft has disclosed two vulnerabilities in certain versions of on-premises Microsoft SharePoint Server:

          • SharePoint Server deserializes untrusted data without sufficiently ensuring that the resulting data will be valid, resulting in a remote code execution (RCE) vulnerability. The vulnerability allows an unauthenticated adversary to remotely execute code on the vulnerable server. This vulnerability has been designated CVE-2025-53770 and has been rated critical with a CVSS score of 9.8. This vulnerability is a variant of a remote code execution vulnerability designated CVE-2025-49704 that was patched earlier this month. There is evidence that this vulnerability is being actively exploited in the wild.
          • SharePoint Server improperly limits a pathname to a restricted directory, allowing path traversal in Microsoft Office SharePoint and resulting in a spoofing vulnerability. The vulnerability allows an authorized adversary to perform spoofing over a network. This vulnerability has been designated CVE-2025-53771 and has been rated medium with a CVSS score of 6.3. This vulnerability is a variant of a spoofing vulnerability designated CVE-2025-49706 that was patched earlier this month.

          The following versions are affected:

          • Microsoft SharePoint Enterprise Server 2016 versions currently unknown
          • Microsoft SharePoint Server 2019 versions currently unknown
          • Microsoft SharePoint Server Subscription Edition versions 16.0.0 prior to 16.0.18526.20508

              What is the impact?

              Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

              Are any updates or workarounds available?

              As of 7/20/2025, security updates are available for Microsoft SharePoint Server Subscription Edition. A patch is currently unavailable for other affected versions, but Microsoft is actively working on a security update.

              • Mitigate attacks against on-premises SharePoint Server environments by configuring the Windows Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers. This should stop an unauthenticated adversary from successfully exploiting the vulnerability.
              • Rotate SharePoint Server ASP.NET machine keys.
              • Upgrade affected systems to the new versions when a patch is available.

                How do I find Microsoft SharePoint Server installations with runZero?

                From the Software Inventory, use the following query to locate potentially impacted assets:

                vendor:="Microsoft" AND product:="SharePoint Server%"

                Written by Matthew Kienow

                Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.


                Written by Tom Sellers

                Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception technology. A strong believer in Open Source, he has contributed to projects such as Nmap, Metasploit, and Recog.
