Tag Archives: prioritization

About Remote Code Execution - Microsoft SharePoint (CVE-2026-20963) vulnerability

About Remote Code Execution - Microsoft SharePoint (CVE-2026-20963) vulnerability. This vulnerability was fixed in the January Microsoft Patch Tuesday (MSPT). At the time of the MSPT release on January 13, Vulnerability Management (VM) vendors did not highlight it in their reviews, and Microsoft reported no evidence of exploitation in the wild. The initial CVSS vector was CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8); "PR:L" means that the attacker needs an authenticated, low-privileged account to exploit the vulnerability. However, on March 17, Microsoft updated both the vulnerability description and the CVSS vector. The updated vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8); "PR:N" means that no authentication is required. Nothing else in the vector changed, so the whole jump from 8.8 to 9.8 comes from the Privileges Required metric alone.

Current vulnerability description:

"Deserialization of untrusted data (CWE-502) in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network. In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server."

👾 On March 18, the vulnerability was added to the CISA KEV catalog. No detailed information about the exploitation is available yet, and there are currently no public exploits. However, in terms of potential impact, this vulnerability may be comparable to last year's "ToolShell" RCE (CVE-2025-49704).

The situation surrounding this vulnerability demonstrates that the criticality of a vulnerability cannot be determined once and for all. Indicators of exploitation in the wild or public exploits may emerge at any time, and the vendor may revise the vulnerability description and CVSS metrics for various reasons. Therefore, every vulnerability detected in an infrastructure must be continuously monitored (either internally or via a VM vendor), with its criticality regularly reassessed and its remediation deadline adjusted accordingly.

Given that the status of any specific vulnerability may change at any time, it is not advisable to dismiss vulnerabilities as definitively non-critical or non-exploitable. A responsible approach assumes that every detected vulnerability requires remediation, prioritized according to its continuously updated risk level.

I also made a meme with the cool Yusuf Dikeç

I also made a meme with the cool Yusuf Dikeç. 😅

🔹 Every vulnerability existing in the infrastructure must be detected.
🔹 For each detected vulnerability, a patching task must be created.

This is the base. And when someone tells you that you don't have to do this because there is some super-modern vulnerability assessment and prioritization tool, be skeptical. 😉

I watched a joint webinar by Vulners and RST Cloud about Vulnerability Prioritization

I watched a joint webinar by Vulners and RST Cloud about Vulnerability Prioritization.

🔹 Kir Ermakov from Vulners spoke about the importance of prioritizing vulnerabilities (especially for MSSP companies, since they are responsible for their customers' security) and how it can be improved using the dynamically updated AI Score v2. I really liked his phrase: "if you don't know your assets very well, turn off the webinar and go do Asset Management". Asset Management is the base. 👍

🔹 Yury Sergeev from RST Cloud explained how to take into account data on the exploitation of vulnerabilities in real attacks (in your location, in your industry, for your attacker profile) when prioritizing vulnerabilities. He provided a formula and demonstrated how taking these factors into account affects prioritization. I liked his regreSSHion example: there is a lot of hype, but the attack is very noticeable and takes a lot of time, so exploitation is unlikely to be widespread.

An idea worth a million Hamster coins

An idea worth a million Hamster coins. 🐹😅 A website/app where you tap on CVEs. But it only makes sense to tap not on all CVEs, but on those that are expected to get a confirmed exploit or a sign of exploitation in the wild within the next week.

🪙 When such a sign or exploit does appear, distribute coins to those who have been tapping on this vulnerability over the last week, in proportion to the number of taps, the criticality of the vulnerability, etc.

📈 And based on the analysis of these taps, it will be possible to make forecasts on the exploitability of vulnerabilities. With the help of AI, of course.

I am sure that this will work much better than EPSS and social network fortune tellers. 😅