{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20943", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-04T20:04:16.338Z", "datePublished": "2026-01-13T17:56:45.424Z", "dateUpdated": "2026-04-01T13:48:55.072Z"}, "containers": {"cna": {"title": "Microsoft Office Click-To-Run Remote Code Execution Vulnerability", "datePublic": "2026-01-13T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*", "versionStartIncluding": "16.0.0", "versionEndExcluding": "16.0.10417.20083"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*", "versionStartIncluding": "16.0.0", "versionEndExcluding": "16.0.5535.1000"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "16.0.0", "versionEndExcluding": "16.0.5535.1001"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*", "versionStartIncluding": "16.0.0", "versionEndExcluding": "16.0.19127.20442"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office:*:*:Deployment_Tool:*:*:*:*:*", "versionStartIncluding": "1.0", "versionEndExcluding": "16.0.19426.20170"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Office 2016", "platforms": ["32-bit Systems", "x64-based Systems"], "versions": [{"version": "16.0.0", "lessThan": "16.0.5535.1000", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Office Deployment Tool", "versions": [{"version": "1.0", "lessThan": "16.0.19426.20170", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SharePoint Enterprise Server 2016", "platforms": ["x64-based Systems"], "versions": [{"version": "16.0.0", "lessThan": "16.0.5535.1001", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SharePoint Server 2019", "platforms": ["x64-based Systems"], "versions": [{"version": "16.0.0", "lessThan": "16.0.10417.20083", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SharePoint Server Subscription Edition", "platforms": ["x64-based Systems"], "versions": [{"version": "16.0.0", "lessThan": "16.0.19127.20442", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-426: Untrusted Search Path", "lang": "en-US", "type": "CWE", "cweId": "CWE-426"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:48:55.072Z"}, "references": [{"name": "Microsoft Office Click-To-Run Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20943"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20943", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-14T04:56:10.239259Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:27.987Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20943", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-14T04:56:10.239259Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T19:32:50.456Z"}}], "cna": {"title": "Microsoft Office Click-To-Run Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Office 2016", "versions": [{"status": "affected", "version": "16.0.0", "lessThan": "16.0.5535.1000", "versionType": "custom"}], "platforms": ["32-bit Systems", "x64-based Systems"]}, {"vendor": "Microsoft", "product": "Microsoft Office Deployment Tool", "versions": [{"status": "affected", "version": "1.0", "lessThan": "16.0.19426.20170", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "Microsoft SharePoint Enterprise Server 2016", "versions": [{"status": "affected", "version": "16.0.0", "lessThan": "16.0.5535.1001", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"vendor": "Microsoft", "product": "Microsoft SharePoint Server 2019", "versions": [{"status": "affected", "version": "16.0.0", "lessThan": "16.0.10417.20083", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"vendor": "Microsoft", "product": "Microsoft SharePoint Server Subscription Edition", "versions": [{"status": "affected", "version": "16.0.0", "lessThan": "16.0.19127.20442", "versionType": "custom"}], "platforms": ["x64-based Systems"]}], "datePublic": "2026-01-13T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20943", "name": "Microsoft Office Click-To-Run Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-426", "description": "CWE-426: Untrusted Search Path"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "16.0.10417.20083", "versionStartIncluding": "16.0.0"}, {"criteria": "cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*", "vulnerable": true, "versionEndExcluding": "16.0.5535.1000", "versionStartIncluding": "16.0.0"}, {"criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "versionEndExcluding": "16.0.5535.1001", "versionStartIncluding": "16.0.0"}, {"criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*", "vulnerable": true, "versionEndExcluding": "16.0.19127.20442", "versionStartIncluding": "16.0.0"}, {"criteria": "cpe:2.3:a:microsoft:office:*:*:Deployment_Tool:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "16.0.19426.20170", "versionStartIncluding": "1.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:48:55.072Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20943", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:48:55.072Z", "dateReserved": "2025-12-04T20:04:16.338Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-01-13T17:56:45.424Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*", "matchCriteriaId": "72324216-4EB3-4243-A007-FEF3133C7DF9", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*", "matchCriteriaId": "0FBB0E61-7997-4F26-9C07-54912D3F1C10", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:office_deployment_tool:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D4CAEAF-A5AF-46D2-9A2B-8B04CC120B04", "versionEndExcluding": "16.0.19426.20170", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*", "matchCriteriaId": "FB9ECA81-C1E2-4B02-A45C-0E5664E3C9B9", "versionEndExcluding": "16.0.19127.20442", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F815EF1D-7B60-47BE-9AC2-2548F99F10E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*", "matchCriteriaId": "6122D014-5BF1-4AF4-8B4D-80205ED7785E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally."}], "id": "CVE-2026-20943", "lastModified": "2026-01-16T16:14:34.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-01-13T18:16:21.687", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20943"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T18:15:52.844947+00:00", "value": {"mitigation_remediation": ["Install the latest security update for Microsoft Office 2016, the Office Deployment Tool, and all supported SharePoint Server releases from Microsoft Update.", "Review and reconfigure the system PATH and Office installation directories to ensure that only trusted, fully-qualified paths are searched; remove any user\u2011writable directories that appear earlier in the search order.", "Apply file\u2011system permissions that restrict write access to the Office installation directories and any directories that the system references during Office startup, allowing modification only for privileged administrators."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected Microsoft Office 2016 on both 32\u2011bit (x86) and 64\u2011bit (x64) architectures, the Office Deployment Tool, and Microsoft SharePoint Server 2016 Enterprise, SharePoint Server 2019, and SharePoint Server Subscription Edition. All versions that rely on the Office installation directory and system path are susceptible if the affected paths are not secured.", "description_and_impact": "Untrusted search path flaw in Microsoft Office allows an attacker who can place a malicious executable in a directory that appears before the legitimate Office binaries in the system\u2019s PATH to have that executable run under the context of the Office application. This results in arbitrary code execution locally on the machine, using the privileges of the account that launches the Office program. The description does not claim elevation beyond local privileges or data exfiltration.", "risk_and_exploitability": "With a CVSS v3.1 score of 7.0 the vulnerability is classified as medium\u2011to\u2011high severity. The EPSS score of less than 1\u202f% indicates a very low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local; an attacker must have write access to a directory that is searched before the Office binaries or be able to manipulate the system path. The limited exploitation requirements reduce overall risk, but the potential for arbitrary code execution makes prompt remediation important."}}}}, "created": "2026-04-16T18:30:10.539800+00:00", "updated": "2026-04-16T18:30:10.539813+00:00", "vendors": []}