CVE-2026-20943: Microsoft Office Click-To-Run Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7)

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-Jan

Released

2026-01-13

Last Updated

2026-01-20

EPSS Score

0.05% (percentile: 14.7%)

Description

Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally.

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability. Are there additional steps I need to take to be protected from this vulnerability? Customers should download the latest Office Deployment Tool (ODT) and ensure that this version, or any newer version, is used for all future deployments to remain protected against CVE-2026-20943. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? A user would need to be tricked into opening a folder that contains a specially crafted file. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector.

Affected Products (6)

Microsoft Office

• Microsoft SharePoint Server 2019
• Microsoft Office 2016 (32-bit edition)
• Microsoft Office 2016 (64-bit edition)
• Microsoft SharePoint Enterprise Server 2016
• Microsoft SharePoint Server Subscription Edition
• Microsoft Office Deployment Tool

Security Updates (4)

• 5002825
• 5002826
• 5002828
• 5002822

Acknowledgments

Kazuma Matsumoto, Security Researcher at GMO Cybersecurity by IERAE, Inc.

Revision History

• 2026-01-13: Information published.
• 2026-01-20: Corrected CVE title. This is an informational change only.
• 2026-01-20: Updated FAQ information. This is an informational change only.