Microsoft SharePoint CVE-2026-20963 Vulnerability Under Active Exploitation

US Agencies Warned of Actively Exploited Microsoft SharePoint Vulnerability

A critical remote code execution (RCE) vulnerability in Microsoft SharePoint, identified as CVE-2026-20963, has been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. This move comes after confirmation of active exploitation by attackers.

Affects Multiple Versions of Microsoft SharePoint

CVE-2026-20963 affects multiple versions of Microsoft SharePoint, including SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The vulnerability arises from the deserialization of untrusted data, allowing an unauthorized attacker to achieve RCE through a relatively simple attack. In a network-based attack, an unauthenticated attacker can inject arbitrary code and execute it remotely on the SharePoint Server without requiring user interaction.

Initial Assessment and Update

Microsoft initially addressed the vulnerability in a security advisory published on January 13, 2026, and urged organizations to upgrade to a fixed version as soon as possible. At the time, the company assessed the vulnerability as less likely to be exploited. However, CISA’s addition of the flaw to the KEV catalog indicates that exploitation is now occurring in the wild.

The KEV catalog is regularly updated based on verified reports, but it does not typically provide details about the exploitation of added flaws or reference published third-party reports. Microsoft has yet to update its security advisory to reflect the active exploitation of the vulnerability.

Required Action

As a result of CISA’s action, US federal civilian agencies are required to address the vulnerability by March 21, 2026. Private sector and other public sector organizations using SharePoint are also advised to take prompt action to remediate the vulnerability, if they have not already done so.

Importance of Remediation

SharePoint servers often contain valuable corporate data and can serve as a gateway to the entire corporate environment, making them a prime target for attackers. Consequently, SharePoint vulnerabilities are frequently leveraged by various threat actors.


