Critical SharePoint RCE Vulnerability (CVE-2026-20963) Under Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that CVE-2026-20963, a remote code execution (RCE) vulnerability in Microsoft SharePoint, is being actively exploited in the wild. Microsoft patched the flaw in January 2026, and as of Wednesday it is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Vulnerability Details
- Affected Products: Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
- Root Cause: Improper deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code remotely.
- Attack Complexity: Low; no user interaction is required for exploitation.
- Impact: Successful exploitation could enable attackers to inject and run malicious code on vulnerable SharePoint servers, potentially granting access to sensitive corporate data or serving as an entry point into broader network environments.
Microsoft initially assessed the vulnerability as "less likely" to be exploited but still urged organizations to apply the patch immediately. Despite the warning, active exploitation has now been observed.
CISA’s Response & Deadline
CISA’s inclusion of CVE-2026-20963 in the KEV catalog mandates that U.S. federal civilian agencies remediate the flaw by March 21, 2026. While Microsoft has not yet updated its advisory to confirm active attacks, CISA’s action underscores the urgency for all SharePoint users, including private and public sector organizations, to apply the fix if they haven’t already.
SharePoint vulnerabilities remain a high-value target for threat actors due to the platform’s role in storing critical business data and facilitating internal network access.
Source: https://www.helpnetsecurity.com/2026/03/19/sharepoint-vulnerability-cve-2026-20963-exploited/
Microsoft cybersecurity rating report: https://www.rankiteo.com/company/microsoft