CISA Warns of Attacks Exploiting Recent SharePoint Vulnerability

Summary

CISA has added CVE-2026-20963, a critical SharePoint remote code execution vulnerability (CVSS 9.8), to its Known Exploited Vulnerabilities catalog after Microsoft patched it in January 2026. The vulnerability affects SharePoint Server 2016, 2019, and Subscription Edition, and allows unauthenticated attackers to execute arbitrary code through deserialization of untrusted data, with CISA mandating federal agencies patch by March 21.

Full text

A recently patched Microsoft SharePoint vulnerability has been exploited in the wild, according to the cybersecurity agency CISA. The vulnerability, tracked as CVE-2026-20963, was disclosed on January 13, when Microsoft released its January 2026 Patch Tuesday updates. CISA added CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog on March 18, instructing federal agencies to address it by March 21. Microsoft has described the vulnerability as a critical remote code execution flaw (CVSS 9.8) enabled by deserialization of untrusted data. The issue affects SharePoint Server 2016, 2019, and Subscription Edition, and it was reported to Microsoft by an anonymous researcher. “In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server,” Microsoft explained in its advisory.Advertisement. Scroll to continue reading. Microsoft updated its advisory for CVE-2026-20963 on March 17, but it still does not mention active exploitation. In addition, the flaw has an exploitability assessment of ‘exploitation less likely’. There does not appear to be any public information about the attacks exploiting the vulnerability. SecurityWeek has reached out to Microsoft for information about the attacks and will update this article if the company responds. CISA’s KEV catalog currently includes nine SharePoint vulnerabilities, including three disclosed in 2025 and associated with the ToolShell attacks. Related: Cisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware Attacks Related: Phishers Abuse SharePoint in New Campaign Targeting Energy Sector Related: Microsoft Patches Exploited Windows Zero-Day, 111 Other Vulnerabilities Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Iranian Hackers Likely Used Malware-Stolen Credentials in Stryker BreachResearcher Discovers 4th WhatsApp View Once Bypass; Meta Won’t PatchUK Companies House Exposed Details of Millions of Firms Google, Meta, Microsoft Among Signatories of Pact to Combat ScamsOracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential ImpactHacking Attempt Reported at Poland’s Nuclear Research CenterLoblaw Data Breach Impacts Customer InformationStarbucks Data Breach Impacts Employees Latest News Raven Emerges From Stealth With $20 Million in FundingCisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware AttacksThe Collapse of Predictive Security in the Age of Machine-Speed AttacksAutonomous Offensive Security Firm XBOW Raises $120M at $1B+ ValuationCloud Security Startup Native Exits Stealth With $42 Million in Funding‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware VendorsVirtual Summit Today: Supply Chain & Third-Party Risk SummitEU Sanctions Chinese, Iranian Firms Supporting Hacking Operations Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveNudge Security has appointed Patrick Dillon as Chief Revenue Officer.Arctic Wolf has named Will May as its Chief Revenue Officer.Palo Alto Networks has named Danielle Gonzalez as its new Chief People Officer.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-20963