Vulnerabilities | Mar 19, 2026

Critical Microsoft SharePoint flaw now exploited in attacks

Microsoft SharePoint vulnerability CVE-2026-20963, patched in January 2026, is now being actively exploited in attacks according to CISA. The critical flaw affects SharePoint Enterprise Server 2016, 2019, and Subscription Edition, allowing unauthenticated attackers to achieve remote code execution through deserialization of untrusted data. CISA has ordered federal agencies to patch by March 21, 2026, and strongly urged all organizations to apply mitigations immediately.

Full text

By Sergiu Gatlan, March 19, 2026, 06:06 AM

A critical Microsoft SharePoint vulnerability patched in January is now being exploited in attacks, the Cybersecurity and Infrastructure Security Agency (CISA) warned.

Tracked as CVE-2026-20963, this security flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.

Successful exploitation enables threat actors without privileges to achieve remote code execution on unpatched servers in low-complexity attacks that exploit a deserialization of untrusted data weakness.

"In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server," Microsoft said when it patched the vulnerability as part of its January 2026 Patch Tuesday.

While Microsoft updated its CVE-2026-20963 advisory this Tuesday, the company has yet to flag it as exploited in the wild.

However, CISA added the security flaw to its catalog of actively exploited vulnerabilities and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers by Saturday, March 21.

FCEB agencies are non-military U.S. executive branch agencies, such as the Department of Homeland Security, the Department of Energy, the Department of Justice, and the Department of State.

CISA didn't provide further information on these ongoing CVE-2026-20963 attacks and has yet to find any evidence that it's being exploited in ransomware attacks.

Even though BOD 22-01 targets only federal agencies, CISA "strongly" urged all network defenders to patch their devices against exploitation of CVE-2025-40551 as soon as possible.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned.
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

On Wednesday, CISA also ordered federal agencies to patch a stored cross-site scripting (XSS) weakness in the Zimbra Collaboration Suite (ZCS) that is now exploited in the wild.

Indicators of Compromise

  • cve — CVE-2026-20963
  • cve — CVE-2025-40551