A significant security vulnerability in Microsoft SharePoint has been identified and is currently being exploited in active cyber attacks. On March 18, 2026, this flaw was officially included in the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA), underscoring the urgency for network administrators to act swiftly.
Understanding the SharePoint Vulnerability
The vulnerability, cataloged as CVE-2026-20963, arises from the manner in which Microsoft SharePoint handles the deserialization of untrusted data. Deserialization is the conversion process that transforms data meant for storage or network transfer into executable objects within an application. When this process is not securely handled, it opens the door for attackers to exploit the system.
This specific flaw allows an unauthorized, remote attacker to send a maliciously crafted data packet to a vulnerable server, which, when processed by SharePoint, executes the attacker’s embedded instructions. This capability to execute arbitrary code on the host system without valid credentials poses a severe risk, particularly as SharePoint environments often contain sensitive corporate information.
Implications and Threat Landscape
The addition of CVE-2026-20963 to the KEV catalog highlights the observed exploitation of this vulnerability in real-world scenarios, although the exact advanced persistent threat (APT) groups responsible remain unidentified. While the link to active ransomware campaigns has not been confirmed, vulnerabilities allowing remote code execution are highly sought after by threat actors.
Once attackers achieve code execution, they can deploy additional payloads, maintain persistent access, and potentially move laterally within the network, escalating the threat to corporate data and communications security.
Mitigation and Recommendations
CISA has issued a directive for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 22-01, mandating the remediation of all vulnerable SharePoint instances by March 21, 2026. Private organizations are advised to follow this timeline to safeguard their systems.
Administrators should immediately review Microsoft’s security advisories and apply all available patches. If patching is not feasible, alternative mitigations must be implemented. In the absence of viable mitigations, CISA recommends discontinuing the use of affected products until a lasting solution is available.
Stay informed by following us on Google News, LinkedIn, and X for ongoing cybersecurity updates. Contact us to share your cybersecurity stories.
