A critical security flaw in Microsoft SharePoint has come under active exploitation, as highlighted by the Cybersecurity and Infrastructure Security Agency (CISA). This vulnerability, identified as CVE-2026-20963, was initially revealed in Microsoft’s January 2026 Patch Tuesday updates.
Urgent Call for Federal Agency Action
On March 18, CISA incorporated CVE-2026-20963 into its Known Exploited Vulnerabilities (KEV) catalog, compelling federal agencies to implement fixes by March 21. The flaw is a significant remote code execution vulnerability with a CVSS score of 9.8, caused by deserialization of untrusted data.
According to Microsoft’s description, the flaw affects SharePoint Server 2016, 2019, and Subscription Edition. The vulnerability was reported by an anonymous researcher and could allow an unauthenticated user to insert and execute arbitrary code on affected servers.
Microsoft’s Response and Advisory
Although Microsoft updated its advisory on March 17, it has not confirmed any active exploitation of this vulnerability. The company’s exploitability assessment rates exploitation as ‘less likely’. However, CISA’s warning indicates a potential risk that necessitates immediate attention.
There is currently limited public information regarding incidents that have leveraged this vulnerability. SecurityWeek has contacted Microsoft for further insights and awaits a response.
Ongoing Security Challenges
CISA’s KEV catalog now lists nine vulnerabilities related to SharePoint, including three from 2025 associated with the ToolShell attacks. This highlights the continuing challenges in securing enterprise systems against evolving threats.
For those managing SharePoint environments, this serves as a critical reminder to stay vigilant and ensure all security patches are applied promptly to mitigate potential risks.
Related issues include a Cisco firewall vulnerability exploited in Interlock ransomware attacks and phishing campaigns abusing SharePoint to target the energy sector.
