CISA has added Microsoft SharePoint CVE-2026-20963 to its Known Exploited Vulnerabilities catalog, signaling that the flaw is being actively abused in the wild. Federal civilian agencies are required to address it by March 21, 2026, under the agency’s remediation deadline.
What happened
CVE-2026-20963 is a Microsoft SharePoint remote code execution issue tied to deserialization of untrusted data. Microsoft’s January security update materials list the flaw as affecting SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, and the CVSS score shown in Microsoft’s update data is 8.8.
At the time Microsoft first patched the bug, it was not classified as actively exploited, but that assessment has now changed after CISA’s inclusion in the KEV catalog. CISA’s KEV list is used to track vulnerabilities that are known to be exploited and to drive faster remediation across federal systems.
Why Microsoft SharePoint CVE-2026-20963 matters
For IT teams, the main concern is that SharePoint often sits in the center of document sharing, workflows, and internal collaboration, so a server compromise can expose sensitive files and create a path deeper into the network. The fact that CISA has moved this flaw into the KEV catalog means defenders should treat it as urgent, not routine patch hygiene.
The vulnerability is especially important because Microsoft’s advisory data describes a network-based attack path, and reporting on the issue says no user interaction is required once an attacker reaches a vulnerable SharePoint server. That combination makes exposed SharePoint instances a high-priority target for threat actors.
What admins should do
Organizations running on-premises SharePoint should verify whether they are using any affected version and confirm that Microsoft’s January 2026 security updates are installed. If patching has already been done, teams should still review logs, recent administrative changes, and unusual authentication or web request activity around the SharePoint server.
Security teams should also check for internet-facing SharePoint deployments, since externally reachable servers are the most likely to be targeted first. For federal environments, the deadline is March 21, 2026, but private-sector teams should treat that date as a strong signal to move immediately.
Recent Posts You Might Like
Discover more from Microsoft News Now
Subscribe to get the latest posts sent to your email.
