CISA warns of active exploitation of Microsoft SharePoint vulnerability (CVE-2026-20963)
CVE-2026-20963, a remote code execution (RCE) SharePoint vulnerability Microsoft fixed in January 2026, is being exploited by attackers.
The confirmation comes from the US Cybersecurity and Infrastructure Security Agency (CISA), which added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday.
About CVE-2026-20963
CVE-2026-20963 affects Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016.
It is caused by deserialization of untrusted data and may allow an unauthorized attacker to achieve RCE through a low-complexity attack.
“In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server,” Microsoft explained in the related security advisory published on January 13, 2026.
No user interaction is required for CVE-2026-20963 exploitation.
At the time of the release of the fix, Microsoft judged the vulnerability as “less likely” to be exploited, though it still urged organizations using SharePoint to upgrade to a fixed version as soon as possible.
CISA’s KEV catalog is regularly updated based on verified reports, but it does not offer details about the exploitation of the added flaws nor does it usually point to published third-party reports.
Microsoft has yet to update the security advisory to say that the flaw is under active attack.
By adding the flaw to the KEV catalog, CISA has ordered US federal civilian agencies to address it by March 21, 2026. Private sector and other public sector organizations that use SharePoint should do it as well (if they haven’t already).
Since SharePoint servers often contain valuable corporated data and can also be used as a gateway to the entire corporate environment, SharePoint vulnerabilities are regularly leveraged by various attackers.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!