Critical SharePoint Flaw Under Active Attack, CISA Warns



As Bleeping Computer writes, CISA has issued an urgent warning about a critical Microsoft SharePoint vulnerability that is now being actively exploited in the wild. The flaw, tracked as CVE-2026-20963, was originally patched during the January 2026 Patch Tuesday update cycle.

Although Microsoft has not officially confirmed active exploitation, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling credible evidence of real-world attacks.

Affected SharePoint versions

The vulnerability impacts several widely used SharePoint deployments, including:

  • SharePoint Enterprise Server 2016
  • SharePoint Server 2019
  • SharePoint Server Subscription Edition

Older versions such as SharePoint 2007, 2010, and 2013 are also vulnerable. Because they no longer receive security updates, organizations still running them face greater exposure.

Remote code execution with no authentication

CVE-2026-20963 is a high-severity flaw that allows unauthenticated remote code execution. The issue stems from improper deserialization of untrusted data, enabling attackers to run arbitrary code on affected servers.

The attack requires low complexity and no prior authentication, making it particularly dangerous for internet-facing SharePoint environments.

CISA sets March 21 deadline for federal agencies

CISA has ordered U.S. federal civilian agencies to secure affected systems by March 21, 2026. This directive applies to major departments such as the Department of Homeland Security, the Department of Justice, the Department of Energy, and the State Department.

Organizations must apply available patches, follow Microsoft’s mitigation guidance, or discontinue use of vulnerable systems if they cannot secure them.

Urgent guidance for all organizations

While the directive targets federal agencies, CISA strongly urges all organizations to act immediately. The agency emphasized that vulnerabilities like this are frequently exploited by threat actors and often serve as entry points for larger attacks.

There are currently no confirmed links between this flaw and ransomware campaigns, but the risk remains high given the nature of remote code execution vulnerabilities.

Additional security developments

In related cybersecurity news, CISA recently warned about increased endpoint attacks following the Stryker breach. At the same time, Microsoft has started phase two of its Deployment Services Security Hardening initiative.

Microsoft has also released an emergency update, KB5084597, addressing remote code execution flaws in RRAS, further highlighting ongoing security concerns across enterprise infrastructure.
