The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning that a severe vulnerability in Microsoft SharePoint, initially patched in January 2026, is now being actively exploited in the wild. The flaw, tracked as CVE-2026-20963, impacts multiple versions of the enterprise collaboration platform, including SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. This vulnerability stems from an unsafe deserialization of untrusted data, a common but dangerous coding weakness. According to Microsoft's original advisory, a network-based, unauthenticated attacker could exploit this flaw to write and execute arbitrary code remotely on vulnerable SharePoint servers, effectively granting them full control in what are described as "low-complexity attacks."
In response to the active exploitation, CISA has taken decisive action by adding CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog. This move mandates all Federal Civilian Executive Branch (FCEB) agencies—which include critical departments like Homeland Security, Energy, Justice, and State—to apply the available security update and secure their systems by Saturday, March 21, 2026. The binding operational directive (BOD 22-01) underscores the immediate threat this flaw poses to federal networks. Notably, while Microsoft updated its advisory for this CVE on the Tuesday preceding CISA's announcement, the company had not yet officially flagged it as exploited in attacks, highlighting the proactive and urgent nature of the federal cybersecurity agency's alert.
The exploitation of this SharePoint flaw occurs amidst a landscape of other significant cybersecurity threats, as reflected in recent industry reports. These include the patching of a ConnectWise ScreenConnect flaw that allowed server hijacking, the emergence of the 'DarkSword' iOS exploit used in infostealer campaigns, and the widespread 'GlassWorm' malware campaign affecting over 400 code repositories on platforms like GitHub and npm. The active targeting of a critical enterprise server platform like SharePoint emphasizes the persistent focus of threat actors on widely used business software to gain initial access, deploy ransomware, or conduct espionage. Organizations outside the federal government are strongly urged to treat CISA's directive as a critical benchmark and apply the January 2026 Patch Tuesday updates immediately to mitigate risk.
While CISA has not released specific details regarding the nature or scale of the ongoing attacks exploiting CVE-2026-20963, its inclusion in the KEV catalog is a reliable indicator of credible exploitation. Security teams should prioritize inventorying and patching all instances of affected SharePoint servers. For environments where immediate patching is not feasible, implementing strict network controls, such as segmenting SharePoint servers and restricting inbound traffic from untrusted networks, is a crucial temporary mitigation. This incident serves as a stark reminder of the critical window between patch availability and widespread exploitation, reinforcing the necessity for robust, automated patch management processes in all enterprise environments.
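The inventory step above can be scripted on each farm. The following PowerShell check is an added example, not code from CISA or Microsoft; it assumes the SharePoint Management Shell snap-in is available, that the check runs as a farm administrator, and that `$MinimumPatchedBuild` is replaced with the build number Microsoft's advisory for CVE-2026-20963 lists for your edition (the value below is a placeholder).

```powershell
# Added example: flag SharePoint servers whose farm build predates the
# CVE-2026-20963 fix. Run in an elevated SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# PLACEHOLDER: take the real patched build for your edition (2016, 2019,
# Subscription Edition) from Microsoft's advisory; it is not given here.
$MinimumPatchedBuild = [version]'0.0.0.0'

$farm      = Get-SPFarm
$farmBuild = $farm.BuildVersion        # farm-wide build, e.g. 16.0.x.y

# Every non-database member of the farm runs SharePoint code and needs the patch.
$report = foreach ($server in $farm.Servers | Where-Object { $_.Role -ne 'Invalid' }) {
    [pscustomobject]@{
        Server    = $server.Name
        Role      = $server.Role
        FarmBuild = $farmBuild
        Patched   = ($farmBuild -ge $MinimumPatchedBuild)
    }
}

$report | Format-Table -AutoSize

# Non-zero exit lets a scheduled job or CI check treat an unpatched farm as a failure.
if ($report | Where-Object { -not $_.Patched }) { exit 1 }
```

Because `BuildVersion` is farm-wide, a server that missed the binary install but still reports the farm build will not be caught here; `Get-SPProduct -Local` on each server shows its own installed patch state and should be used to confirm.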