Critical Microsoft SharePoint Flaw CVE-2026-20963 Exploited in the Wild: Patch Now! (2026)

A critical Microsoft SharePoint vulnerability, CVE-2026-20963, patched in January, is now being actively exploited in attacks, according to the Cybersecurity and Infrastructure Security Agency (CISA). This vulnerability affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. It allows threat actors to achieve remote code execution on unpatched servers through low-complexity attacks exploiting a deserialization of untrusted data weakness.

Microsoft initially patched the flaw as part of its January 2026 Patch Tuesday, warning that an unauthenticated attacker could inject arbitrary code and execute it remotely on the SharePoint Server. Although Microsoft updated its advisory this Tuesday, it has not yet flagged the vulnerability as exploited in the wild. CISA, however, has added it to its catalog of actively exploited vulnerabilities and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers by March 21.

CISA's directive targets non-military U.S. executive branch agencies, such as the Department of Homeland Security, the Department of Energy, the Department of Justice, and the Department of State. The agency has not provided further details on the ongoing attacks, but it strongly urges all network defenders to patch their devices against the exploitation of CVE-2025-40551, a separate vulnerability that also poses significant risks to the federal enterprise.

This recent development highlights the ongoing challenge of keeping software secure. As malware becomes more sophisticated, with techniques like detecting sandboxes and hiding in plain sight, as revealed in the Red Report 2026, the need for robust security measures becomes increasingly critical. The fact that these vulnerabilities are being actively exploited underscores the importance of timely patching and the potential risks to organizations that fail to address them promptly.

Author: Gov. Deandrea McKenzie