SharePoint RCE Flaw CVE-2026-20963 Under Active Exploitation
CISA added Microsoft SharePoint CVE-2026-20963 to the KEV catalog after confirming active exploitation. Federal agencies must patch by March 21.
A critical deserialization vulnerability in Microsoft SharePoint is being actively exploited in the wild, prompting CISA to add CVE-2026-20963 to the Known Exploited Vulnerabilities catalog on March 18. Federal agencies face a March 21 deadline to patch or mitigate.
The flaw allows unauthenticated remote attackers to execute arbitrary code on vulnerable SharePoint servers without any user credentials. Because SharePoint typically houses sensitive enterprise documents and internal communications, successful exploitation opens the door to data theft, lateral movement, and ransomware deployment.
Technical Breakdown
CVE-2026-20963 is a deserialization-of-untrusted-data vulnerability. When SharePoint processes incoming data, it fails to properly validate serialized content before attempting to reconstruct objects. Attackers craft malicious data packets containing embedded instructions, and when SharePoint deserializes this input, it executes the attacker's code.
The attack requires only network access to the SharePoint server. No authentication, no special permissions, no user interaction. Send the payload, get code execution.
Affected Versions
The vulnerability impacts multiple SharePoint deployments:
- SharePoint Enterprise Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
Organizations running cloud-hosted SharePoint Online through Microsoft 365 are not affected; the flaw is specific to on-premises installations.
Why Initial Access Brokers Want This
Remote code execution flaws in enterprise collaboration platforms are gold for initial access brokers and ransomware operations. SharePoint sits at the heart of document management and internal workflows in thousands of organizations. Once attackers achieve code execution, they can:
- Deploy persistent backdoors for long-term access
- Harvest credentials from connected services
- Pivot laterally across the corporate network
- Stage ransomware or exfiltrate sensitive documents
We've seen this pattern repeatedly with Microsoft-targeted attacks this year. Enterprise collaboration tools provide both valuable data and network access, making them priority targets.
CISA's Tight Deadline
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies must remediate KEV catalog entries within specified timeframes. For CVE-2026-20963, that deadline is March 21, 2026 - just days away.
CISA's KEV catalog addition confirms active exploitation, though specific threat actors and campaign details haven't been disclosed. The compressed remediation timeline suggests CISA views this as an imminent threat requiring emergency action.
What to Do Now
Organizations running on-premises SharePoint should treat this as a critical priority:
- Apply patches immediately - Microsoft's security updates address the deserialization flaw
- Review access logs - Check for anomalous requests that could indicate exploitation attempts
- Assess exposure - Determine if SharePoint servers are accessible from untrusted networks
- Consider isolation - If immediate patching isn't possible, restrict network access to SharePoint instances
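The "review access logs" and "assess exposure" steps above can be combined into a first-pass triage over the IIS W3C logs an on-premises SharePoint front end already writes. The script below is an added example, not code from CISA, Microsoft or this article; it assumes the standard IIS W3C field set, treats RFC 1918 ranges as the trusted networks, uses a 16 KB body-size threshold, and flags a request when two or more heuristics fire. The heuristics (unauthenticated POST, untrusted source, large body, 5xx response) are general reasoning about an unauthenticated deserialization bug, not indicators published for CVE-2026-20963, and the sample log lines and the `/_layouts/15/placeholder-endpoint.aspx` path are constructed placeholders.

```python
"""Triage IIS W3C access logs from an on-premises SharePoint server for
requests worth a closer look after an unauthenticated RCE advisory.

Heuristics (assumptions for this example, not published indicators):
  * SharePoint normally serves authenticated users, so an unauthenticated
    (cs-username "-") POST is unusual.
  * Requests from outside the organisation's trusted ranges matter more.
  * Large request bodies (cs-bytes) are consistent with a serialized payload.
  * A 5xx response can indicate input the server failed to process.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample lines in IIS W3C format; not real traffic, and the
# /_layouts/15/placeholder-endpoint.aspx path is a placeholder, not a
# known vulnerable endpoint.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status cs-bytes time-taken
2026-03-18 09:12:01 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\\jdoe 10.0.4.22 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 612 35
2026-03-18 09:12:07 10.0.0.5 POST /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.4.22 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 1480 120
2026-03-18 09:13:44 10.0.0.5 POST /_layouts/15/placeholder-endpoint.aspx - 443 - 198.51.100.23 python-requests/2.31 500 0 0 48211 910
2026-03-18 09:13:45 10.0.0.5 POST /_layouts/15/placeholder-endpoint.aspx - 443 - 198.51.100.23 python-requests/2.31 200 0 0 47990 1304
2026-03-18 09:15:02 10.0.0.5 GET /_api/web/lists - 443 CORP\\svc_sync 10.0.9.8 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 420 22
"""

# Assumed trusted ranges; replace with the organisation's actual networks.
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LARGE_BODY_BYTES = 16_384  # assumed threshold for "large" request bodies


@dataclass
class Request:
    date: str
    time: str
    method: str
    uri: str
    username: str
    client_ip: str
    user_agent: str
    status: int
    cs_bytes: int


def parse_w3c(lines: Iterable[str]) -> List[Request]:
    """Parse W3C extended log lines using the #Fields directive for column names."""
    fields = None
    out: List[Request] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data appeared before a #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        rec = dict(zip(fields, parts))
        out.append(Request(
            date=rec["date"], time=rec["time"], method=rec["cs-method"],
            uri=rec["cs-uri-stem"], username=rec["cs-username"],
            client_ip=rec["c-ip"], user_agent=rec["cs(User-Agent)"],
            status=int(rec["sc-status"]), cs_bytes=int(rec["cs-bytes"]),
        ))
    return out


def is_trusted_source(ip: str) -> bool:
    """True when the client address falls inside a trusted network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def score(req: Request) -> List[str]:
    """Return the list of heuristics that fire for one request."""
    reasons = []
    if req.method == "POST" and req.username == "-":
        reasons.append("unauthenticated POST")
    if not is_trusted_source(req.client_ip):
        reasons.append("source outside trusted ranges")
    if req.cs_bytes >= LARGE_BODY_BYTES:
        reasons.append(f"large request body ({req.cs_bytes} bytes)")
    if req.status >= 500:
        reasons.append(f"server error ({req.status})")
    return reasons


def triage(lines: Iterable[str], min_reasons: int = 2) -> List[Tuple[Request, List[str]]]:
    """Return requests for which at least min_reasons heuristics fired."""
    findings = []
    for req in parse_w3c(lines):
        reasons = score(req)
        if len(reasons) >= min_reasons:
            findings.append((req, reasons))
    return findings


if __name__ == "__main__":
    for req, reasons in triage(SAMPLE_LOG.splitlines()):
        print(f"{req.date} {req.time} {req.client_ip} {req.method} {req.uri} "
              f"-> {'; '.join(reasons)}")
```

On the constructed sample the two unauthenticated POSTs from 198.51.100.23 are reported and the authenticated internal traffic is not. The thresholds and trusted ranges are deliberately simple: the point is to narrow a day of logs to a handful of requests an analyst then examines by hand, and to confirm whether any external source can reach the server at all, which is the exposure question the isolation step above depends on.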
For environments where patching requires extended maintenance windows, CISA explicitly advises that if no workarounds exist, organizations should discontinue use of the vulnerable product until a fix can be deployed.
The Bigger Picture
This marks another entry in the ongoing pattern of enterprise application vulnerabilities being exploited for initial access. Collaboration platforms, content management systems, and business applications provide attackers with both data access and network footholds.
The speed from vulnerability disclosure to active exploitation continues to compress. Security teams operating on traditional monthly patch cycles find themselves consistently behind threat actors who weaponize flaws within days or hours of disclosure.
Organizations using on-premises SharePoint should also review Microsoft's broader March 2026 Patch Tuesday updates, which addressed multiple high-severity vulnerabilities beyond CVE-2026-20963.