Critical Microsoft SharePoint Flaw Now Exploited in Attacks
Summary:
A critical vulnerability in Microsoft SharePoint Server, originally patched in January 2026, is now seeing active exploitation in the wild. Tracked as CVE-2026-20963, the flaw is a deserialization of untrusted data issue that allows an attacker with low-privileged authenticated access to execute arbitrary code remotely on the affected server. While Microsoft initially categorized the likelihood of exploitation as "less likely," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog as of March 18, 2026. This addition signals that attackers are actively weaponizing the flaw to breach enterprise environments, prompting urgent remediation requirements for federal agencies and a strong recommendation for private sector entities to follow suit.
Security Officer Comments:
The transition of CVE-2026-20963 from a "less likely" exploit to an actively traded and used threat is a significant development for organizations. SharePoint remains a high-value target for adversaries because it often serves as a central repository for sensitive corporate intellectual property and serves as a springboard for lateral movement within a network. Because the attack requires only "low" privileges, an attacker who has compromised a single set of employee credentials, perhaps through a simple phishing campaign, can escalate that foothold into full system command. For our broad range of members, this means that even if your external perimeter is robust, an internal threat or a leaked credential could lead to a catastrophic breach of your primary collaboration platform. We are seeing a trend where attackers specifically wait for the "post-patch" window to target organizations that are slower to update their internal-facing infrastructure.
Suggested Corrections:
To defend against this active threat, organizations should prioritize the following actions:
Link(s):
https://www.bleepingcomputer.com/ne...oft-sharepoint-flaw-now-exploited-in-attacks/
A critical vulnerability in Microsoft SharePoint Server, originally patched in January 2026, is now seeing active exploitation in the wild. Tracked as CVE-2026-20963, the flaw is a deserialization of untrusted data issue that allows an attacker with low-privileged authenticated access to execute arbitrary code remotely on the affected server. While Microsoft initially categorized the likelihood of exploitation as "less likely," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog as of March 18, 2026. This addition signals that attackers are actively weaponizing the flaw to breach enterprise environments, prompting urgent remediation requirements for federal agencies and a strong recommendation for private sector entities to follow suit.
Security Officer Comments:
The transition of CVE-2026-20963 from a "less likely" exploit to an actively traded and used threat is a significant development for organizations. SharePoint remains a high-value target for adversaries because it often serves as a central repository for sensitive corporate intellectual property and serves as a springboard for lateral movement within a network. Because the attack requires only "low" privileges, an attacker who has compromised a single set of employee credentials, perhaps through a simple phishing campaign, can escalate that foothold into full system command. For our broad range of members, this means that even if your external perimeter is robust, an internal threat or a leaked credential could lead to a catastrophic breach of your primary collaboration platform. We are seeing a trend where attackers specifically wait for the "post-patch" window to target organizations that are slower to update their internal-facing infrastructure.
Suggested Corrections:
To defend against this active threat, organizations should prioritize the following actions:
- Immediate Patching: Apply the security updates provided by Microsoft in the January 2026 Patch Tuesday release. This affects SharePoint Server 2016, 2019, and Subscription Edition.
- Enforce MFA: Since the exploit requires authentication, robust Multi-Factor Authentication (MFA) across all SharePoint access points is the most effective way to prevent the initial access required to trigger the vulnerability.
- Monitor for Anomalous Processes: Security teams should hunt for unusual child processes spawning from the SharePoint worker process (w3wp[.]exe). Specifically, look for the execution of cmd[.]exe, powershell.exe, or any unexpected network connections originating from the SharePoint application tier.
- Network Segmentation: Ensure that SharePoint servers are isolated from the broader internet where possible and that internal access is restricted to only the necessary user segments to reduce the potential attack surface.
Link(s):
https://www.bleepingcomputer.com/ne...oft-sharepoint-flaw-now-exploited-in-attacks/