Unknown attackers exploit yet another critical SharePoint bug

Summary

Unknown attackers are exploiting CVE-2026-20963, a critical deserialization vulnerability in on-premises Microsoft SharePoint that allows unauthenticated remote code execution. Microsoft patched the flaw in its January Patch Tuesday release, but the US Cybersecurity and Infrastructure Security Agency (CISA) has since added it to its Known Exploited Vulnerabilities (KEV) catalogue and ordered federal agencies to remediate within three days.

Microsoft has not updated its advisory to confirm active exploitation and has not identified who is abusing the flaw or their motives. The incident follows large-scale SharePoint attacks in 2025 (ToolShell, CVE-2025-53770) that impacted hundreds of organisations and involved nation-state and criminal actors.

Key Points

  • CVE-2026-20963 is a critical SharePoint deserialization bug that enables unauthenticated remote code execution.
  • Microsoft shipped the fix in its January Patch Tuesday release; at the time the vendor rated exploitation as “less likely.”
  • CISA has added the CVE to its KEV catalogue and directed federal agencies to patch within three days, signalling active abuse in the wild.
  • Microsoft has not publicly confirmed active exploitation or named the attackers or their objective.
  • This resurgence follows the 2025 SharePoint mass exploitation (ToolShell, CVE-2025-53770), which affected more than 400 organisations, including government bodies, and in some cases ended in ransomware deployment.
  • Organisations running internet-facing SharePoint should patch immediately, isolate instances that cannot be patched, and hunt for web shells and other indicators of compromise: a deserialization RCE may already have been used before the patch landed, and patching alone does not evict an attacker who is already in.
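
A starting point for the web-shell hunt mentioned above, as an added example that is not from The Register article or from Microsoft: it lists recently created or modified ASP.NET script files under the SharePoint hive LAYOUTS folder and the IIS virtual directories, annotates them with content patterns typical of web shells and deserialization loaders, records a SHA-256 for later comparison, and prints the farm build so it can be checked against the build Microsoft lists for CVE-2026-20963. The paths, the 14-day lookback and the pattern list are assumptions (SharePoint 2016/2019/Subscription Edition default install locations; tune them to your environment), and the script has to run as a local administrator on the SharePoint server itself.

```powershell
# Added example (not from the article or Microsoft): first-pass web-shell hunt
# for an on-premises SharePoint server. Run elevated on the server, save as .ps1.
# Assumptions: default hive (16) and IIS virtual-directory paths; adjust $Roots
# if your install differs.
param(
    [int]$LookbackDays = 14,
    [string[]]$Roots = @(
        'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
        'C:\inetpub\wwwroot\wss\VirtualDirectories'
    )
)

# Content patterns seen in ASP.NET web shells and deserialization loaders (assumed
# heuristics). Legitimate pages match some of these, so the date filter does most
# of the work inside the shipped LAYOUTS tree.
$Patterns = @(
    'Process\.Start', 'cmd\.exe', 'powershell', 'BinaryFormatter', 'LosFormatter',
    'ObjectStateFormatter', 'Deserialize\(', 'MachineKey', 'Request\.(Form|Headers|QueryString)'
)
$Cutoff = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays)

$Findings = foreach ($Root in $Roots) {
    if (-not (Test-Path -LiteralPath $Root)) { continue }
    Get-ChildItem -Path $Root -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.ascx -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Either timestamp being recent is enough: timestomping often resets only LastWriteTime.
            $Recent = ($_.LastWriteTimeUtc -gt $Cutoff) -or ($_.CreationTimeUtc -gt $Cutoff)
            $Hits = @(Select-String -LiteralPath $_.FullName -Pattern $Patterns -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty Pattern -Unique)
            # Report anything recent, plus anything outside the vendor-shipped LAYOUTS tree that
            # matches a pattern regardless of its timestamps.
            if ($Recent -or ($Hits.Count -gt 0 -and $_.FullName -notlike '*\TEMPLATE\LAYOUTS\*')) {
                [pscustomobject]@{
                    Path        = $_.FullName
                    Created     = $_.CreationTimeUtc
                    LastWrite   = $_.LastWriteTimeUtc
                    SizeBytes   = $_.Length
                    PatternHits = ($Hits -join ', ')
                    SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Current farm build, to compare with the fixed build in Microsoft's advisory for CVE-2026-20963.
try {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    "Farm build: $((Get-SPFarm).BuildVersion)"
} catch {
    'SharePoint PowerShell snap-in not available; check the build in Central Administration instead.'
}

$Findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: compare each flagged file's hash against the same path on a known-clean server of the same build, and against any indicators the vendor or CISA publish for this CVE. A file that is recent and matches a pattern in a VirtualDirectories root deserves immediate isolation of the server and a look at the IIS logs around its creation time; a pattern hit on an untouched vendor page under LAYOUTS is usually noise.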

Context and relevance

SharePoint remains a frequent target because on-premises deployments expose critical services to the internet and often lag in patching. CISA adds a CVE to the KEV catalogue only when it has reliable evidence of active exploitation, so the listing is the firmest public signal that this flaw is being used in real intrusions, whether at scale or in targeted attacks, even while the vendor's advisory is silent on the point. For IT and security teams, this continues the pattern of attackers weaponising SharePoint flaws within days of disclosure or patch release.

Why should I read this?

Short version: if you run or manage SharePoint, this matters — pronto. CISA just put it on the KEV list with a three-day call to action for federal agencies, so chances are you’re at heightened risk. We’ve scanned the detail and pulled out the urgent bits so you don’t have to dig through the original right now.

Author

Punchy: This is not one to ignore. If your organisation uses on-prem SharePoint or exposes it publicly, treat this as high priority. Patch, monitor and isolate where possible — the history of SharePoint exploits shows attackers move fast and often follow up with data theft or ransomware.

Source

Source: https://www.theregister.com/2026/03/19/unknown_attackers_exploit_yet_another/

Published: 2026-03-19T18:54:19+00:00