SecurityWeek

CISA Warns of Attacks Exploiting Recent SharePoint Vulnerability

The SharePoint remote code execution vulnerability CVE-2026-20963, which Microsoft patched in January, has been exploited in the wild.

A recently patched Microsoft SharePoint vulnerability has been exploited in the wild, according to the cybersecurity agency CISA.

The vulnerability, tracked as CVE-2026-20963, was disclosed on January 13, when Microsoft released its January 2026 Patch Tuesday updates.

CISA added CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog on March 18, instructing federal agencies to address it by March 21.

Microsoft has described the vulnerability as a critical remote code execution flaw (CVSS 9.8) enabled by deserialization of untrusted data. 

The issue affects SharePoint Server 2016, 2019, and Subscription Edition, and it was reported to Microsoft by an anonymous researcher.

“In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server,” Microsoft explained in its advisory.

Microsoft updated its advisory for CVE-2026-20963 on March 17, but it still does not mention active exploitation. In addition, the flaw has an exploitability assessment of ‘exploitation less likely’.

There does not appear to be any public information about the attacks exploiting the vulnerability.

SecurityWeek has reached out to Microsoft for information about the attacks and will update this article if the company responds.

CISA’s KEV catalog currently includes nine SharePoint vulnerabilities, including three disclosed in 2025 and associated with the ToolShell attacks. 

UPDATE: Microsoft has not shared information about the attacks, but told SecurityWeek, “We addressed CVE-2026-20963 in our January Security Update. Customers who have installed the latest updates, or have automatic updates enabled, are already protected.”

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
