Vulnerabilities | Critical

CVE-2026-20963: Microsoft SharePoint RCE Actively Exploited, CISA Issues Warning

Tuesday, March 31, 2026
Global
CISA KEV + BleepingComputer + Help Net Security

Summary

CISA confirmed active exploitation of CVE-2026-20963, a critical deserialization remote code execution vulnerability in Microsoft SharePoint Server affecting Subscription Edition, 2019, and Enterprise Server 2016. Unauthenticated attackers can execute arbitrary code remotely with no user interaction required. Microsoft patched the vulnerability in January 2026, but exploitation is now confirmed in the wild.

Threat Analysis

CVE-2026-20963 is a critical remote code execution (RCE) vulnerability in Microsoft SharePoint Server caused by deserialization of untrusted data. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on March 18-19, 2026, confirming active exploitation.

Affected Products: Microsoft SharePoint Server Subscription Edition (prior to 16.0.5535.1001), SharePoint Server 2019 (prior to 16.0.10417.20083), SharePoint Enterprise Server 2016 (prior to 16.0.19127.20442).

Exploitation Details: An unauthenticated attacker can exploit this vulnerability through a low-complexity attack requiring no user interaction to achieve remote code execution on the SharePoint server. Successful exploitation can lead to full server compromise, web shell deployment, credential theft, and lateral movement across the enterprise network.

Exploitation Status: Actively exploited in the wild. Microsoft initially rated exploitation as 'less likely' when patching in January 2026, but CISA's KEV addition confirms real-world attacks are occurring.

Recommended Mitigations: Apply Microsoft's January 2026 Patch Tuesday updates immediately, prioritizing internet-facing SharePoint instances. If patching is not immediately possible, restrict network access, implement network segmentation, and deploy WAF rules. Monitor SharePoint ULS logs and Windows Event ID 4688 for unexpected process spawning (e.g., w3wp.exe launching cmd.exe or powershell.exe). Federal agencies were mandated to remediate by March 21, 2026.
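The Event ID 4688 check described above can be run over exported Security-log XML. The following is an added example, not code from Microsoft or CISA. It assumes the events sit under a single root element and that the host records ParentProcessName (Windows Server 2016 and later). The function name and all sample events are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PARENT = "w3wp.exe"  # IIS worker process that hosts SharePoint
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe"}  # children named in the advisory

# Constructed sample events (not real telemetry), trimmed to the fields used below.
SAMPLE = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4688</EventID><TimeCreated SystemTime="2026-03-30T02:14:07Z"/></System>
<EventData><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="ParentProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data>
<Data Name="CommandLine">cmd.exe /c echo constructed-sample</Data></EventData></Event>
<Event><System><EventID>4688</EventID><TimeCreated SystemTime="2026-03-30T02:14:09Z"/></System>
<EventData><Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE</Data>
<Data Name="ParentProcessName">c:\windows\system32\inetsrv\W3WP.EXE</Data></EventData></Event>
<Event><System><EventID>4688</EventID><TimeCreated SystemTime="2026-03-30T02:20:00Z"/></System>
<EventData><Data Name="NewProcessName">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe</Data>
<Data Name="ParentProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data></EventData></Event>
<Event><System><EventID>4688</EventID><TimeCreated SystemTime="2026-03-30T08:01:00Z"/></System>
<EventData><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="ParentProcessName">C:\Windows\explorer.exe</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2026-03-30T08:02:00Z"/></System>
<EventData><Data Name="TargetUserName">svc_sp</Data></EventData></Event>
</Events>"""


def suspicious_spawns(xml_text):
    """Return 4688 events where w3wp.exe created cmd.exe or powershell.exe."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", "", NS).strip() != "4688":
            continue
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        # ntpath parses Windows paths on any OS; compare base names case-insensitively.
        parent = ntpath.basename(data.get("ParentProcessName", "")).lower()
        child = ntpath.basename(data.get("NewProcessName", "")).lower()
        if parent == PARENT and child in SUSPECT_CHILDREN:
            when = ev.find("e:System/e:TimeCreated", NS)
            hits.append({
                "time": when.get("SystemTime") if when is not None else "",
                "child": child,
                # CommandLine is empty unless command-line auditing is enabled.
                "command_line": data.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_spawns(SAMPLE):
        print(hit)
```

The csc.exe event is left unflagged because it is not one of the children the advisory names, and the explorer.exe event shows that the parent must be w3wp.exe for a hit.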

Last updated: Mar 31, 2026, 08:18 AM
