A critical unauthenticated remote code execution flaw in SharePoint is being weaponized in the wild.
CVE-2026-20963 · Severity 9.8 · CISA KEV Remediation Deadline: March 21, 2026.
CISA has added a critical deserialization flaw in Microsoft SharePoint Server to the Known Exploited Vulnerabilities catalog. In a network-based attack, an unauthenticated attacker can execute arbitrary code to inject and execute commands remotely on the server.
While the flaw was patched in January, active exploitation has recently surged. Because SharePoint often stores the core intellectual property and internal communications of an organization, an RCE here represents a total compromise of corporate data.
The uncomfortable truth: If your SharePoint servers are internet-exposed and unpatched today, you are operating an open repository for automated data exfiltration.
- Apply the January 2026 security updates for SharePoint Server 2016, 2019, and Subscription Edition immediately.
- Conduct a retrospective audit of your SharePoint logs for unauthorized code injection or anomalous service account activity.
- Ensure that internal SharePoint instances are not reachable from the public internet without a Zero Trust gateway.
#Cybersecurity #DataProtection #SharePoint #PatchManagement #SOC #CodeDefence
