CVE-2026-20963 was originally published in January 2026, but it has recently gained renewed attention due to confirmed active exploitation.
Overview
CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) list on March 18, 2026, following reports of real-world attacks. The flaw is a remote code execution vulnerability in Microsoft SharePoint caused by improper handling of untrusted data during deserialisation. Once triggered, it allows attackers to execute code on the SharePoint server, and available information indicates that authentication might not be required.
Because SharePoint often stores sensitive internal information and underpins key collaboration workflows, successful exploitation can lead to significant operational and data security risks.
What the Vulnerability Allows
If exploited, an attacker can:
- Execute arbitrary code on the SharePoint server
- Gain full control over the host
- Move laterally within the environment
- Deploy malware, backdoors, or set up persistence
- Potentially prepare for data theft or ransomware operations
This appears to be a remote attack that may not require credentials, based on the information currently available.
Affected Versions
According to published information, the following Microsoft SharePoint products are affected:
- SharePoint Server 2016
- SharePoint Server 2019
- SharePoint Subscription Edition
Current Threat Activity
CVE-2026-20963 is being actively exploited. While specific threat groups have not been publicly identified, the techniques observed are consistent with those used by attackers who specialise in gaining initial access for further intrusion activity or ransomware deployment.
Recommended Mitigation Steps
1. Apply Patches Immediately
Microsoft has released security updates addressing the issue. Updating all affected SharePoint servers to the latest patched version is the most important step.
2. Limit Network Exposure
Ensure SharePoint servers are not unnecessarily exposed:
- Restrict access from untrusted networks
- Enforce proper firewall and reverse-proxy controls
- Remove any direct external exposure unless absolutely required
3. Strengthen Monitoring and Logging
Increase monitoring on affected servers for:
- Unusual or unauthorized file modifications
- Suspicious processes running under SharePoint service accounts
- Unexpected outbound network connections
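The following is an added example, not part of the bulletin, showing how two of the indicators above (suspicious processes under SharePoint service accounts and unexpected outbound connections) can be turned into triage logic over endpoint telemetry. It assumes the records have already been parsed into the small dataclasses shown (Sysmon-style process-creation and network events), that w3wp.exe is the IIS worker hosting SharePoint, and that the service-account names, allowlisted ranges and sample records are constructed values a site would replace with its own.

```python
# Added example, not from the original bulletin: triage logic for the
# monitoring indicators above, run over constructed Sysmon-style records.
import ipaddress
from dataclasses import dataclass

IIS_WORKER = "w3wp.exe"  # IIS worker process that hosts SharePoint web applications
# Interpreters and script hosts the IIS worker has no routine reason to launch.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

@dataclass(frozen=True)
class ProcessEvent:  # shape of a Sysmon Event ID 1 / Security 4688 record
    pid: int
    image: str         # file name of the new process
    parent_image: str  # file name of its parent
    user: str          # DOMAIN\account it runs as

@dataclass(frozen=True)
class NetEvent:  # shape of a Sysmon Event ID 3 record
    image: str
    dest_ip: str
    dest_port: int

def suspicious_processes(events, sharepoint_accounts):
    """Return (event, reason) pairs: interpreters spawned by the IIS worker,
    or interpreters running as a SharePoint service account from any parent."""
    accounts = {a.lower() for a in sharepoint_accounts}
    findings = []
    for ev in (e for e in events if e.image.lower() in INTERPRETERS):
        if ev.parent_image.lower() == IIS_WORKER:
            findings.append((ev, "interpreter spawned by IIS worker"))
        elif ev.user.lower() in accounts:
            findings.append((ev, "interpreter running as SharePoint service account"))
    return findings

def unexpected_outbound(events, allowed_cidrs):
    """Return IIS-worker connections to destinations outside the site allowlist."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [ev for ev in events if ev.image.lower() == IIS_WORKER
            and not any(ipaddress.ip_address(ev.dest_ip) in n for n in nets)]

# Constructed sample records (not real telemetry); account names are made up.
SAMPLE_PROCS = [
    ProcessEvent(4120, "w3wp.exe", "svchost.exe", r"CORP\svc_spapp"),           # normal
    ProcessEvent(5312, "cmd.exe", "w3wp.exe", r"CORP\svc_spapp"),               # flagged
    ProcessEvent(5330, "powershell.exe", "explorer.exe", r"CORP\svc_spfarm"),   # flagged
]
SAMPLE_NET = [NetEvent("w3wp.exe", "10.20.0.15", 1433),    # SQL back end, allowed
              NetEvent("w3wp.exe", "203.0.113.44", 443)]   # flagged
SHAREPOINT_ACCOUNTS = [r"CORP\svc_spfarm", r"CORP\svc_spapp"]
ALLOWED_CIDRS = ["10.0.0.0/8", "192.168.0.0/16"]
```

Both functions are deliberately narrow: they surface records worth an analyst's attention rather than declaring compromise, so feed the output into a case review rather than an automated block.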
4. Review Permissions and Access Controls
Audit administrative roles and service accounts to ensure minimal privileges are assigned.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
