CVE-2026-20963 was originally published in January 2026, but it has recently gained renewed attention due to confirmed active exploitation.
CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) list on March 18, 2026, following reports of real-world attacks. The flaw is a remote code execution vulnerability in Microsoft SharePoint caused by improper handling of untrusted data during deserialisation. Once triggered, it allows attackers to execute code on the SharePoint server, and available information indicates that authentication might not be required.
Because SharePoint often stores sensitive internal information and underpins key collaboration workflows, successful exploitation can lead to significant operational and data security risks.
If exploited, an attacker can:
This appears to be a remote attack that may not require credentials, based on the information currently available.
According to published information, the following Microsoft SharePoint products are affected:
CVE-2026-20963 is being actively exploited. While specific threat groups have not been publicly identified, the techniques observed are consistent with those used by attackers who specialise in gaining initial access for further intrusion activity or ransomware deployment.
Microsoft has released security updates addressing the issue. Updating all affected SharePoint servers to the latest patched version is the most important step.
Ensure SharePoint servers are not unnecessarily exposed:
Increase monitoring on affected servers for:
Audit administrative roles and service accounts to ensure minimal privileges are assigned.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.