Attack

Critical Microsoft SharePoint RCE Vulnerability CVE-2026-20963 Under Active Exploitation

Take action: Your SharePoint servers are under attack. Ideally, isolate them from the internet and make them accessible only from internal networks. Then apply the January 2026 patch ASAP. If you are still using SharePoint 2013 or older, isolate those servers and upgrade to a newer version. Those old systems are permanently vulnerable.


Learn More

Microsoft SharePoint is currently under attack due to a critical security flaw that allows unauthenticated users to take over servers. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, confirming that threat actors are actively using it. 

Microsoft released a patch in January 2026, but it seems a significant number of instances have not been patched, prompting urgent warnings for both government and private organizations to secure their systems immediately.

The flaw is tracked as CVE-2026-20963 (CVSS score 9.8), a deserialization of untrusted data vulnerability that allows unauthenticated attackers to run arbitrary code on SharePoint servers.

Once a server is compromised, attackers can steal sensitive documents, access internal databases, or use the server as a foothold to attack other parts of the corporate network. 

The security flaw affects several versions of the platform, including SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. 

Legacy versions such as SharePoint Server 2007, 2010, and 2013 are also vulnerable but no longer receive security updates from Microsoft. 

Administrators must apply the security updates from the January 2026 Patch Tuesday cycle. U.S. federal agencies have until March 21, 2026, to patch their servers or stop using the software if updates cannot be applied. 

Organizations running older, unsupported versions of SharePoint should upgrade to a supported version ASAP, as these systems will not receive any security fixes.
