On March 18, 2026, CISA added CVE-2026-20963 to its Known Exploited Vulnerabilities catalog. Federal agencies had until March 21 to patch. Three days.
This is a remote code execution vulnerability in Microsoft SharePoint. No authentication required. No user interaction required. Low complexity. An attacker who can reach your SharePoint server over the network can run code on it.
Microsoft patched this in January 2026. At the time, they rated it "exploitation less likely." That assessment aged poorly.
What Is CVE-2026-20963?
CVE-2026-20963 is a deserialization vulnerability in Microsoft SharePoint Server. Deserialization bugs occur when an application reconstructs objects from untrusted serialized data, such as object state passed in a request, without validating it first. An attacker crafts malicious serialized input and sends it to the server. The server processes it, the payload executes, and now the attacker has code running in the context of the SharePoint service account.
The affected versions are:
- SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Server 2016
The attack requires no credentials. No phishing, no stolen password, no insider access. If the service is exposed and unpatched, that is the entire attack chain.
Why SharePoint Specifically?
SharePoint tends to hold the keys to the kingdom. Document libraries with contracts, financial data, HR records, and internal policies. Credentials stored in files that should not be on a file share but always are. Integration with Active Directory. Often reachable from the internet for remote employees.
A foothold on a SharePoint server is frequently a foothold on the internal network. From there, lateral movement to domain controllers, backup systems, and sensitive databases becomes straightforward. This is exactly why CISA treats unpatched SharePoint as a high-priority issue, not just a software update to schedule for next month's maintenance window.
Microsoft Said "Less Likely." Then What Happened?
This is worth slowing down on, because it has direct implications for how you manage your patch program.
Microsoft assigns exploitation likelihood ratings to CVEs as part of their advisory process. "Exploitation less likely" means their analysts believed, at the time of disclosure, that the technical complexity or other factors made mass exploitation improbable. That assessment is made before public proof-of-concept code exists, before researchers have time to study the patch, and before attackers have had a chance to weaponize it.
Within roughly two months of the January patch, someone had working exploit code and was using it in real attacks. CISA confirmed active exploitation on March 18.
Vulnerabilities rated "less likely" still get exploited. The rating describes probability at a point in time, not a guarantee about the future.
This is not unique to this CVE. It is a recurring pattern. Security teams that deprioritize patches based solely on Microsoft's exploitation likelihood rating will get burned eventually. Some already have.
What Does Active Exploitation Actually Look Like?
CISA does not typically publish technical attack details when they add a CVE to KEV. What "active exploitation" means in practice is that they have confirmed evidence of real-world attacks, not just proof-of-concept code or theoretical risk.
For a vulnerability like this, the attack flow would look something like this:
- Attacker scans the internet for exposed SharePoint servers (tools like Shodan and Censys make this trivial)
- Attacker sends a crafted HTTP request containing malicious serialized data to a vulnerable endpoint
- SharePoint processes the request, deserializes the payload, and executes attacker-controlled code
- Attacker establishes persistent access, begins internal reconnaissance, or deploys ransomware
No user clicks anything. No phishing email lands in an inbox. The server processes a request and that is it.
Running SharePoint in your environment? A penetration test will confirm whether your server is reachable, patched, and not already compromised. See how our pentests work or book a scoping call.
Patch Status and What to Do Right Now
Microsoft released the fix in the January 2026 Patch Tuesday update. If you have not applied it, that is the immediate action.
What to check:
- Patch Tuesday, January 2026 — Confirm the cumulative update for your SharePoint version is installed. Check SharePoint Central Administration or run a PowerShell build version query.
- Internet exposure — Does your SharePoint server have any interface directly reachable from the internet? VPN-only access significantly reduces your risk surface even on an unpatched server.
- Service account permissions — The code runs in the context of the SharePoint service account. If that account has local administrator rights or excessive AD privileges, the blast radius is larger.
- Logs — Look for unusual HTTP requests to SharePoint endpoints, particularly around deserialization-related paths. If you have a SIEM, build a detection rule now.
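As an added example, not code from the original post, the following PowerShell works through the first three checks above (patch level, internet exposure, service-account privileges) from the SharePoint Management Shell on a farm server. The minimum build number is a placeholder: replace it with the build Microsoft publishes for the January 2026 cumulative update for your edition.

```powershell
# Added example (not from the original post). Run in the SharePoint Management
# Shell on a farm server with farm-admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDER: set to the build number Microsoft lists for the January 2026
# cumulative update for your SharePoint edition (2016 / 2019 / Subscription).
$MinimumPatchedBuild = [version]'0.0.0.0'

# 1. Patch level: compare the farm build against the patched baseline.
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $MinimumPatchedBuild) {
    Write-Warning "Farm build $farmBuild is BELOW the patched baseline $MinimumPatchedBuild"
} else {
    Write-Output "Farm build $farmBuild meets the patched baseline $MinimumPatchedBuild"
}

# 2. Exposure: list every URL each web application answers on. Any hostname
#    here that resolves publicly and is not behind the VPN is internet exposure.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    $urls = ($webApp.AlternateUrls | ForEach-Object { $_.IncomingUrl }) -join ', '
    Write-Output ("[{0}] answers on: {1}" -f $webApp.DisplayName, $urls)
}

# 3. Service-account privileges: flag any application pool identity that is a
#    direct member of the local Administrators group on this server.
#    (Direct membership only; nested group membership is not expanded here.)
$localAdmins = (Get-LocalGroupMember -Group 'Administrators').Name
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    $account = $webApp.ApplicationPool.Username
    if ($localAdmins -contains $account) {
        Write-Warning ("[{0}] app pool runs as {1}, a LOCAL ADMINISTRATOR" -f $webApp.DisplayName, $account)
    } else {
        Write-Output ("[{0}] app pool runs as {1}" -f $webApp.DisplayName, $account)
    }
}
```

Run it on every server in the farm, since a partially applied update can leave one server below the baseline while the farm-level build looks current.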
If you are already patched, do not skip the exposure and logging review. Knowing your server was patched does not tell you whether someone hit it before the patch was applied.
This Is Why "Patch and Verify" Matters
Most organizations have a patch management process. Fewer have a process to verify that patches actually applied correctly, that the vulnerable service is not exposed in ways they did not expect, and that no one got in before the patch went out.
Patching fixes the vulnerability going forward. It does not answer whether an attacker was already in your environment when you patched.
A penetration test covers things that patch management does not:
- It finds exposure you did not know about. SharePoint reachable via an old firewall rule, a reverse proxy misconfiguration, or a DMZ segment that should not have internal connectivity.
- It tests your actual patch state under real conditions, not just whether an update shows as installed in WSUS.
- It checks for indicators of prior compromise. Old web shells, scheduled tasks, persistence mechanisms left behind from an earlier intrusion.
- It validates your detection. Did your logging catch what we did? Would you have known if this were a real attack?
Organizations that run regular pentests find problems like this before they become incidents. The ones that only patch and hope find out differently.
Have not had a pentest in the last 12 months? You probably have exposure you are not aware of. We scope engagements to your environment and deliver clear, actionable reports with no fluff. Talk to us about getting started.
The Bottom Line
CVE-2026-20963 is a no-authentication, no-interaction remote code execution vulnerability in SharePoint Server that is being actively exploited right now. Microsoft patched it in January. CISA confirmed exploitation on March 18 and gave federal agencies three days to comply.
If your organization runs SharePoint Server 2016, 2019, or Subscription Edition, you need to verify the January patch is applied and confirm the server is not exposed in ways you do not expect.
And if you have not had a third party verify your environment recently, this is a good reason to schedule one. Not because of this specific CVE, but because of the next one that gets rated "less likely" right up until the moment it is not.
Know What You Have Before an Attacker Does
Our penetration tests find the unpatched systems, misconfigurations, and exposure that your internal teams miss. Clear report. Prioritized findings. No jargon.