
Hackers Are Actively Exploiting a Critical Microsoft SharePoint Flaw — Patch Now

A critical SharePoint deserialization flaw (CVE-2026-20963) is being actively exploited. CISA confirmed attacks. Patch immediately.

CVE-2026-20963 SharePoint Remote Code Execution

Attackers are exploiting a critical remote code execution (RCE) vulnerability in Microsoft SharePoint that Microsoft patched two months ago but many organizations have yet to apply. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on March 18, confirming that real-world attacks are underway.

The vulnerability, tracked as CVE-2026-20963, carries a CVSS score of 9.8, which is essentially as critical as it gets. It affects Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.

The flaw stems from how SharePoint handles serialized data — a process where the server converts structured information back into live objects in memory. SharePoint does not properly validate incoming data before using it, so an attacker on the network can send a specially crafted request that causes the server to execute malicious code.

Critically, an unauthenticated attacker can inject and execute arbitrary code remotely on the SharePoint Server without requiring user interaction. There is no need for a password, no need to trick an employee into clicking a link — just a network connection to a vulnerable server.

Once the payload reaches the deserialization routine, SharePoint reconstructs the object in memory and unknowingly executes the embedded logic. This execution occurs within the SharePoint worker process (w3wp.exe) and inherits the permissions of the SharePoint service account. From there, attackers can deploy web shells, run system commands, or establish persistent access.

Déjà Vu: SharePoint as an Enterprise Gateway

This is not SharePoint's first rodeo. Back in July 2025, Microsoft patched the so-called ToolShell vulnerability (CVE-2025-53770), a critical RCE bug in on-premises SharePoint servers that Chinese attackers exploited as a zero-day, compromising more than 400 organizations. 

We had already covered the original ToolShell flaw in detail here. SharePoint servers often contain valuable corporate data and can serve as gateways to the entire corporate environment, making them prime targets. 

CISA's KEV catalog currently includes nine SharePoint vulnerabilities, including three from 2025 tied to the ToolShell attacks.

What You Should Do Right Now

Microsoft told SecurityWeek: "We addressed CVE-2026-20963 in our January Security Update. Customers who have installed the latest updates, or have automatic updates enabled, are already protected."

If you have not patched, do it immediately. Prioritize internet-facing SharePoint systems, enforce VPN or Zero Trust access models, and monitor for unusual processes or unexpected changes to .aspx files. Organizations running legacy SharePoint 2007, 2010, or 2013 should isolate those systems entirely — they will never receive a patch.
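Detection logic for the two indicators the paragraph above recommends watching, as an added example that is not from the article or from Microsoft: the web-root paths, the Sysmon-style event fields and the sample telemetry are constructed assumptions.

```python
# Added example: flag w3wp.exe spawning interpreters and unexpected .aspx changes.
# Event field names, SharePoint paths and sample rows are constructed assumptions.

# Command/script interpreters a SharePoint worker process should never launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}

# Assumed SharePoint web roots from which a dropped .aspx page would be served.
SP_WEB_ROOTS = (
    r"c:\program files\common files\microsoft shared\web server extensions\16\template\layouts",
    r"c:\inetpub\wwwroot\wss\virtualdirectories",
)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_process_events(events):
    """Process-creation records whose parent is w3wp.exe and whose image is an interpreter."""
    return [ev for ev in events
            if _basename(ev["parent_image"]) == "w3wp.exe"
            and _basename(ev["image"]) in SUSPICIOUS_CHILDREN]

def flag_aspx_changes(file_events, baseline):
    """Created/modified .aspx files under the web roots that are absent from the known-good baseline."""
    known = {p.lower() for p in baseline}
    return [ev for ev in file_events
            if ev["path"].lower().endswith(".aspx")
            and ev["path"].lower().startswith(SP_WEB_ROOTS)
            and ev["path"].lower() not in known]

# Constructed sample telemetry mixing benign and suspicious rows.
PROCESS_EVENTS = [
    {"time": "10:02:11", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"CONTOSO\sp_farm"},
    {"time": "10:02:12", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "user": r"CONTOSO\sp_farm"},
    {"time": "10:05:40", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"time": "10:06:03", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe", "user": r"CONTOSO\sp_farm"},  # benign child
]
FILE_EVENTS = [
    {"time": "10:02:15", "op": "create", "path": SP_WEB_ROOTS[0] + r"\newpage.aspx"},  # not in baseline
    {"time": "10:03:00", "op": "modify", "path": SP_WEB_ROOTS[0] + r"\error.aspx"},    # baselined
    {"time": "10:03:30", "op": "create", "path": r"C:\Temp\notes.aspx"},               # outside web roots
]
BASELINE_ASPX = {SP_WEB_ROOTS[0] + r"\error.aspx"}

if __name__ == "__main__":
    for ev in flag_process_events(PROCESS_EVENTS):
        print("ALERT w3wp.exe spawned", _basename(ev["image"]), "as", ev["user"], "at", ev["time"])
    for ev in flag_aspx_changes(FILE_EVENTS, BASELINE_ASPX):
        print("ALERT unexpected .aspx", ev["op"], ev["path"])
```

In production the baseline should be a hash inventory taken from a known-clean server, since an attacker can overwrite an existing .aspx page rather than create a new one.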
