CISA adds exploited Microsoft SharePoint flaw to KEV catalog and urges fast action


CISA has added a Microsoft SharePoint vulnerability, tracked as CVE-2026-20963, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The agency added the flaw on March 18, 2026 and set a remediation deadline of March 21, 2026 for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01.

The flaw affects Microsoft SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. NVD describes it as a deserialization of untrusted data issue that allows code execution over a network, while Microsoft rates it 8.8 on CVSS v3.1.

One important detail changes how admins should read this story. Some coverage has described the bug as unauthenticated remote code execution, but Microsoft and NVD describe it as an authorized attacker issue, meaning the official advisory requires the attacker to already hold some level of privilege rather than none. CISA still treats it as urgent because attackers are already exploiting it.

What CISA said

CISA said organizations should apply vendor mitigations, follow BOD 22-01 guidance for cloud services where relevant, or stop using the product if mitigations are unavailable. The KEV entry does not name the threat actor and does not say whether the flaw has been used in ransomware attacks.

For federal agencies, the deadline is especially tight. The KEV catalog lists March 21, 2026 as the due date for action, which gives defenders only a few days to reduce exposure.

What the vulnerability does

According to NVD, CVE-2026-20963 is a deserialization of untrusted data vulnerability in Microsoft Office SharePoint. In practical terms, this means the server reconstructs serialized object data it should not trust, and an attacker who can supply that data over the network can steer the reconstruction into executing code on the server.

Microsoft’s published CVSS vector shows PR:L, which means low privileges are required. In CVSS terms, PR:L means the attacker needs only basic user capabilities, which on SharePoint typically corresponds to an ordinary authenticated account, so a single compromised user credential can be enough to reach the flaw. That makes the flaw serious, but it does not support claims of completely unauthenticated exploitation based on the official records now available.

Affected SharePoint versions

Product                                   Status in public records
SharePoint Enterprise Server 2016         Listed as affected
SharePoint Server 2019                    Listed as affected
SharePoint Server Subscription Edition    Listed as affected up to, but excluding, version 16.0.19127.20442

These affected configurations appear in NVD’s public entry for CVE-2026-20963.

Why this matters

SharePoint often stores internal documents, collaboration data, and business workflows, so code execution on a SharePoint server can become a gateway to broader compromise. Even when a flaw requires some level of access, active exploitation means attackers have already found ways to make it useful in real environments. That is why KEV inclusion matters more than the CVSS score alone.

The KEV catalog serves as one of the clearest public signals that defenders should move immediately. CISA only adds vulnerabilities to KEV when it has evidence of exploitation in the wild, and agencies must then remediate within the timeline CISA sets.

What administrators should do now

  • Check whether any SharePoint Server 2016, 2019, or Subscription Edition deployments remain exposed.
  • Review Microsoft’s advisory and apply the available security updates or mitigations.
  • Follow CISA’s KEV guidance and accelerated remediation timeline.
  • If mitigations are unavailable, consider taking the vulnerable product out of service until you can secure it.
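The first two checklist items come down to knowing which SharePoint edition and build each farm is running. The script below is an added example written for this article, not code from CISA, Microsoft or the original page. It reads the farm build from the SharePoint Management Shell and, for Subscription Edition, compares it against the fixed build that NVD lists (16.0.19127.20442, the version that is excluded from the affected range). Fixed builds for SharePoint Server 2016 and 2019 are not given on this page, so the script only reports those farms as affected and points to Microsoft’s advisory. The build-number boundaries used to guess the edition are an assumption for this example and should be confirmed against Get-SPProduct.

```powershell
# Added example (not from the article, CISA or Microsoft): report the local SharePoint
# farm's build and flag Subscription Edition farms that sit below the fixed build NVD
# lists for CVE-2026-20963. Run from an elevated SharePoint Management Shell on a farm server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Fixed build for Subscription Edition, taken from the NVD affected-configuration range
# quoted in the article ("affected up to, but excluding" this version).
$SubscriptionEditionFixed = [Version]'16.0.19127.20442'

function Get-SharePointPatchStatus {
    param(
        # Allow the farm build to be passed in explicitly so the check can also be run
        # against inventory data without a live farm.
        [Version]$FarmBuild = (Get-SPFarm).BuildVersion
    )

    # 2016, 2019 and Subscription Edition all report major.minor 16.0 and differ only in
    # the build number. These boundaries are an assumption for this example; confirm the
    # installed product with Get-SPProduct -Local before acting on the result.
    $edition = switch ($FarmBuild.Build) {
        { $_ -lt 10000 }                    { 'SharePoint Server 2016' }
        { $_ -ge 10000 -and $_ -lt 14000 }  { 'SharePoint Server 2019' }
        default                             { 'SharePoint Server Subscription Edition' }
    }

    $status = switch ($edition) {
        'SharePoint Server Subscription Edition' {
            if ($FarmBuild -lt $SubscriptionEditionFixed) { 'VULNERABLE: below fixed build' }
            else { 'At or above fixed build' }
        }
        default {
            'Listed as affected by NVD; fixed build not on this page, check the Microsoft advisory'
        }
    }

    [PSCustomObject]@{
        Server     = $env:COMPUTERNAME
        Edition    = $edition
        FarmBuild  = $FarmBuild.ToString()
        FixedBuild = if ($edition -like '*Subscription*') { $SubscriptionEditionFixed.ToString() } else { 'see advisory' }
        Status     = $status
    }
}

# The farm BuildVersion only advances after the Products Configuration Wizard (PSConfig)
# has run, so also read the binary on disk. A newer DLL alongside an older farm build
# means the update is installed but not yet fully applied to the farm.
$dll = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll'
if (Test-Path $dll) {
    $fileVersion = (Get-Item $dll).VersionInfo.FileVersion
    Write-Host "Microsoft.SharePoint.dll file version: $fileVersion"
}

Get-SharePointPatchStatus | Format-List
```

Run it on every server in each farm, not just one, and treat a mismatch between the DLL file version and the farm build as unfinished patching rather than as a remediated host.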

Quick facts

Item                  Detail
CVE                   CVE-2026-20963
Product               Microsoft SharePoint
Issue type            Deserialization of untrusted data
Impact                Remote code execution over a network
Exploitation status   Actively exploited
KEV date added        March 18, 2026
Federal due date      March 21, 2026

Source data comes from CISA and NVD.

FAQ

Is CVE-2026-20963 actively exploited?

Yes. CISA added it to the KEV catalog on March 18, 2026, which confirms active exploitation in the wild.

Is this SharePoint flaw unauthenticated?

The public NVD and Microsoft data describe it as an authorized attacker issue with low privileges required. That does not match claims of fully unauthenticated exploitation.

Which SharePoint versions are affected?

Public records list SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Subscription Edition is listed as affected up to, but excluding, version 16.0.19127.20442.

What deadline did CISA set for federal agencies?

CISA set March 21, 2026 as the remediation deadline for affected federal civilian agencies.

What should private organizations do?

CISA’s public guidance says organizations should apply vendor mitigations or discontinue use if mitigations are unavailable. Private-sector defenders should treat the KEV listing as an urgent patch signal even though the binding deadline applies to federal agencies.
