A critical Microsoft SharePoint vulnerability, CVE-2026-20963, is now being actively exploited in the wild. The flaw enables remote code execution (RCE) and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability stems from the deserialization of untrusted data, allowing attackers to execute arbitrary code on affected SharePoint servers with minimal interaction.
Given SharePoint’s role as a central collaboration and document management platform, successful exploitation can provide attackers with a high-value foothold into enterprise environments.
Technical Details
- CVE: CVE-2026-20963
- Severity: Critical (CVSS ~9.8)
- Vulnerability Type: Deserialization of untrusted data
- Impact: Remote Code Execution
- Attack Vector: Network-based
The flaw allows attackers to inject malicious serialized objects, which are then processed by the SharePoint application. When deserialized, these objects can trigger execution of arbitrary commands on the underlying system.
In some scenarios, exploitation may be possible without authentication, significantly increasing the risk to internet-facing SharePoint servers.
Note: This flaw only impacts on-premises Microsoft SharePoint Server deployments and does not affect SharePoint Online (Microsoft 365), as the cloud service is managed and patched directly by Microsoft.
Observed Threat Activity
CISA has confirmed active exploitation in the wild and mandated remediation timelines for federal agencies.
Exploitation activity is ongoing, with unknown threat actors currently leveraging the vulnerability.
While attribution is not yet confirmed, historical SharePoint exploitation campaigns have been linked to state-sponsored espionage groups, initial access brokers, and ransomware operators.
These actors typically target unpatched, internet-exposed SharePoint servers to gain initial access and expand further into the environment.
Mitigation & Recommendations
Organizations using on-premises Microsoft SharePoint Server should take immediate action:
- Apply the January 2026 security updates addressing CVE-2026-20963
- Restrict external access to SharePoint servers where possible
- Validate that no unauthorized code or webshells are present
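One way to carry out the last check above, as an added example that is not from the original advisory or from Microsoft: it hashes the server-executable files under a web directory and reports any that are new or changed relative to a known-good copy, such as a clean install or a pre-incident backup. The directory arguments, the extension list and the function names are assumptions, and the demo files are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions ASP.NET compiles or executes on request (assumed list, extend as needed).
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".ascx"}


def hash_tree(root):
    """Map each server-executable file under root to (sha256, mtime)."""
    root, result = Path(root), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in SCRIPT_EXTS:
                continue
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            # Lower-case POSIX-style keys so a Windows tree and its copy compare equal.
            rel = path.relative_to(root).as_posix().lower()
            result[rel] = (digest, path.stat().st_mtime)
    return result


def find_unexpected(baseline_root, live_root, changed_since=0.0):
    """List files that are new or altered relative to a known-good baseline."""
    baseline, findings = hash_tree(baseline_root), []
    for rel, (digest, mtime) in sorted(hash_tree(live_root).items()):
        known = baseline.get(rel)
        if known and known[0] == digest:
            continue  # unchanged since the baseline
        status = "modified" if known else "new"
        # 'recent' is a triage hint only: mtime can be forged, the hash cannot.
        findings.append({"path": rel, "status": status, "sha256": digest,
                         "recent": mtime >= changed_since})
    return findings


def demo():
    """Run the check on two small constructed trees (not real SharePoint files)."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "baseline"), Path(tmp, "live")
        for tree in (good, live):
            (tree / "layouts").mkdir(parents=True)
            (tree / "layouts" / "start.aspx").write_text("<%@ Page %>")
            (tree / "layouts" / "error.aspx").write_text("<%@ Page %>")
        (live / "layouts" / "error.aspx").write_text("<%@ Page %><!-- edited -->")
        (live / "layouts" / "extra.ASPX").write_text("<%@ Page %>")  # new file
        return [(f["status"], f["path"]) for f in find_unexpected(good, live)]
```

Build the baseline from installation media or a backup that predates exposure, and review every "new" or "modified" entry by hand, since legitimate customizations will also appear.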
Stay Safe. Stay Secure
OP Innovate Research Team



