ACCORDING to CISA, a recently patched Microsoft SharePoint remote code execution vulnerability, CVE-2026-20963, has been exploited in the wild. Microsoft outlined the flaw as a critical RCE (CVSS 9.8) enabled by deserialisation of untrusted data and noted the issue affects SharePoint Server 2016, 2019 and Subscription Edition, with the vulnerability disclosed on 13 January 2026 and patched in January 2026 Patch Tuesday updates.
CISA added CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog on 18 March, with agencies instructed to address it by 21 March. Microsoft updated its advisory on 17 March but did not indicate active exploitation, and there is no public information about ongoing attacks at present. The KEV catalog currently lists nine SharePoint vulnerabilities, including three disclosed in 2025 linked to the ToolShell attacks.