CISA has added CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Microsoft SharePoint and is titled “Microsoft SharePoint Deserialization of Untrusted Data Vulnerability”. It enables an unauthorised attacker to execute code over a network by deserialising crafted data.
The vulnerability is a remote code execution flaw caused by insecure deserialisation of untrusted input. An attacker can send a specially crafted request to a vulnerable SharePoint server, causing arbitrary code execution in the context of the SharePoint service. The CVSS v3.1 base score is 8.8, classifying it as HIGH severity. Microsoft has released a patch that addresses the issue, and the advisory is available on the Microsoft Security Response Center website.
Because the CVE appears in the KEV list, active exploitation has been confirmed in the wild. At present there is no publicly reported ransomware campaign leveraging this vulnerability, but the existence of real-world attacks obliges organisations to act quickly. CISA has set a remediation deadline of 21 March 2026 for affected Federal Civilian Executive Branch (FCEB) agencies.
CISA’s required remediation is to “apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” FCEB agencies must implement the Microsoft-provided patch or apply the recommended mitigations by the deadline. All other organisations should review their SharePoint deployments, confirm whether the patch has been applied, and deploy the mitigations without delay.
For full technical details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-20963 and the CISA KEV catalogue.