A critical Microsoft SharePoint vulnerability disclosed in January has been exploited in the wild. The confirmation comes from the US Cybersecurity and Infrastructure Security Agency (CISA), which added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday.
CVE-2026-20963, a remote code execution (RCE) SharePoint vulnerability Microsoft fixed in January 2026, is being exploited by attackers. While security researchers have confirmed the ongoing attacks, the specific advanced persistent threat (APT) groups behind these campaigns currently remain unidentified. CISA notes that the vulnerability's involvement in active ransomware campaigns is presently unknown.
The timeline exposes a troubling vulnerability management problem. At the time of the release of the fix, Microsoft judged the vulnerability as "less likely" to be exploited, though it still urged organisations using SharePoint to upgrade to a fixed version as soon as possible. Yet someone was already working to exploit it. The fact that unknown threat actors detected and weaponised this flaw within weeks of Microsoft's patch suggests either sophisticated reconnaissance capabilities or pure opportunism targeting unpatched systems.
CVE-2026-20963 affects Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016. It is caused by deserialization of untrusted data and may allow an unauthorized attacker to achieve RCE through a low-complexity attack. "In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server," Microsoft explained in the related security advisory published on January 13, 2026.
No user interaction is required for CVE-2026-20963 exploitation. That's the critical distinction that elevates this threat. SharePoint installations house sensitive government documents, corporate strategy, intellectual property, and employee personal data. An attacker who gains code execution can steal everything, deploy malware, or establish persistent backdoors for lateral movement into wider networks.
The remediation window is impossibly tight by design. All vulnerable instances of Microsoft SharePoint must be completely patched or mitigated by March 21, 2026. That represents a deliberate policy choice: CISA prioritises speed over coordination. The logic is sound for critical infrastructure. Once a vulnerability is confirmed exploited, every additional day increases the risk that a compromised system will be leveraged for espionage, fraud, or extortion.
Federal agencies face mandatory deadlines. Private-sector organisations are strongly encouraged to adopt this aggressive timeline to protect their digital infrastructure. Administrators must immediately review Microsoft's official security advisories and apply all available security updates. The language is diplomatic. The reality is blunt: those who delay will be exploited.
While Microsoft updated its CVE-2026-20963 advisory this Tuesday, the company has yet to flag it as exploited in the wild. That discrepancy matters. Microsoft's own security messaging trails behind CISA's threat intelligence, creating a credibility gap. Organisations checking the vendor's guidance for exploitation status would find no urgent warning, yet CISA's addition to the KEV catalog signals that threat actors are actively targeting their systems right now.
This is the second major SharePoint crisis in nine months. CISA's KEV catalog currently includes nine SharePoint vulnerabilities, including three disclosed in 2025 and associated with the ToolShell attacks. The 2025 ToolShell campaign compromised over 400 organisations including US government agencies. SharePoint has become a persistent vulnerability engine for sophisticated attackers, whether Chinese intelligence services, criminal ransomware gangs, or unknown opportunists.
The stakes are institutional. SharePoint stores the artefacts of government and enterprise decision-making. Loss of control over these systems means loss of knowledge about strategy, operations, and vulnerabilities. Because SharePoint environments typically house highly sensitive enterprise documents and internal communications, a successful remote code execution attack could result in a devastating corporate data breach.
If immediate patching is technically impossible within the environment, organisations must apply vendor-supplied mitigations. If no alternative mitigations are available, CISA explicitly advises network defenders to discontinue use of the vulnerable product entirely until a permanent fix can be safely implemented. That last option reflects the severity: if you cannot patch and cannot mitigate, the safest choice is to turn off SharePoint entirely until you can patch safely.
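As an added illustration of the KEV-driven triage CISA's guidance implies (this is not code from the article, CISA or Microsoft), the script below reads records in the shape of CISA's public KEV JSON feed, keeps the SharePoint entries, and reports each one's remediation status against its due date and its known-ransomware-use flag. The feed content is a constructed sample: the SharePoint record mirrors the values the article reports, the `dateAdded` is assumed, and the second record is a placeholder showing that non-SharePoint entries are skipped.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's public KEV JSON feed (same field
# names). The SharePoint record mirrors the article; dateAdded is an assumption
# (the article only says "Wednesday"); the second record is a placeholder.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20963", "vendorProject": "Microsoft",
     "product": "SharePoint Server",
     "vulnerabilityName": "Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability",
     "dateAdded": "2026-03-18", "dueDate": "2026-03-21",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue "
                       "use of the product if mitigations are unavailable.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",  # placeholder
     "product": "Other Product", "vulnerabilityName": "Placeholder entry",
     "dateAdded": "2026-03-18", "dueDate": "2026-04-08",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
]})


def sharepoint_entries(feed_text):
    """Return the KEV records whose product or name mentions SharePoint."""
    vulns = json.loads(feed_text)["vulnerabilities"]
    return [v for v in vulns
            if "sharepoint" in (v.get("product", "") + " "
                                + v.get("vulnerabilityName", "")).lower()]


def triage(feed_text, today_iso):
    """Remediation status of each SharePoint KEV entry as of today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    report = []
    for v in sharepoint_entries(feed_text):
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"        # past the BOD 22-01 due date
        elif days_left <= 3:
            status = "DUE SOON"       # inside the short window the article describes
        else:
            status = "ON TRACK"
        report.append({"cve": v["cveID"], "due": v["dueDate"], "days_left": days_left,
                       "status": status,
                       "ransomware_use": v.get("knownRansomwareCampaignUse", "Unknown"),
                       "action": v["requiredAction"]})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_KEV_FEED, date.today().isoformat()):
        print(f"{row['cve']}: {row['status']} (due {row['due']}, {row['days_left']} days "
              f"left); ransomware use: {row['ransomware_use']}; action: {row['action']}")
```

Pointing `triage` at the live feed instead of `SAMPLE_KEV_FEED` turns this into a daily check that surfaces new SharePoint KEV additions before their due dates lapse.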
The practical challenge for many organisations is daunting. SharePoint integrates deeply into enterprise infrastructure. Patching may require testing, scheduling downtime, and coordinating across multiple teams. Three days is extraordinarily short for that process. Yet waiting is not an option; the attackers are not waiting.