CISA Adds Actively Exploited Microsoft SharePoint RCE to KEV Catalog
CISA added CVE-2026-20963, a Microsoft SharePoint deserialization flaw, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The vulnerability allows an unauthorized remote attacker to execute arbitrary code over the network by sending crafted serialized data that SharePoint improperly deserializes, creating a pre-authentication remote code execution path. Reporting indicates the specific threat actors behind the attacks have not been publicly identified, but the flaw affects a widely deployed enterprise collaboration platform that often stores sensitive internal documents and communications.
The KEV entry triggered urgent remediation requirements, including a March 21, 2026 deadline for FCEB agencies under Binding Operational Directive 22-01. Additional reporting notes that the same KEV update also included vulnerabilities in Wing FTP Server and Synacor Zimbra Collaboration Suite, but the SharePoint issue stands out because of its likely value for initial access brokers and ransomware affiliates seeking enterprise footholds. Organizations using SharePoint should treat internet-exposed systems as high priority for patching and review for signs of compromise given confirmed in-the-wild exploitation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA adds Wing FTP and Zimbra flaws to the KEV catalog
In the same March 2026 KEV update, CISA also added CVE-2025-47813 in Wing FTP Server and CVE-2025-66376 in Synacor Zimbra Collaboration Suite, confirming active exploitation of both vulnerabilities. The Wing FTP issue is an information disclosure flaw that can support exploitation chains, while the Zimbra issue is a stored XSS bug in the Classic UI.
CISA orders federal agencies to remediate SharePoint bug by March 21
Following the KEV listing, CISA directed Federal Civilian Executive Branch agencies to patch or mitigate CVE-2026-20963 under Binding Operational Directive 22-01. The agency set a March 21, 2026 deadline, an unusually short three-day remediation window reflecting the urgency of the risk.
CISA adds CVE-2026-20963 to the KEV catalog
On March 18, 2026, CISA added the Microsoft SharePoint vulnerability CVE-2026-20963 to its Known Exploited Vulnerabilities catalog after confirming active in-the-wild exploitation. The flaw is a deserialization issue that can allow unauthenticated remote code execution on vulnerable SharePoint servers.
Microsoft patches SharePoint flaw CVE-2026-20963
Microsoft fixed CVE-2026-20963 in its January 2026 Patch Tuesday updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. At the time, Microsoft reportedly assessed the vulnerability as less likely to be exploited and not publicly known or exploited.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
CERT-EU - Critical Vulnerability in SharePoint Exploited
cert.europa.eu
Open sourceCVE-2026-20963 SharePoint RCE - Microsoft Q&A
learn.microsoft.com
Open sourceCISA Warns of Microsoft SharePoint Vulnerability Exploited in Attacks
cybersecuritynews.com
Open sourceCISA adds Three Vulnerabilities to KEV Catalog - TheCyberThrone
thecyberthrone.in
Open sourceUnknown attackers exploit another critical SharePoint bug • The Register
go.theregister.com
Open sourceCISA warns of active exploitation of Microsoft SharePoint vulnerability (CVE-2026-20963) - Help Net Security
helpnetsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds Microsoft SharePoint and Zimbra Vulnerabilities to KEV Catalog
**CISA** added two newly tracked flaws to its **Known Exploited Vulnerabilities (KEV)** catalog: **CVE-2026-20963** in **Microsoft SharePoint** and **CVE-2025-66376** in **Synacor Zimbra Collaboration Suite**. The SharePoint issue is a deserialization of untrusted data vulnerability, mapped to `CWE-502`, that can allow code execution over the network; CISA’s KEV entry describes it as enabling an unauthorized attacker to execute code remotely. The Zimbra issue is a stored cross-site scripting flaw in the Classic UI, mapped to `CWE-79`, in which attackers can abuse CSS `@import` directives in email HTML. CISA’s KEV update requires federal civilian executive branch agencies to remediate the SharePoint flaw by **2026-03-21** and the Zimbra flaw by **2026-04-01**, or follow applicable mitigation guidance under **BOD 22-01**. The GitHub KEV data commit confirms both additions and records the required actions as applying vendor mitigations, following cloud-service guidance where relevant, or discontinuing use if mitigations are unavailable. The reporting also notes that, while the KEV catalog is binding on federal agencies, private organizations should review the catalog and prioritize these vulnerabilities because CISA has identified them as actively exploited.
Mar 22, 2026
CISA KEV Adds Exploited Flaws in Microsoft Excel, SharePoint, and Apache ActiveMQ
CISA updated its Known Exploited Vulnerabilities catalog to add three newly listed flaws affecting **Microsoft Office Excel**, **Microsoft SharePoint Server**, and **Apache ActiveMQ**. The additions increased the catalog total from 1,566 to 1,569 entries across two updates, with CISA identifying **`CVE-2009-0238`** as a remote code execution vulnerability in Excel, **`CVE-2026-32201`** as an improper input validation spoofing issue in SharePoint Server, and **`CVE-2026-34197`** as an improper input validation flaw in ActiveMQ that can enable code injection. CISA assigned federal remediation deadlines of **2026-04-28** for the Excel and SharePoint entries and **2026-04-30** for the ActiveMQ entry. The catalog records indicate that known ransomware use is **unknown** for all three vulnerabilities, while the ActiveMQ listing references both an Apache security advisory and the NVD entry, underscoring active exploitation concerns for widely deployed enterprise software and messaging infrastructure.
Apr 16, 2026
Microsoft SharePoint Flaws Expose Internet-Facing Servers to Spoofing and RCE Risk
More than **1,370 internet-facing Microsoft SharePoint servers** were reported exposed to active exploitation of **`CVE-2026-32201`**, a spoofing vulnerability affecting SharePoint Server 2016, 2019, and Subscription Edition. Microsoft disclosed the flaw in April and CISA added it to the **Known Exploited Vulnerabilities** catalog the same day, underscoring the urgency for defenders. Although Microsoft scored the bug at **CVSS 6.5**, the risk is elevated because it can be exploited **remotely without authentication** against exposed on-premises deployments, potentially allowing attackers to impersonate users, access or alter sensitive content, steal credentials, and move laterally inside victim environments. The exposure comes amid broader concern over SharePoint security, including Microsoft's disclosure of **`CVE-2026-26106`**, a **remote code execution** vulnerability in SharePoint Server, and earlier reporting that a **China-linked threat actor** was involved in SharePoint attacks, according to Mandiant. The concentration of exposed systems was highest in the **United States**, and the combined reporting points to sustained attacker interest in SharePoint as a route into enterprise networks. Organizations were urged to apply Microsoft's available updates, reduce direct internet exposure of SharePoint servers, and closely monitor authentication and document-access activity for signs of compromise.
May 25, 2026