CISA Warns: Critical SharePoint RCE Flaw Now Actively Exploited in Attacks

CISA Adds Critical SharePoint RCE Flaw (CVE-2026-20963) to Known Exploited Vulnerabilities Catalog

CRITICAL
March 14, 2026
6m read
VulnerabilityPatch ManagementCyberattack

Related Entities

CVE Identifiers

CVE-2026-20963
CRITICAL
CVSS:9.8
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1190Initial Access

Exploit Public-Facing Application

T1505.003Persistence

Server Software Component: Web Shell

T1059.001Execution

Command and Scripting Interpreter: PowerShell

T1041Exfiltration

Exfiltration Over C2 Channel

Full Report

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning that a critical remote code execution (RCE) vulnerability in Microsoft SharePoint Server is being actively exploited in the wild. The vulnerability, tracked as CVE-2026-20963, allows an unauthenticated attacker to execute arbitrary code on a vulnerable server, posing a severe threat to data confidentiality, integrity, and availability. Due to evidence of active exploitation, CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by March 21, 2026. Given the prevalence of SharePoint for storing sensitive corporate data, all organizations using affected versions are strongly advised to apply the necessary security updates immediately to prevent compromise.

Vulnerability Details

  • CVE ID: CVE-2026-20963
  • CVSS 3.1 Score: 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None

The vulnerability is caused by the insecure deserialization of untrusted data within SharePoint Server. An attacker can send a specially crafted request to a vulnerable server to trigger the flaw and achieve remote code execution. The fact that it requires no authentication and no user interaction makes it 'wormable' and extremely dangerous, allowing for rapid, automated attacks against any vulnerable, internet-facing server.

Affected Systems

The vulnerability affects the following Microsoft products:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server Subscription Edition

Microsoft released a patch for this vulnerability during its January 2026 Patch Tuesday cycle. At that time, it was not known to be exploited.

Exploitation Status

As of March 18, 2026, this vulnerability is actively exploited in the wild. CISA's addition of CVE-2026-20963 to the KEV catalog serves as official confirmation of this status. While details of the attacks and the threat actors involved have not been publicly disclosed, the confirmation of active exploitation dramatically increases the urgency for all organizations to patch. Unpatched, internet-facing SharePoint servers are at immediate risk of compromise.

Impact Assessment

A successful exploit of CVE-2026-20963 gives an attacker full control over the compromised SharePoint server. This can lead to several devastating outcomes:

  • Data Theft: Attackers can access and exfiltrate all data stored on the SharePoint server, which often includes sensitive documents, intellectual property, and internal communications.
  • Ransomware Deployment: The compromised server can be used as a beachhead to deploy ransomware across the internal network.
  • Lateral Movement: Attackers can use their foothold on the SharePoint server to move laterally to other systems within the corporate network, such as domain controllers.
  • Web Shell Installation: A common follow-on action is the installation of a web shell for persistent access to the server.

Cyber Observables for Detection

To hunt for exploitation of CVE-2026-20963, security teams should look for:

Type Value Description
process_name w3wp.exe The SharePoint worker process (w3wp.exe) spawning suspicious child processes like cmd.exe, powershell.exe, or rundll32.exe.
file_path C:\Program Files\Common Files\microsoft shared\Web Server Extensions\ Creation of unexpected files (e.g., .aspx, .php) in SharePoint web directories, which could indicate a web shell.
url_pattern Suspicious POST requests Look for unusual POST requests to SharePoint endpoints, particularly those containing long, serialized data strings.
log_source ULS Logs SharePoint's own ULS logs may contain error messages or stack traces related to deserialization failures during an exploit attempt.

Detection Methods

  1. EDR Monitoring: Use an EDR solution to monitor the w3wp.exe process on SharePoint servers. Alert on any child process anomalies, as this is a primary indicator of successful RCE.
  2. File Integrity Monitoring (FIM): Deploy FIM on SharePoint web directories to immediately detect the creation or modification of files, which could be a web shell.
  3. WAF/Log Analysis: Analyze web server and WAF logs for requests that match known proof-of-concept exploit patterns for this CVE. Monitor for requests from unusual user-agents or suspicious IP addresses targeting SharePoint servers. Reference D3FEND's Network Traffic Analysis.

Remediation Steps

  1. Patch Immediately: The only effective remediation is to apply the security updates released by Microsoft in January 2026. Given the active exploitation, this should be treated as an emergency change. This is the core of Software Update.
  2. Assume Compromise: For any unpatched, internet-facing SharePoint server, organizations should assume it may already be compromised. Initiate a hunt for the observables listed above to search for signs of post-exploitation activity.
  3. Restrict Access: If immediate patching is not possible, restrict access to the SharePoint server at the network level. Block all incoming traffic from the internet if the server is not required to be public-facing. If it is, use a WAF with virtual patching rules to block exploit attempts, though this is a temporary measure and not a substitute for patching.

Timeline of Events

1
January 14, 2026
Microsoft releases a patch for CVE-2026-20963 as part of its January Patch Tuesday.
2
March 14, 2026
This article was published
3
March 18, 2026
CISA adds CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation.
4
March 21, 2026
Deadline for U.S. Federal Civilian Executive Branch agencies to apply the patch for CVE-2026-20963.

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

Applying the security update from Microsoft is the primary and most effective way to remediate this vulnerability.

Mapped D3FEND Techniques:

D3-SU

Filter Network Traffic

M1037enterprise

Restricting internet access to SharePoint servers or using a WAF can provide a layer of defense if patching is delayed.

Behavior Prevention on Endpoint

M1040enterprise

Using an EDR to monitor for anomalous process creation from the SharePoint worker process (w3wp.exe) can detect successful exploitation.

D3FEND Defensive Countermeasures

Software Update

D3-SUMaps to MITREM1051
D3FEND

The immediate and highest-priority action for all organizations running affected versions of Microsoft SharePoint Server is to apply the security update that patches CVE-2026-20963. This vulnerability is critical (9.8), unauthenticated, and now confirmed by CISA to be under active attack. This is an emergency patching scenario. Do not wait for a standard patch cycle. The risk of complete server compromise, data theft, and ransomware deployment is extremely high. Use enterprise patch management systems to deploy the update and vulnerability scanners to verify that all SharePoint servers have been successfully patched. For internet-facing servers, this action should have been completed in January; any delay now constitutes an unacceptable risk.

Process Analysis

D3-PAMaps to MITREM1049
D3FEND

While patching is underway, and for post-patch threat hunting, security teams must focus on process analysis on their SharePoint servers. A successful exploit of CVE-2026-20963 will result in the SharePoint worker process, w3wp.exe, spawning an anomalous child process (e.g., cmd.exe, powershell.exe). Configure your Endpoint Detection and Response (EDR) solution with a high-severity alert for this specific behavior on any server running SharePoint. This is a very high-fidelity indicator of compromise. Hunt retroactively through EDR logs for any past instances of this activity to determine if a compromise occurred before the patch was applied. This detective control is crucial for identifying a breach and initiating incident response.

Inbound Traffic Filtering

D3-ITFMaps to MITREM1050
D3FEND

As a compensating control, especially if patching is delayed, use a Web Application Firewall (WAF) to protect your SharePoint servers. Work with your WAF vendor to obtain and apply a 'virtual patch' or signature that can detect and block exploit attempts for CVE-2026-20963. Additionally, if your SharePoint server does not need to be accessible from the entire internet, implement strict network firewall rules to limit inbound access to only trusted IP ranges (e.g., corporate offices, VPN clients). This reduces the attack surface and limits the number of potential attackers who can reach the vulnerable service. However, these are temporary measures and not a substitute for applying the official security update from Microsoft.

Sources & References

CISA Warns of Attacks Exploiting Recent SharePoint Vulnerability
SecurityWeek (securityweek.com) March 19, 2026
Critical Microsoft SharePoint flaw now exploited in attacks
BleepingComputer (bleepingcomputer.com) March 19, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

SharePointVulnerabilityRCECISAKEVPatch Tuesday

📢 Share This Article

Help others stay informed about cybersecurity threats