QuickMSP Insights

CISA Adds an Actively Exploited Microsoft SharePoint Flaw to KEV: What Businesses Should Do Now

CISA has added CVE-2026-20963, a Microsoft SharePoint deserialization of untrusted data vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog after confirming it has been exploited in the wild. According to CISA, the flaw can allow an unauthorized attacker to execute code over a network. For organizations that still rely on on-premises SharePoint, this is the kind of issue that moves from “patch soon” to “patch now.”

What happened?

In CISA’s KEV entry, Microsoft SharePoint is listed with Date Added: 2026-03-18. The agency describes the vulnerability plainly: it is a deserialization flaw that can lead to remote code execution. When CISA adds a vulnerability to KEV, defenders should assume real-world threat actors are already exploiting it and prioritize remediation accordingly.

Why this matters to businesses

  • SharePoint often sits close to sensitive data. Document repositories, internal workflows, HR files, contracts, and operational records may all be exposed if a server is compromised.
  • Remote code execution raises the stakes. Attackers may be able to run arbitrary code, establish persistence, steal data, or pivot deeper into the network.
  • Public-facing systems are especially urgent. Any exposed SharePoint deployment should be reviewed immediately for internet accessibility and signs of abnormal activity.

What IT teams should do right now

  1. Identify affected SharePoint systems. Confirm every production, staging, and legacy deployment.
  2. Apply Microsoft’s vendor guidance immediately. CISA’s KEV action is clear: apply mitigations per vendor instructions or discontinue use if mitigations are unavailable.
  3. Restrict exposure. If possible, remove direct internet access, enforce VPN-only administration, and tighten firewall rules while patching is underway.
  4. Review logs and endpoint telemetry. Look for unusual web requests, administrative activity, new processes on the server, suspicious outbound connections, and privilege escalation attempts.
  5. Validate backups and recovery. If exploitation has already happened, recovery speed matters as much as patch speed.
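
For step 4, one way to triage process-creation telemetry from a SharePoint server is to list what the web worker process has started. This is an added example, not code from CISA, Microsoft or QuickMSP. It assumes events exported with Sysmon-style field names and SharePoint running in the IIS worker process w3wp.exe; the sample events, host name and process lists are constructed and form a generic heuristic, not indicators published for CVE-2026-20963.

```python
import ntpath

# Assumption: SharePoint serves requests from the IIS worker process.
WORKER = "w3wp.exe"
# Assumption: children a worker starts in normal operation (ASP.NET
# compilers). Tune this allowlist against your own baseline.
EXPECTED = {"csc.exe", "vbc.exe"}
# Assumption: shells and script hosts a web worker rarely needs to start.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
                "wscript.exe", "mshta.exe", "rundll32.exe"}

def _name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def triage(events):
    """Return worker-spawned processes outside the allowlist, worst first."""
    findings = []
    for ev in events:
        if _name(ev.get("ParentImage")) != WORKER:
            continue  # only children of the web worker are of interest
        child = _name(ev.get("Image"))
        if child in EXPECTED:
            continue  # baseline activity such as dynamic compilation
        findings.append({
            "severity": "high" if child in INTERPRETERS else "review",
            "time": ev.get("UtcTime", ""),
            "host": ev.get("Computer", ""),
            "image": ev.get("Image", ""),
            "command": ev.get("CommandLine", ""),
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["time"]))

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"

def _ev(time, parent, image, cmd):
    return {"UtcTime": time, "Computer": "SP-WFE01", "ParentImage": parent,
            "Image": image, "CommandLine": cmd}

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    _ev("2026-03-19 02:10:01", W3WP, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig"),
    _ev("2026-03-19 02:14:07", W3WP, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "echo constructed-sample"'),
    _ev("2026-03-19 02:14:30", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    _ev("2026-03-19 02:14:55", W3WP, r"C:\Windows\Temp\upd.exe", "upd.exe"),
    _ev("2026-03-19 02:15:30", W3WP, r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE", "PowerShell.EXE -NoProfile"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["time"], f["host"], f["image"], f["command"])
```

Anything reported as "review" is an unrecognised child of the worker and should be checked against the server's normal baseline before it is added to the allowlist.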

Executive takeaway

This is a reminder that collaboration platforms are not low-risk infrastructure. They are high-value business systems that often contain the exact information attackers want. If your organization runs SharePoint on-premises, this KEV listing deserves immediate attention from both IT leadership and security operations.

How QuickMSP can help

QuickMSP helps businesses rapidly assess exposure, validate patch status, harden externally accessible services, and review suspicious activity after high-priority vulnerability alerts. If your team is unsure whether your SharePoint environment is exposed or properly remediated, now is the time to verify—not assume.
