Critical Remote Code Execution Vulnerability in Microsoft SharePoint (CVE‑2026‑20963) Actively Exploited
What Happened – A critical deserialization flaw (CVE‑2026‑20963) in Microsoft SharePoint Server 2016, 2019 and Subscription Edition was patched in January 2026, but CISA has confirmed it is already being exploited in the wild. The vulnerability allows unauthenticated attackers to achieve remote code execution on unpatched servers.
Why It Matters for TPRM (Third‑Party Risk Management) –
- SharePoint is a core collaboration platform for many third‑party vendors and their customers; a compromise can expose internal documents, credentials, and downstream services.
- Exploitation does not require prior access, so any organization still running vulnerable versions is at immediate risk.
- Federal directives (CISA BOD 22‑01) mandate rapid remediation, highlighting the urgency for all supply‑chain partners.
Who Is Affected – Enterprises across all sectors that host on‑premises SharePoint Server 2016, 2019 or Subscription Edition; organizations still operating legacy, end‑of‑support versions (2007‑2013), for which no fix is issued, face additional exposure.
Recommended Actions –
- Verify that all SharePoint instances are patched to the January 2026 release or later.
- Decommission or upgrade any end‑of‑support SharePoint versions.
- Conduct a rapid inventory of SharePoint assets within your vendor ecosystem and confirm remediation status.
- Review network segmentation and monitoring for signs of exploitation (unexpected outbound connections, anomalous processes).
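One way to carry out the first and third actions on each farm, as an added example (not code from the advisory, CISA or Microsoft): it reads the farm build from the SharePoint object model and compares it with a minimum patched build. It assumes it runs in the SharePoint Management Shell on a farm server as a farm administrator; the January 2026 build number is not given on this page, so the `$MinimumPatchedBuild` value is a placeholder to be filled in from Microsoft's update KB for the installed edition.

```powershell
# Added example: farm-level patch check for SharePoint 2016 / 2019 / Subscription Edition.
# Assumptions (not from the advisory): run in the SharePoint Management Shell on a farm
# server as a farm administrator. The January 2026 build number is NOT on the page, so
# $MinimumPatchedBuild is a PLACEHOLDER; set it from the KB article for your edition.
param(
    [Version]$MinimumPatchedBuild = [Version]'0.0.0.0'   # PLACEHOLDER: replace with the KB build
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

$farm  = Get-SPFarm
$build = $farm.BuildVersion          # System.Version of the farm configuration database

# Installed product names, so the correct edition's KB build can be matched.
$products = Get-SPProduct -Local | Select-Object -ExpandProperty ProductName

$report = [pscustomobject]@{
    Server       = $env:COMPUTERNAME
    Products     = ($products -join '; ')
    FarmBuild    = $build.ToString()
    MinimumBuild = $MinimumPatchedBuild.ToString()
    Patched      = ($build -ge $MinimumPatchedBuild)
    CheckedAt    = (Get-Date).ToString('o')
}

$report | Format-List

if ($MinimumPatchedBuild -eq [Version]'0.0.0.0') {
    Write-Warning 'MinimumPatchedBuild is still the placeholder; set it from the January 2026 KB before trusting the Patched flag.'
}
elseif (-not $report.Patched) {
    Write-Warning "Farm build $build is below $MinimumPatchedBuild; apply the January 2026 update and run the SharePoint Products Configuration Wizard."
}

# One CSV row per farm feeds the asset inventory requested in the Recommended Actions.
$report | Export-Csv -Path ".\sharepoint-patch-status-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

Run it on every SharePoint farm in scope and collect the CSV files to confirm remediation status across the vendor ecosystem.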
Technical Notes – The flaw is a low‑complexity deserialization of untrusted data that leads to remote code execution without authentication. No CVE‑2025‑40551 involvement. Exploitation has been observed in federal networks; no ransomware linkage reported yet. Source: BleepingComputer