ScreenConnect Servers Exposed & Microsoft SharePoint RCE (CVE‑2026‑20963) Actively Exploited
What Happened – Researchers identified publicly reachable ScreenConnect (ConnectWise Control) servers that were left open to unauthenticated access, providing a foothold for attackers. Separately, CISA added CVE‑2026‑20963 – a remote‑code‑execution flaw in Microsoft SharePoint – to its KEV catalog after confirming active exploitation in the wild.
Why It Matters for TPRM –
- Unprotected remote‑support endpoints can become entry points to client networks, jeopardizing the confidentiality of data handled by third‑party service providers.
- SharePoint is a common collaboration platform for many enterprises; an actively exploited RCE can lead to widespread data breach or ransomware deployment across multiple supply‑chain partners.
Who Is Affected –
- SaaS/remote‑support vendors (ScreenConnect/ConnectWise Control) and their MSP customers.
- Organizations of any size that host Microsoft SharePoint on‑premises or via Microsoft 365, spanning finance, healthcare, government, and technology sectors.
Recommended Actions –
- Inventory all ScreenConnect instances; enforce strong authentication, restrict access to approved IP ranges, and apply the latest patches.
- Verify SharePoint environments are running the January 2026 security update that mitigates CVE‑2026‑20963; if not, patch immediately.
- Conduct a rapid risk assessment of any third‑party services that integrate with these platforms and update contractual security clauses.
Technical Notes –
- ScreenConnect: Misconfiguration left the web console exposed without credential checks; attackers can enumerate endpoints and upload malicious payloads.
- SharePoint (CVE‑2026‑20963): RCE via crafted HTTP request to the /vti_bin/owssvr.dll endpoint; exploits allow arbitrary code execution under the web‑application context.
- No public CVE for the ScreenConnect exposure; the issue is a classic “open server” misconfiguration.
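A log-review aid for the SharePoint note above, added here as an example and not taken from the source article or from Microsoft: it summarises requests to the named endpoint per client IP from IIS W3C logs so that anonymous, external callers surface first. The sample log lines are constructed, and the logged fields and the internal network ranges are assumptions.

```python
import ipaddress
from collections import defaultdict

ENDPOINT_SUFFIX = "vti_bin/owssvr.dll"  # endpoint named in the Technical Notes
# Assumption: RFC 1918 ranges stand in for "internal"; substitute your own.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-01-20 09:14:02 GET /sites/hr/vti_bin/owssvr.dll CONTOSO\\alice 10.0.4.17 200
2026-01-20 09:15:40 POST /vti_bin/owssvr.dll - 203.0.113.45 200
2026-01-20 09:15:41 POST /vti_bin/owssvr.dll - 203.0.113.45 500
2026-01-20 09:16:03 GET /Pages/home.aspx - 198.51.100.7 200
"""

def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))

def triage(text):
    """Summarise requests to the endpoint per client IP, review items first."""
    hits = defaultdict(lambda: {"count": 0, "methods": set(), "anonymous": 0})
    for row in parse_w3c(text):
        if not row.get("cs-uri-stem", "").lower().endswith(ENDPOINT_SUFFIX):
            continue
        h = hits[row["c-ip"]]
        h["count"] += 1
        h["methods"].add(row["cs-method"])
        h["anonymous"] += int(row.get("cs-username", "-") == "-")
    report = []
    for ip, h in hits.items():
        external = not any(ipaddress.ip_address(ip) in n for n in INTERNAL)
        # Flag for analyst review only; this does not identify exploitation.
        report.append({"ip": ip, "external": external, **h,
                       "review": external and h["anonymous"] > 0})
    return sorted(report, key=lambda r: (not r["review"], -r["count"]))

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```

Matching on the path suffix also catches site-relative URLs such as the /sites/hr/ request in the sample; legitimate clients use this endpoint too, so flagged entries are a starting point for review alongside patch verification.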
Source: Help Net Security