March 20, 2026
Critical Vulnerability in Microsoft SharePoint under Active Exploitation (CVE-2026-20963)
On March 18th, 2026, CISA added a Microsoft SharePoint vulnerability tracked as CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the vulnerability is now being actively exploited in the wild.
Executive Summary
The vulnerability is classified as a deserialization flaw that allows unauthenticated remote attackers to achieve remote code execution on affected SharePoint servers, potentially resulting in complete compromise of the server and hosted data. Microsoft released patches to fix this vulnerability in January 2026. Impacted versions of Microsoft SharePoint include SharePoint Server Subscription Edition, SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016.
Due to confirmed exploitation, and the sensitive nature of data hosted in SharePoint, Beazley Security strongly recommends organizations immediately patch affected SharePoint versions.
Affected Systems or Products
| Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| Microsoft SharePoint Server Subscription Edition | Prior to 16.0.19127.20442 | 16.0.19127.20442 |
| Microsoft SharePoint Enterprise Server 2016 | Prior to 16.0.10417.20083 | 16.0.10417.20083 |
| Microsoft SharePoint Server 2019 | Prior to 16.0.5535.1001 | 16.0.5535.1001 |
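A small build-comparison check, added here as an example rather than taken from the advisory or from Microsoft tooling. It encodes the fixed builds from the table above and compares a farm's installed build numerically, because a plain string comparison gets four-part build numbers wrong (for example "16.0.5535.1001" sorts after "16.0.10417.20083" as text). The product name and installed build are assumed to be supplied by the operator (for instance from Central Administration or the farm's build property); the inventory entries at the bottom are constructed sample data.

```python
# Added example (not from the advisory): flag SharePoint farms whose installed
# build is older than the fixed build listed in the advisory's table.
from typing import Dict, List, Tuple

# Fixed builds exactly as stated in the advisory table.
FIXED_BUILDS: Dict[str, str] = {
    "SharePoint Server Subscription Edition": "16.0.19127.20442",
    "SharePoint Enterprise Server 2016": "16.0.10417.20083",
    "SharePoint Server 2019": "16.0.5535.1001",
}


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '16.0.19127.20442' into (16, 0, 19127, 20442) so that comparison
    is numeric per component instead of lexicographic on the whole string."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build string: {build!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, installed_build: str) -> bool:
    """True when the installed build is older than the fixed build for that product."""
    if product not in FIXED_BUILDS:
        raise ValueError(f"no fixed build known for {product!r}")
    return parse_build(installed_build) < parse_build(FIXED_BUILDS[product])


def audit(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Annotate each inventory entry (host, product, build) with a status.
    Unknown products are reported rather than silently skipped."""
    results = []
    for entry in inventory:
        try:
            status = "VULNERABLE" if is_vulnerable(entry["product"], entry["build"]) else "patched"
        except ValueError as exc:
            status = f"unknown ({exc})"
        results.append({**entry, "status": status})
    return results


# Constructed sample inventory (hypothetical hosts and builds, not real data).
SAMPLE_INVENTORY = [
    {"host": "sp-sub-01", "product": "SharePoint Server Subscription Edition", "build": "16.0.19127.20442"},
    {"host": "sp-2016-01", "product": "SharePoint Enterprise Server 2016", "build": "16.0.5535.1001"},
    {"host": "sp-2019-01", "product": "SharePoint Server 2019", "build": "16.0.5530.1000"},
    {"host": "sp-old-01", "product": "SharePoint Server 2013", "build": "15.0.4571.1502"},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(f"{row['host']:<12} {row['product']:<42} {row['build']:<18} {row['status']}")
```

The second sample host illustrates the pitfall: its build string would compare as "newer" than the fixed build under string ordering, but numerically 5535 is below 10417, so it is reported as vulnerable.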
Mitigations / Workarounds
Given the sensitive nature of SharePoint data and confirmed active exploitation of CVE-2026-20963, organizations should prioritize patching with the available January 2026 fixes provided by Microsoft. If patching is not immediately possible, risk may be reduced by:
Restricting network access to affected SharePoint servers from the internet and other untrusted sources.
Following best practice network segmentation to isolate vulnerable SharePoint servers from other sensitive internal resources, which limits potential for lateral movement if compromised.
Deploying Web Application Firewalls (WAFs) to detect and block attacks targeting vulnerable systems.
Patches
Patches are available through the “Security Updates” section within Microsoft’s Security Response Center (MSRC) and can be located toward the bottom of this website.
Microsoft originally released fixes as part of its January 2026 “Patch Tuesday” release cycle.
Indicators of Compromise
Neither CISA nor Microsoft has publicly released details about indicators of compromise or attack. The identity or attribution of the threat actors exploiting this vulnerability has also not been publicly disclosed at the time of this writing.
Prior critical SharePoint vulnerabilities such as “ToolShell” have been targeted by state-sponsored groups and ransomware operators, who deployed and weaponized web shells on affected systems.
Given the lack of public indicators, defenders can watch for the following behaviors common to deserialization attacks against SharePoint servers:
Unexpected processes spawned by SharePoint worker processes, such as w3wp.exe launching system tools like cmd.exe, powershell.exe, or net.exe.
Malicious web shell files, commonly with .aspx, .ashx, or .asmx extensions, indicating post-exploitation activity and persistence.
Other unexpected or unauthorized files appearing on vulnerable SharePoint servers, specifically in SharePoint web directories.
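The three behaviors above translate directly into triage rules. The following is an added example, not tooling from Beazley Security, CISA, or Microsoft: it runs over a constructed batch of process-creation and file-creation events in a Sysmon-like key/value shape (field names such as ParentImage, Image, and TargetFilename are assumed for illustration) and flags w3wp.exe spawning the tools named in the advisory, plus new .aspx/.ashx/.asmx files in SharePoint web directories that are not in a known-good baseline. The watched directories are assumed example paths and should be adjusted to the farm being monitored.

```python
# Added example (not from the advisory): triage rules for the behaviors the
# advisory lists. Input events are constructed; the schema is an assumption.
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

SHAREPOINT_WORKER = "w3wp.exe"
# Child processes named in the advisory as unexpected for a SharePoint worker.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "net.exe"}
# Extensions the advisory associates with web shells.
WEBSHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx"}
# Assumed SharePoint web directories to watch (example paths, lower-cased).
WEB_DIRECTORIES = (
    r"c:\program files\common files\microsoft shared\web server extensions\16\template\layouts",
    r"c:\inetpub\wwwroot\wss\virtualdirectories",
)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def flag_process_event(event: Dict[str, str]) -> Optional[Finding]:
    """Rule 1: SharePoint worker process spawning a command interpreter or net.exe."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent == SHAREPOINT_WORKER and child in SUSPICIOUS_CHILDREN:
        return Finding(
            "sharepoint-worker-spawns-shell",
            event.get("Computer", "?"),
            f"{parent} -> {child}: {event.get('CommandLine', '')}",
        )
    return None


def flag_file_event(event: Dict[str, str], known_files: Set[str]) -> Optional[Finding]:
    """Rules 2 and 3: a script-handler file appearing in a SharePoint web
    directory that is not part of the known-good baseline."""
    path = event.get("TargetFilename", "")
    lowered = path.lower()
    _, ext = ntpath.splitext(lowered)
    in_web_dir = any(lowered.startswith(d) for d in WEB_DIRECTORIES)
    if ext in WEBSHELL_EXTENSIONS and in_web_dir and lowered not in known_files:
        return Finding("new-script-in-sharepoint-webdir", event.get("Computer", "?"), path)
    return None


def triage(events: Iterable[Dict[str, str]], known_files: Set[str]) -> List[Finding]:
    """Apply the rules to a stream of events and collect findings in order."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventType") == "ProcessCreate":
            hit = flag_process_event(ev)
        elif ev.get("EventType") == "FileCreate":
            hit = flag_file_event(ev, known_files)
        else:
            hit = None
        if hit is not None:
            findings.append(hit)
    return findings


_LAYOUTS = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
_W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"

# Constructed sample events (hypothetical hosts, paths and command lines).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Computer": "SP01", "ParentImage": _W3WP,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c hostname"},
    {"EventType": "ProcessCreate", "Computer": "SP01", "ParentImage": _W3WP,
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},
    {"EventType": "ProcessCreate", "Computer": "WS07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventType": "FileCreate", "Computer": "SP01", "TargetFilename": _LAYOUTS + r"\upload_handler.aspx"},
    {"EventType": "FileCreate", "Computer": "SP01", "TargetFilename": _LAYOUTS + r"\error.aspx"},
    {"EventType": "FileCreate", "Computer": "SP01", "TargetFilename": r"C:\Temp\report.docx"},
]

# Constructed baseline of files expected in the web directory (lower-cased paths).
KNOWN_FILES = {(_LAYOUTS + r"\error.aspx").lower()}

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, KNOWN_FILES):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The baseline set is what makes rule 3 usable: SharePoint ships many legitimate .aspx files under its web directories, so a bare extension match would be noise. Build the baseline from a freshly patched reference server and re-derive it after each cumulative update.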
Technical Details
CVE-2026-20963 is classified as a deserialization vulnerability affecting SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. This flaw allows an unauthenticated remote attacker to send a specially crafted serialized payload to a vulnerable SharePoint endpoint, resulting in remote code execution on the hosting server.
If successfully exploited, the executed code is expected to run under the security context of the SharePoint application process, granting the attacker the ability to read and write files on the server, interact with connected resources, and deploy additional payloads in an attempt to establish persistence.
Active exploitation has been confirmed in the wild, and SharePoint has a documented history of being targeted by nation-state actors and opportunistic ransomware operators.
Given that SharePoint commonly serves as a central repository for sensitive information, Beazley Security strongly recommends that affected organizations apply provided January 2026 fixes immediately.
How Beazley Security is responding
Beazley Security is monitoring client environments through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.