A critical Microsoft SharePoint vulnerability patched in January is now being exploited in attacks, the Cybersecurity and Infrastructure Security Agency (CISA) warned.
Tracked as CVE-2026-20963, this security flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
Successful exploitation enables threat actors without privileges to achieve remote code execution on unpatched servers in low-complexity attacks that exploit a deserialization of untrusted data weakness.
“In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server,” Microsoft said when it patched the vulnerability as part of its January 2026 Patch Tuesday.
While Microsoft updated its CVE-2026-20963 advisory this Tuesday, the company has yet to flag it as exploited in the wild.
However, CISA added the security flaw to its catalog of actively exploited vulnerabilities and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers by Saturday, March 21.
FCEB agencies are non-military U.S. executive branch agencies, such as the Department of Homeland Security, the Department of Energy, the Department of Justice, and the Department of State.
CISA didn’t provide further information on these ongoing CVE-2026-20963 attacks and has yet to find any evidence that it’s being exploited in ransomware attacks.
Even though Binding Operational Directive (BOD) 22-01 targets only federal agencies, CISA “strongly” urged all network defenders to patch their devices against exploitation of CVE-2025-40551 as soon as possible.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
On Wednesday, CISA also ordered federal agencies to patch a stored cross-site scripting (XSS) weakness in the Zimbra Collaboration Suite (ZCS) that is now exploited in the wild.





