Critical Vulnerability in SharePoint - Exploitation Alert
Basically, there's a serious flaw in SharePoint that hackers can use to take control of systems.
A critical vulnerability in Microsoft SharePoint has been exploited, allowing unauthenticated attackers to execute code. Organizations using affected versions must update immediately to safeguard their systems. This flaw poses a serious risk to data security and operational integrity.
The Flaw
On March 17, 2026, Microsoft issued an update regarding a significant remote code execution (RCE) vulnerability in SharePoint, identified as CVE-2026-20963. This vulnerability has a CVSS score of 9.8, indicating its critical nature. The issue arises from the deserialization of untrusted data, which allows attackers to execute arbitrary code on affected systems without authentication. This means that anyone, even without valid credentials, can exploit this flaw if they target vulnerable SharePoint installations.
The vulnerability was included in the CISA's Known Exploited Vulnerabilities (KEV) catalogue shortly after its discovery. This highlights the urgency of addressing the issue, as it has been recognized as a significant threat to organizations using SharePoint.
What's at Risk
The affected products include Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016. Organizations utilizing these versions are at risk of unauthorized access and potential data breaches. The implications of this vulnerability can be severe, leading to compromised systems and loss of sensitive information.
Given the nature of remote code execution vulnerabilities, attackers can potentially gain full control over the affected servers. This could lead to further exploitation within the network, making it crucial for organizations to take immediate action.
Patch Status
Microsoft has strongly advised all users to update their SharePoint servers as soon as possible, especially those that are internet-facing. The urgency is underscored by the fact that similar vulnerabilities have been exploited in the past, as seen in the 2025 SharePoint exploitation campaign.
In addition to addressing this specific vulnerability, Microsoft has released updates for three other RCE flaws in SharePoint. Organizations are encouraged to prioritize these updates to mitigate risks effectively. CERT-EU has also recommended that IT administrators take necessary remediation actions to secure their systems.
Immediate Actions
To protect against the exploitation of this vulnerability, organizations should:
- Update SharePoint servers immediately, focusing on those exposed to the internet.
- Enable the Antimalware Scan Interface (AMSI) in full mode.
- Deploy an Endpoint Detection and Response (EDR) solution.
- Rotate SharePoint Server ASP.NET machine keys and restart IIS using iisreset.exe.
- Conduct a compromise assessment on all internet-facing assets.
By following these steps, organizations can significantly reduce their risk of falling victim to attacks leveraging this critical vulnerability. The proactive measures taken today can safeguard sensitive data and maintain the integrity of IT infrastructures.
CERT-EU Security Advisories