
CISA KEV: Microsoft SharePoint RCE Vulnerability (CVE-2026-20963)

Source: CISA Known Exploited Vulnerabilities (KEV)
Published March 18th, 2026
Detected March 19th, 2026

Summary

CISA has added a Microsoft SharePoint remote code execution vulnerability (CVE-2026-20963) to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability has a CVSS score of 8.8 and is actively exploited.

What changed

CISA has officially added CVE-2026-20963, a critical remote code execution vulnerability in Microsoft SharePoint, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified by Microsoft Corporation and rated with a CVSS score of 8.8 (HIGH), stems from deserialization of untrusted data and allows an authenticated attacker to execute code over a network. This inclusion signifies that the vulnerability is actively exploited in the wild, posing a significant risk.

Federal agencies are required to apply the security updates or mitigations by March 18, 2026. Other organizations running Microsoft SharePoint should prioritize patching or applying the workarounds immediately, since successful exploitation can lead to network compromise and follow-on attacks. Failing to act on CISA directives leaves systems exposed to security incidents and may carry further repercussions.

What to do next

  1. Apply security updates or mitigations for CVE-2026-20963 on all Microsoft SharePoint instances.
  2. Review CISA's KEV catalog for active exploitation details and recommended actions.
  3. Implement enhanced monitoring for suspicious activity related to SharePoint.

Source document (simplified)

Required CVE Record Information

CNA: Microsoft Corporation

Description

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

CWE (1 total)

- CWE-502: Deserialization of Untrusted Data

CVSS (1 total)

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 8.8 | HIGH | 3.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |

Product Status (3 products, 1 version range each; default status: unknown)

  • affected from 16.0.0 before 16.0.5535.1001
  • affected from 16.0.0 before 16.0.10417.20083
  • affected from 16.0.0 before 16.0.19127.20442
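The three affected ranges above all start at 16.0.0 and differ only in their fixed build, so a naive "is my build inside any range" check will flag a fully patched server as vulnerable whenever a range with a higher fixed build also contains it. The record also does not say which range belongs to which SharePoint product line; the operator has to know which fixed build applies to the installation being checked. This added example (not code from the record or from Microsoft) compares builds component-wise rather than as strings, shows the false positives the naive check produces, and takes the applicable fixed build as an explicit input. The sample builds are constructed for illustration.

```python
# Fixed builds from the three "affected from 16.0.0 before X" ranges in the record.
FIXED_BUILDS = ["16.0.5535.1001", "16.0.10417.20083", "16.0.19127.20442"]
RANGE_START = "16.0.0"


def parse_build(version: str) -> tuple:
    """Turn '16.0.5535.1001' into (16, 0, 5535, 1001) so each component compares
    numerically. A plain string compare gets this wrong: '16.0.5535.1001' sorts
    *after* '16.0.10417.20083' because '5' > '1'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build: {version!r}")
    return tuple(int(p) for p in parts)


def in_range(installed: str, start: str, fixed: str) -> bool:
    """True when start <= installed < fixed, compared component-wise."""
    return parse_build(start) <= parse_build(installed) < parse_build(fixed)


def matching_fixed_builds(installed: str) -> list:
    """Naive check: every record range that contains the installed build.
    Because all three ranges start at 16.0.0, a patched build from one product
    line still sits inside the ranges with higher fixed builds, so this list
    can contain false positives. Useful only to see which ranges overlap."""
    return [fixed for fixed in FIXED_BUILDS if in_range(installed, RANGE_START, fixed)]


def is_vulnerable(installed: str, fixed_for_my_line: str) -> bool:
    """Correct check: compare only against the fixed build that applies to the
    SharePoint line actually installed. The caller supplies it (assumption:
    the operator knows their product line; the record does not state the mapping)."""
    if fixed_for_my_line not in FIXED_BUILDS:
        raise ValueError("fixed build is not one of the builds listed in the record")
    return in_range(installed, RANGE_START, fixed_for_my_line)


if __name__ == "__main__":
    # Constructed sample builds: one just below the first fixed build, then the
    # three fixed builds themselves (i.e. fully patched installs).
    for build in ["16.0.5534.1000", *FIXED_BUILDS]:
        print(f"{build:18} naive matches: {matching_fixed_builds(build)}")
    print("patched 16.0.5535.1001 vs its own fixed build:",
          is_vulnerable("16.0.5535.1001", "16.0.5535.1001"))
```

Run on the sample builds, the naive check reports the already-patched build 16.0.5535.1001 as matching the two higher ranges, while the per-line check correctly reports it as not vulnerable; only the last range's fixed build matches nothing under either check.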

References (1 total)

Authorized Data Publisher: CISA-ADP (updated 2026-03-19). Provides SSVC and KEV data, plus CVSS and CWE if not provided by the CNA.

SSVC (1 total)

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2026-01-08 |

KEV (1 total)

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20963 (2026-03-18)

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

- Agency: CISA
- Published: March 18th, 2026
- Compliance deadline: March 18th, 2026 (1 day ago)
- Instrument: Notice
- Legal weight: Non-binding
- Stage: Final
- Change scope: Substantive

Who this affects

- Applies to: Technology companies, Manufacturers
- Geographic scope: National (US)

Taxonomy

- Primary area: Cybersecurity
- Operational domain: IT Security
- Topics: Vulnerability Management, Software Security
