CVE-2026-20963: critical SharePoint flaw under active attack despite January patch

    A critical deserialization vulnerability in Microsoft SharePoint, tracked as CVE-2026-20963, is being actively exploited by attackers right now. The flaw allows unauthenticated remote code execution with no user interaction required. An attacker who knows the target's SharePoint URL can send a crafted request and execute arbitrary code on the server. Microsoft patched it in January, but a large number of enterprise deployments remain unpatched, and that gap is exactly what attackers are working through.

    The combination of factors here makes this worse than most. No authentication needed. No phishing link to click. No social engineering. The attacker just needs network access to a vulnerable SharePoint server. In environments where SharePoint is exposed to the internet, which is common for organizations using it as an intranet portal or file sharing platform, the attack surface is wide open.

    CVE-2026-20963 SharePoint vulnerability actively exploited across enterprise environments

    What deserialization vulnerabilities actually do

    Deserialization is the process by which an application takes data, often received over a network, and converts it back into an object in memory. When that process lacks proper validation, an attacker can send maliciously crafted data that, when deserialized, causes the application to execute attacker-controlled code. The result is remote code execution, which means the attacker can run commands on the server as if they were sitting at the keyboard.

    Deserialization flaws are not new. They have been a recurring problem in enterprise Java and .NET applications for over a decade. CVE-2026-20963 follows the same general pattern that made earlier SharePoint vulnerabilities like CVE-2019-0604 so damaging. That 2019 flaw was also exploited widely in the months after patching because organizations could not move fast enough to apply the fix across all their deployments.

    Why enterprises are still running the vulnerable version

    SharePoint is not a simple web application you update with a click. In most large organizations, it sits at the center of document management, team collaboration, and internal workflows. Patching it requires scheduled downtime, pre-patch testing to verify that custom integrations still work, and sign-off from multiple teams including IT, legal, and operations. That process can easily take four to eight weeks even when a team is actively working on it.

    Microsoft released the patch on January 14, 2026, as part of its regular Patch Tuesday cycle. For organizations with disciplined patching schedules, that is enough lead time. But a significant portion of enterprises operate SharePoint on-premises rather than through SharePoint Online, and on-premises deployments require manual patch application. Cloud-hosted versions through Microsoft 365 were updated automatically. The organizations at highest risk right now are those running on-premises SharePoint Server 2019 or SharePoint Server Subscription Edition without applying the January cumulative update.

    What attackers are doing once they get in

    Remote code execution on a SharePoint server gives an attacker a foothold inside the corporate network. From there, the typical next steps involve deploying a web shell for persistent access, moving laterally to other systems on the same network segment, and attempting privilege escalation to reach domain controllers or data stores. Because SharePoint servers often hold sensitive documents and are trusted by other internal systems, they make a high-value starting point for a broader intrusion.

    The Cybersecurity and Infrastructure Security Agency added CVE-2026-20963 to its Known Exploited Vulnerabilities catalog, which legally requires U.S. federal civilian agencies to patch by a specified deadline. Private sector organizations are not bound by that requirement, but the catalog listing is a reliable signal that real-world exploitation is confirmed and ongoing, not theoretical.

    Immediate steps for SharePoint administrators

    The first step is straightforward: apply the January 2026 cumulative update for SharePoint Server. Microsoft's Security Update Guide lists the exact KB article numbers for each affected version. For organizations that cannot patch immediately due to change management constraints, the interim options include blocking external access to SharePoint at the firewall, enabling web application firewall rules that detect deserialization attack patterns, and reviewing SharePoint server logs for signs of exploitation, specifically unusual POST requests to the /_layouts/ or /_api/ endpoints.

    Security teams should also check for newly created files in the SharePoint server's web root, which is a common indicator of web shell installation. Tools like Microsoft Defender for Endpoint can detect known web shell signatures, but custom or obfuscated shells may evade automated detection. Manual review of recently modified files on the server is worth the time if exploitation is suspected.
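    Added example, not code from the article or from Microsoft: a Python triage script that parses an IIS W3C log from an on-premises SharePoint server and flags the indicator described above and in the FAQ, POST requests to the /_layouts/ or /_api/ paths, narrowed to requests with no authenticated username since the flaw needs none. The log lines, usernames and IP addresses are constructed sample data; the column layout follows the default IIS fields.

```python
from collections import Counter

SUSPECT_PREFIXES = ("/_layouts/", "/_api/")

# Constructed sample IIS W3C log (not real traffic). The #Fields header drives the
# parser, so a real log with a different column order is handled the same way.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-03-02 09:14:02 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2026-03-02 09:14:09 10.0.0.5 POST /_api/web/lists - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2026-03-02 09:21:44 10.0.0.5 POST /_layouts/15/page.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2026-03-02 09:21:45 10.0.0.5 POST /_layouts/15/page.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2026-03-02 09:21:50 10.0.0.5 POST /_api/contextinfo - 443 - 203.0.113.7 python-requests/2.31 500
2026-03-02 09:30:01 10.0.0.5 GET /_layouts/15/page.aspx - 443 - 198.51.100.9 Mozilla/5.0 401
"""

def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split()
        if len(values) == len(fields):  # skip malformed lines rather than misalign columns
            yield dict(zip(fields, values))

def suspicious_posts(entries):
    """Return POSTs to /_layouts/ or /_api/ with no authenticated user (cs-username '-')."""
    # Authenticated POSTs to /_api/ are routine SharePoint traffic; anonymous ones
    # against these paths match the unauthenticated pattern the article describes.
    return [
        e for e in entries
        if e.get("cs-method") == "POST"
        and e.get("cs-uri-stem", "").lower().startswith(SUSPECT_PREFIXES)
        and e.get("cs-username", "-") == "-"
    ]

def hits_by_source(hits):
    """Count flagged requests per client IP so repeated probing from one host stands out."""
    return Counter(h["c-ip"] for h in hits)

if __name__ == "__main__":
    flagged = suspicious_posts(parse_iis_log(SAMPLE_IIS_LOG))
    for ip, n in hits_by_source(flagged).most_common():
        print(f"{ip}: {n} anonymous POST(s) to watched paths")
    for h in flagged:
        print("  ", h["date"], h["time"], h["cs-uri-stem"], h["sc-status"], h["cs(User-Agent)"])
```

On a real server, point `parse_iis_log` at the contents of the site's log files under the IIS log directory; anonymous POSTs are not proof of compromise on their own, so follow a hit with the web-root file review described above.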

    Nearly two months have now passed since the patch was released, and exploitation is ongoing. Organizations that have not yet applied the January update should treat this as a priority item, not a scheduled maintenance task. CISA's federal patching deadline for CVE-2026-20963 is set for March 2026, giving a concrete external reference point for teams needing to escalate internally.


    Frequently Asked Questions

    Q: Which versions of SharePoint are affected by CVE-2026-20963?

    The vulnerability affects SharePoint Server 2019 and SharePoint Server Subscription Edition running on-premises. SharePoint Online through Microsoft 365 was patched automatically and is not at risk.

    Q: Can attackers exploit CVE-2026-20963 without any credentials?

    Yes. The flaw is unauthenticated, meaning an attacker does not need a valid account or login to exploit it. Network access to the SharePoint server is sufficient.

    Q: How can I tell if my SharePoint server has already been compromised?

    Check for unusual POST requests in IIS logs targeting the /_layouts/ or /_api/ paths, and look for newly created or recently modified files in the SharePoint web root directory. Web shell files are often disguised as .aspx files with random or generic names.

    Q: What is the CISA Known Exploited Vulnerabilities catalog and why does it matter?

    CISA's KEV catalog lists flaws confirmed to be actively exploited in the wild. U.S. federal civilian agencies are required to patch listed vulnerabilities by a set deadline. For private organizations, a KEV listing is a reliable indicator that exploitation is real and ongoing.

    Q: If I cannot patch immediately, is there a workaround to reduce risk?

    Yes. Blocking external internet access to the SharePoint server at the firewall level prevents unauthenticated external attackers from reaching the endpoint. Enabling WAF rules that detect deserialization payloads adds another layer of protection while the patch is being prepared for deployment.
