CISA Warns Hackers Are Actively Exploiting Critical Microsoft SharePoint Flaw

A critical, unpatched SharePoint vulnerability is being actively exploited, prompting urgent warnings from CISA and security experts.


Key Takeaways:

  • A critical vulnerability allows attackers to take over SharePoint servers without authentication.
  • The flaw affects multiple SharePoint versions.
  • Organizations should patch immediately and upgrade unsupported systems.

The Cybersecurity and Infrastructure Security Agency (CISA) has warned that a critical vulnerability in Microsoft SharePoint that was fixed earlier this year is now being actively abused by attackers. This security flaw could allow hackers to compromise victims’ SharePoint servers.

CVE‑2026‑20963 is a critical security flaw in Microsoft SharePoint that allows attackers to take over vulnerable servers without needing to authenticate first. The vulnerability stems from improper handling of untrusted data, which can be exploited to remotely execute malicious code on exposed SharePoint systems.

Microsoft patch issued, but many systems remain at risk

Microsoft released security patches to address this security flaw as part of its January 2026 Patch Tuesday update. However, this vulnerability has since been observed in real-world attacks. It impacts SharePoint Server 2016, 2019, and the Subscription Edition, along with several older, unsupported versions that no longer receive security updates.

CISA recently added CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog, and U.S. federal civilian agencies have been directed to secure or mitigate vulnerable systems by March 21, 2026. As of this writing, Microsoft has not updated its security advisory to indicate that CVE-2026-20963 is under active exploitation.

Organizations urged to patch and restrict SharePoint exposure

Organizations should immediately apply Microsoft’s January 2026 security updates to all supported SharePoint Server versions. For environments still running unsupported SharePoint versions, organizations are strongly advised to upgrade to a supported release or retire the system entirely. CISA has emphasized that known exploited vulnerabilities should be prioritized within routine vulnerability‑management programs, even outside government environments.

Additionally, organizations should limit external exposure of SharePoint servers by restricting internet access where possible, applying network‑level controls such as firewalls and segmentation, and closely monitoring logs for signs of suspicious activity. It’s also recommended to follow Microsoft’s published mitigation guidance, enforce the principle of least privilege, and maintain strong incident‑response readiness to further reduce the likelihood of successful exploitation.