Unknown bad guys are exploiting yet another critical Microsoft SharePoint bug to compromise victims’ SharePoint servers, the US government has warned.
CVE-2026-20963 is a critical deserialization vulnerability in SharePoint that allows unauthenticated attackers to execute code remotely on the server without any user interaction. Redmond fixed the issue as part of its January Patch Tuesday. At the time, the vulnerability was neither publicly known nor exploited, according to Microsoft, which rated its exploitation as "less likely".
Fast forward to Wednesday, when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog, gave federal agencies just three days to apply the patch, and said it was unclear whether ransomware criminals were among those exploiting the SharePoint bug.
At the time of publication, Microsoft had not updated its security advisory to indicate that CVE-2026-20963 is actively exploited. Microsoft did not immediately respond to The Register's requests for information about the vulnerability, including who is abusing this CVE and for what purposes.
Reg readers will probably remember the massive exploitation of SharePoint over the summer and fall.
In July, Microsoft fixed the so-called ToolShell vulnerability (CVE-2025-53770), a critical remote code execution bug in on-premises SharePoint servers. However, before it was patched, Chinese attackers discovered and exploited the bug as a zero-day, compromising more than 400 organizations, including the U.S. Department of Energy.
At the time, Microsoft attributed the intrusions to three China-based groups: two government-backed groups that stole sensitive intellectual property and spied on former government and military members, as well as a third, criminal, organization that exploited the bug to infect victims with Warlock ransomware.
In October, we learned that other Beijing crews – including Salt Typhoon – had also joined the attacks. ®