CISA Adds Actively Exploited Microsoft SharePoint RCE to KEV Catalog
CISA added CVE-2026-20963, a Microsoft SharePoint deserialization flaw, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The vulnerability allows an unauthorized remote attacker to execute arbitrary code over the network by sending crafted serialized data that SharePoint improperly deserializes, creating a pre-authentication remote code execution path. Reporting indicates the specific threat actors behind the attacks have not been publicly identified, but the flaw affects a widely deployed enterprise collaboration platform that often stores sensitive internal documents and communications.
The KEV entry triggered urgent remediation requirements, including a March 21, 2026 deadline for FCEB agencies under Binding Operational Directive 22-01. Additional reporting notes that the same KEV update also included vulnerabilities in Wing FTP Server and Synacor Zimbra Collaboration Suite, but the SharePoint issue stands out because of its likely value for initial access brokers and ransomware affiliates seeking enterprise footholds. Organizations using SharePoint should treat internet-exposed systems as high priority for patching and review for signs of compromise given confirmed in-the-wild exploitation.
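As an added example (not part of the original report or any CISA tooling), the Python sketch below matches KEV entries against an asset inventory and orders the affected hosts by remediation deadline, with internet-exposed systems first. The feed excerpt and the inventory are constructed for illustration; the field names follow CISA's KEV JSON feed.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. CVE IDs and due
# dates are those reported on this page; other field values are illustrative.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-20963", "vendorProject": "Microsoft", "product": "SharePoint",
   "dateAdded": "2026-03-18", "dueDate": "2026-03-21"},
  {"cveID": "CVE-2025-66376", "vendorProject": "Synacor",
   "product": "Zimbra Collaboration Suite",
   "dateAdded": "2026-03-18", "dueDate": "2026-04-01"}
]}
""")

# Hypothetical asset inventory: hostname -> (vendor, product, internet_exposed)
INVENTORY = {
    "sp-ext-01": ("microsoft", "sharepoint", True),
    "sp-int-02": ("microsoft", "sharepoint", False),
    "mail-01": ("synacor", "zimbra collaboration suite", False),
    "files-01": ("nextcloud", "nextcloud server", True),
}

def triage(kev, inventory, today):
    """Return KEV findings for inventory hosts, most urgent first."""
    findings = []
    for v in kev["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        added = date.fromisoformat(v["dateAdded"])
        due = date.fromisoformat(v["dueDate"])
        for host, (vendor, product, exposed) in inventory.items():
            if (vendor, product) != key:
                continue
            findings.append({
                "host": host,
                "cve": v["cveID"],
                "window_days": (due - added).days,  # time CISA allowed
                "days_left": (due - today).days,    # negative = overdue
                "exposed": exposed,
            })
    # Sort: earliest deadline first, internet-exposed hosts before internal.
    findings.sort(key=lambda f: (f["days_left"], not f["exposed"], f["host"]))
    return findings

if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2026, 3, 19)):
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        print(f"{f['host']:10} {f['cve']:15} {state:9} exposed={f['exposed']}")
```

Exact vendor and product matching is a simplification; a real inventory usually needs normalization (for example CPE names) before comparison.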
Timeline
Mar 19, 2026
CISA adds Wing FTP and Zimbra flaws to the KEV catalog
In the same March 2026 KEV update, CISA also added CVE-2025-47813 in Wing FTP Server and CVE-2025-66376 in Synacor Zimbra Collaboration Suite, confirming active exploitation of both vulnerabilities. The Wing FTP issue is an information disclosure flaw that can support exploitation chains, while the Zimbra issue is a stored XSS bug in the Classic UI.
Mar 18, 2026
CISA orders federal agencies to remediate SharePoint bug by March 21
Following the KEV listing, CISA directed Federal Civilian Executive Branch agencies to patch or mitigate CVE-2026-20963 under Binding Operational Directive 22-01. The agency set a March 21, 2026 deadline, an unusually short three-day remediation window reflecting the urgency of the risk.
Mar 18, 2026
CISA adds CVE-2026-20963 to the KEV catalog
On March 18, 2026, CISA added the Microsoft SharePoint vulnerability CVE-2026-20963 to its Known Exploited Vulnerabilities catalog after confirming active in-the-wild exploitation. The flaw is a deserialization issue that can allow unauthenticated remote code execution on vulnerable SharePoint servers.
Jan 1, 2026
Microsoft patches SharePoint flaw CVE-2026-20963
Microsoft fixed CVE-2026-20963 in its January 2026 Patch Tuesday updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. At the time, Microsoft reportedly assessed the vulnerability as less likely to be exploited and not publicly known or exploited.
Related Stories

CISA Adds Microsoft SharePoint and Zimbra Vulnerabilities to KEV Catalog
**CISA** added two newly tracked flaws to its **Known Exploited Vulnerabilities (KEV)** catalog: **CVE-2026-20963** in **Microsoft SharePoint** and **CVE-2025-66376** in **Synacor Zimbra Collaboration Suite**. The SharePoint issue is a deserialization of untrusted data vulnerability, mapped to `CWE-502`, that can allow code execution over the network; CISA’s KEV entry describes it as enabling an unauthorized attacker to execute code remotely. The Zimbra issue is a stored cross-site scripting flaw in the Classic UI, mapped to `CWE-79`, in which attackers can abuse CSS `@import` directives in email HTML. CISA’s KEV update requires federal civilian executive branch agencies to remediate the SharePoint flaw by **2026-03-21** and the Zimbra flaw by **2026-04-01**, or follow applicable mitigation guidance under **BOD 22-01**. The GitHub KEV data commit confirms both additions and records the required actions as applying vendor mitigations, following cloud-service guidance where relevant, or discontinuing use if mitigations are unavailable. The reporting also notes that, while the KEV catalog is binding on federal agencies, private organizations should review the catalog and prioritize these vulnerabilities because CISA has identified them as actively exploited.
1 month ago
CISA KEV Adds Exploited Flaws in Microsoft Excel, SharePoint, and Apache ActiveMQ
CISA updated its Known Exploited Vulnerabilities catalog to add three newly listed flaws affecting **Microsoft Office Excel**, **Microsoft SharePoint Server**, and **Apache ActiveMQ**. The additions increased the catalog total from 1,566 to 1,569 entries across two updates, with CISA identifying **`CVE-2009-0238`** as a remote code execution vulnerability in Excel, **`CVE-2026-32201`** as an improper input validation spoofing issue in SharePoint Server, and **`CVE-2026-34197`** as an improper input validation flaw in ActiveMQ that can enable code injection. CISA assigned federal remediation deadlines of **2026-04-28** for the Excel and SharePoint entries and **2026-04-30** for the ActiveMQ entry. The catalog records indicate that known ransomware use is **unknown** for all three vulnerabilities, while the ActiveMQ listing references both an Apache security advisory and the NVD entry, underscoring active exploitation concerns for widely deployed enterprise software and messaging infrastructure.
2 weeks ago
CISA Adds Actively Exploited Microsoft Zero-Days to KEV Catalog
CISA added **six Microsoft zero-day vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** after evidence of **active exploitation in the wild**, triggering mandatory remediation timelines for U.S. Federal Civilian Executive Branch agencies under **BOD 22-01** and prompting broader patch prioritization across enterprises. The vulnerabilities span multiple Microsoft components, including **MSHTML** and **Microsoft Word**, and are positioned as high-risk initial access and post-exploitation enablers commonly leveraged in phishing-driven intrusion chains and follow-on activity such as lateral movement and ransomware operations. Microsoft’s Security Update Guide entries provide technical details for several of the KEV-listed issues, including **CVE-2026-21513** (*MSHTML Framework Security Feature Bypass*, CVSS 8.8, `AV:N/AC:L/PR:N/UI:R`) and **CVE-2026-21514** (*Microsoft Word Security Feature Bypass*, CVSS 7.8, `AV:L/AC:L/PR:N/UI:R`), both consistent with document/web-content delivery scenarios. Separately, Microsoft also patched **CVE-2026-21525** (*Windows Remote Access Connection Manager / RasMan Denial of Service*, CVSS 6.2, `AV:L/AC:L/PR:N/UI:N`), described as a **NULL pointer dereference** that can be triggered by a local, unauthenticated attacker to crash RasMan and disrupt remote connectivity; reporting indicates exploitation was detected prior to disclosure and fixes were shipped via Patch Tuesday updates for multiple Windows and Windows Server versions.
1 month ago