
A critical Remote Code Execution vulnerability in SharePoint Server is being actively exploited by attackers. The patch has been available since January but many organisations have not yet installed it. CISA has added the vulnerability to its known exploited vulnerabilities list. Check your systems now.
CISA, the US cybersecurity agency, has added CVE-2026-20963 to its Known Exploited Vulnerabilities catalogue. That means attackers are actively exploiting this vulnerability in SharePoint Server in the wild. The patch has been available since 13 January 2026, but for two months it went unnoticed in the patch notes at many organisations. Now that exploitation has been confirmed, there is no time to lose.
CVE-2026-20963 is a Remote Code Execution vulnerability caused by deserialization of untrusted data in SharePoint Server. Deserialization attacks are particularly dangerous because they allow an attacker to execute arbitrary code on the server without any user interaction. The attack complexity is low, making this an attractive target for automated attacks.
The vulnerability affects SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Enterprise Server 2016. SharePoint Online (via Microsoft 365) is not vulnerable. Only organisations running SharePoint on-premises are at risk.
Microsoft released the patch as part of Patch Tuesday on 13 January 2026. The relevant Knowledge Base articles are KB5002822 for SharePoint Server Subscription Edition and the corresponding updates for SharePoint 2019 and 2016. If your monthly patch cycles are up to date, you are protected. If not, install the cumulative update for your SharePoint version today.
Check which version of SharePoint Server you are running and whether the January 2026 patch has been installed. If it has not, install KB5002822 and the corresponding cumulative update. Review event logs on the SharePoint server for suspicious activity, particularly unknown processes being launched by the IIS worker or SharePoint service account. Consider whether a migration to SharePoint Online fits your roadmap to structurally eliminate this type of risk.
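The event-log review described above can be scripted. The following is an added example, not code from Microsoft or CISA: it scans process-creation records (Security Event ID 4688) exported as JSON lines and flags unexpected children of the IIS worker or of the SharePoint service account. The account name svc_spfarm, the allowlist of expected child processes and the sample records are assumptions made for illustration.

```python
import json
import ntpath

# ASSUMPTIONS (tune per farm): the account name and the allowlist are hypothetical.
SERVICE_ACCOUNTS = {"svc_spfarm"}
EXPECTED_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe", "werfault.exe"}
IIS_WORKER = "w3wp.exe"

# Constructed sample: Event ID 4688 records exported one JSON object per line.
# The last record is deliberately truncated, as happens with cut-off exports.
SAMPLE_EVENTS = r'''
{"TimeCreated":"2026-03-18T09:12:40Z","SubjectUserName":"svc_spfarm","ParentProcessName":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","NewProcessName":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"}
{"TimeCreated":"2026-03-18T09:12:44Z","SubjectUserName":"svc_spfarm","ParentProcessName":"C:\\Windows\\System32\\inetsrv\\W3WP.EXE","NewProcessName":"C:\\Windows\\System32\\cmd.exe"}
{"TimeCreated":"2026-03-18T09:13:02Z","SubjectUserName":"SVC_SPFARM","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"TimeCreated":"2026-03-18T09:14:10Z","SubjectUserName":"alice","ParentProcessName":"C:\\Windows\\explorer.exe","NewProcessName":"C:\\Windows\\System32\\notepad.exe"}
{"TimeCreated":"2026-03-18T09:15:00Z","SubjectUserName":"svc_spfarm"
'''

def basename(path):
    """Lower-cased file name of a Windows path ('' if the field is absent)."""
    return ntpath.basename(path or "").lower()

def find_suspicious(lines):
    """Return (findings, skipped): unexpected children of w3wp.exe or of a
    SharePoint service account, plus the count of unparseable records."""
    findings, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count damaged records instead of aborting the review
            continue
        child = basename(ev.get("NewProcessName"))
        from_worker = basename(ev.get("ParentProcessName")) == IIS_WORKER
        # Older audit settings omit ParentProcessName, so also match on account.
        from_account = (ev.get("SubjectUserName") or "").lower() in SERVICE_ACCOUNTS
        if child and (from_worker or from_account) and child not in EXPECTED_CHILDREN:
            reason = "child of w3wp.exe" if from_worker else "service account"
            findings.append((ev.get("TimeCreated"), child, reason))
    return findings, skipped

if __name__ == "__main__":
    hits, bad = find_suspicious(SAMPLE_EVENTS.splitlines())
    for when, child, reason in hits:
        print(f"{when}  {child:<16} {reason}")
    print(f"{bad} record(s) skipped as unparseable")
```

Process-creation auditing must be enabled on the server for 4688 records to exist, and any hit is a lead to investigate rather than proof of compromise.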
Need help patching your SharePoint environment or want to know whether your Microsoft 365 configuration is secure? Contact Zarioh for a quick check.