Cyber-crime

Unknown attackers exploit yet another critical SharePoint bug

Last time: Beijing-backed snoops and ransomware crims. Who's next?

Jessica Lyons Thu 19 Mar 2026 // 18:54 UTC

Unknown baddies are abusing yet another critical Microsoft SharePoint bug to compromise victims' SharePoint servers, the US government warned.

CVE-2026-20963 is a critical deserialization flaw in SharePoint that allows unauthenticated attackers to remotely execute code on the server without any user interaction. Redmond fixed the issue as part of its January Patch Tuesday. At the time, the vulnerability was neither publicly known nor exploited, according to Microsoft, which deemed exploitation "less likely."

Fast forward to Wednesday, when the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog, gave federal agencies just three days to apply the patch, and said it is unknown whether ransomware criminals are among those exploiting the SharePoint bug.

At the time of publication, Microsoft had not updated its security advisory to indicate that CVE-2026-20963 is under active exploitation. Microsoft did not immediately respond to The Register's inquiries about the vulnerability, including who is abusing this CVE and for what purposes.

The Reg readers likely remember the SharePoint mass-exploitation over the summer and into fall.

Back in July, Microsoft patched the so-called ToolShell vulnerability (CVE-2025-53770), a critical remote code execution bug in on-premises SharePoint servers.
Before it was fixed, however, Chinese attackers found and exploited the bug as a zero-day, compromising more than 400 organizations, including the US Energy Department. At the time, Microsoft attributed the break-ins to three China-based groups: two government-backed groups that steal sensitive IP and spy on former government and military personnel, plus a third criminal org that exploited the bug to infect victims with Warlock ransomware.

In October, we learned that other Beijing crews – including Salt Typhoon – also joined in the attacks. ®
CVE-2026-20963 is a deserialization flaw in Microsoft SharePoint, rated critical under Microsoft's own severity scale (CVSS 8.8), that allows unauthenticated remote code execution with no user interaction. Affected versions are SharePoint Server 2016 and 2019 at builds below 16.0.19127.20442; 16.0.19127.20442 is the fixed build. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, which indicates exploitation in the wild, and has given federal agencies three days to patch. Note that Microsoft's advisory had not been updated to reflect exploitation at the time of publication, so the KEV listing, not the advisory, is currently the signal that this bug is being used against real servers.
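The question an on-premises SharePoint admin actually has to answer after a KEV listing is "is this farm at or above the fixed build, on every server?" The script below is an added example, not code from the article or from Microsoft; it compares both the farm's upgraded build and the locally installed binary build against the fixed build quoted in the summary above. The fixed build number 16.0.19127.20442 is taken from this page and should be confirmed against Microsoft's advisory for your SKU before you rely on it; the ISAPI assembly path and the "run PSConfig" remediation text are assumptions about a standard SharePoint install.

```powershell
# Added example: check a SharePoint farm's patch state for CVE-2026-20963.
# Run from an elevated SharePoint Management Shell on each server in the farm.
# FixedBuild comes from this page's summary (assumption: verify against Microsoft's
# advisory for your SKU, since 2016, 2019 and Subscription Edition ship different builds).
param(
    [version]$FixedBuild = [version]'16.0.19127.20442'
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Farm build: the configuration database schema version, i.e. what PSConfig
#    (the Products Configuration Wizard) has actually upgraded the farm to.
$farm      = Get-SPFarm
$farmBuild = [version]$farm.BuildVersion

# 2. Binary build: file version of the core assembly on this server. Assumption: the
#    default ISAPI path under Common Files. A server whose binaries are patched but
#    where PSConfig has not run shows a newer binary build than the farm build, and
#    is not finished patching.
$isapiDll = Join-Path ${env:CommonProgramFiles} 'microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll'
$binBuild = [version](Get-Item $isapiDll).VersionInfo.FileVersion

$result = [pscustomobject]@{
    Server        = $env:COMPUTERNAME
    FarmBuild     = $farmBuild
    BinaryBuild   = $binBuild
    FixedBuild    = $FixedBuild
    BinaryPatched = ($binBuild  -ge $FixedBuild)   # security update installed on this box
    FarmUpgraded  = ($farmBuild -ge $FixedBuild)   # PSConfig has been run after the update
}
$result | Format-List

if (-not $result.BinaryPatched) {
    Write-Warning "Binaries below fixed build: install the January 2026 SharePoint security update on this server."
} elseif (-not $result.FarmUpgraded) {
    Write-Warning "Binaries patched but farm build is older: run PSConfig on every server to complete the upgrade."
} else {
    Write-Host "Farm and local binaries are at or above the fixed build for CVE-2026-20963."
}

# Servers this script still has to be run on (the binary check is per machine).
$farm.Servers | Where-Object { $_.Role -ne 'Invalid' } | Select-Object Name, Role
```

Two things the output is deliberately split into: a farm build at or above the fixed version does not prove every web front end has the patched binaries, and patched binaries on one server do not prove PSConfig was run, so an all-clear needs both columns true on every server the last line lists. Because the bug is already in KEV, a server found below the fixed build should be treated as possibly compromised, not merely unpatched, and reviewed before it is simply updated in place.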