A critical vulnerability in Microsoft SharePoint Server is being actively exploited, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch their systems immediately.
The flaw, tracked as CVE-2026-20963, was recently added to CISA’s Know Exploited Vulnerabilities catalog. It is a critical remote code execution (RCE) vulnerability tied to deserialization of untrusted data in on-premises SharePoint server.
What The Vulnerability Does
Successful exploitation of CVE-2026-20963 will allow threat actors without any privileges to achieve remote code execution on unpatched servers through a deserialization of untrusted data weakness.
In a network-based attack, an unauthenticated attacker can write and execute arbitrary code directly on the SharePoint Server. This means an attacker does not need a username, password, or any prior access to the system to cause serious damage.
The flaw also works because SharePoint does not properly validate certain incoming data, which allows a remote attacker to inject and run arbitrary code on the server. Once that happens, an attacker can deploy malware, steal sensitive documents, establish persistent access, or even move deeper into the network through connected systems.
The vulnerability is said to affect SharePoint Enterprises Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
SharePoint Server 2007, 2010, and 2013 are also vulnerable but have reached end-of-support and no longer receive security updates, meaning organizations still running those versions need to upgrade to a supported release to block attacks.
Why This Matters
This is a serious event because Microsoft SharePoint often sits at the center of corporate document sharing, internal workflows, and sensitive files. If attackers were to gain access, they can move from a single server to a wider part of the organization’s data and identity systems, which is why organizations are being told to treat the issue as urgent.
CISA’s alert recommends that organizations assess whether their internet-facing SharePoint server may be compromised and isolate the system until patching and threat hunting are complete.
This alert shows how quickly a server-side flaw can become a broad security incident when attackers find a way around an earlier fix.
AI Is Changing Both Sides of the Cybersecurity Fight
Artificial intelligence (AI) is now a factor in how these vulnerabilities get found, exploited, and defended against, and its influence is growing on both sides of the equation.
IBM’s 2026 X-Force Threat Intelligence Index found a 44% increase in attacks that began with the exploitation of public-facing applications, driven in part by AI-enabled vulnerability discovery. The report also noted that attackers are using AI to speed up reconnaissance, analyze large datasets, and iterate on attack paths in real time.
Google’s Threat Intelligence, through its Look What You Made Us Patch: 2025 Zero-Days in Review, has stated that it expects AI to fasten the process of reconnaissance, vulnerability discovery, and exploit development through 2026. This 2025 review tracked 90 zero-day vulnerabilities exploited in the wild, with 43 of those affecting enterprise products. The Microoft SharePoint flaw falls squarely into that enterprise category.
On the defensive side, AI is also beginning to close some of the gap, although adoption remains slow. Many reports indicate that organizations that have adopted AI-assisted vulnerability management have reduced their remediation time to cyberattacks, otherwise or often measured as Mean Time to Remediate (MTTR).
However, for most organizations today, AI remains an outside tool to existing processes rather than a default for vulnerability patching, as teams evaluate it cautiously especially given the risks associated with automated remediation.
The net effect of this is a gap that continues to widen between well-resourced teams that are adopting AI-assisted defenses and organizations that are still running manual patch cycles against attackers who are not.
