Stop reading this and go patch your SharePoint servers. Seriously. CVE-2026-20963 is a critical unauthenticated remote code execution vulnerability in Microsoft SharePoint Server, and attackers are actively exploiting it in the wild right now. Microsoft patched it in January. If you haven't applied that patch, you're running a server that anyone on the internet can take over.
I'll explain the technical details after you've started the update. Go. I'll wait.
What the Vulnerability Is
CVE-2026-20963 is a deserialization vulnerability in SharePoint's content management service. The flaw exists in how SharePoint processes certain API requests — specifically, crafted payloads sent to the content management endpoint can trigger unsafe deserialization of .NET objects, leading to arbitrary code execution as the SharePoint service account.
The critical word here is unauthenticated. The attacker doesn't need credentials. They don't need to be on your internal network (unless your SharePoint is properly firewalled, which — let's be honest — many aren't). They send a specially crafted HTTP request to your SharePoint server, and they have code execution.
POST /_api/web/contenttypes HTTP/1.1
Host: your-sharepoint-server.example.com
Content-Type: application/json;odata=verbose

{
  "__metadata": {
    "type": "SP.ContentType"
  },
  "SchemaXml": "<MALICIOUS_SERIALIZED_PAYLOAD>"
}

The actual exploit payload is more complex than this — I'm intentionally not providing a working proof of concept — but the attack surface is a standard SharePoint API endpoint. No special tooling required. Basic HTTP requests.
Why This Is Worse Than Usual
SharePoint vulnerabilities aren't new. Microsoft patches SharePoint security issues regularly. What makes CVE-2026-20963 particularly dangerous is the combination of three factors.
Factor 1: Unauthenticated. Most SharePoint vulns require at least a valid user session. This one doesn't. If your SharePoint server is reachable, it's vulnerable. Port 443, standard HTTPS. Nothing exotic.
Factor 2: The service account. SharePoint typically runs as a domain service account with significant privileges. Code execution as that account often means access to file shares, databases, and potentially domain controller communications. This isn't just "I can deface a SharePoint page" — it's "I have a foothold in your Active Directory environment."
Factor 3: Exploit code is public. As of mid-March, working exploit code is available in multiple offensive security frameworks. The barrier to exploitation is near zero for anyone with basic penetration testing skills. This has moved from "sophisticated threat actors" to "script kiddie territory."
The Exploitation Timeline
Here's how this played out:
January 14, 2026: Microsoft releases patch (KB5002822)
January 15-30: Researchers begin analyzing the diff
February 8: First technical writeup published
February 22: Proof of concept published on GitHub
March 5: CISA adds to Known Exploited Vulnerabilities catalog
March 10-present: Active exploitation observed by multiple threat intel firms
March 20: Ransomware groups confirmed using this as initial access
Two months. That's how long it took from patch to widespread exploitation. If you have a change management process that takes longer than two months for critical security patches, your process is broken. Full stop.
How to Check If You're Vulnerable
If you're running SharePoint Server 2019 or SharePoint Server Subscription Edition and you haven't applied the January 2026 cumulative update, you're vulnerable. There's no workaround, no mitigation short of patching. Microsoft's advisory is clear: update or take the server offline.
To check your current patch level:
# Check SharePoint build number
Get-SPFarm | Select BuildVersion
# January 2026 patch versions (minimum safe versions):
# SharePoint Server Subscription Edition: 16.0.17928.20238
# SharePoint Server 2019: 16.0.10417.20027
# If your build number is lower, you are vulnerable
# Check from Central Admin (browser):
# Central Administration > Upgrade and Migration > Check product and patch installation status

If you can't patch immediately — and I mean within hours, not days — your interim options are limited. Taking the server offline is the safest choice. If that's not possible, restrict network access to the SharePoint server to only known internal IP ranges. This isn't a fix, but it reduces the attack surface from "the entire internet" to "your internal network."
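The build check above written out as a script, with the post's interim fallback (scoping inbound HTTPS to internal ranges) as an optional step. This is an added example, not code from the post or from Microsoft: the minimum builds are the ones the post lists, while the edition inference from the build number, the $InternalRanges values and the firewall rule name are assumptions you should adjust for your farm.

```powershell
# Added example: compare the farm build against the January 2026 minimum safe
# builds given in the post. Run it in the SharePoint Management Shell on a farm
# server (Get-SPFarm needs the SharePoint snap-in and farm admin rights).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Minimum safe build per edition, as stated in the post.
$MinimumSafeBuild = @{
    'SubscriptionEdition' = [version]'16.0.17928.20238'
    '2019'                = [version]'16.0.10417.20027'
}

function Test-SPPatchLevel {
    param(
        [Parameter(Mandatory)][version]$BuildVersion,
        [Parameter(Mandatory)][ValidateSet('2019', 'SubscriptionEdition')][string]$Edition
    )
    $minimum = $MinimumSafeBuild[$Edition]
    [pscustomobject]@{
        Edition     = $Edition
        Installed   = $BuildVersion
        MinimumSafe = $minimum
        Vulnerable  = ($BuildVersion -lt $minimum)   # [version] compares all four parts
    }
}

$farmBuild = (Get-SPFarm).BuildVersion
# Assumption: Subscription Edition builds are numerically above every 2019 build,
# so the third version component tells the editions apart. Set $edition by hand
# if your farm reports something unexpected.
$edition = if ($farmBuild.Build -ge 14326) { 'SubscriptionEdition' } else { '2019' }
$result  = Test-SPPatchLevel -BuildVersion $farmBuild -Edition $edition
$result | Format-List

# Interim containment only (not a fix): if the farm is vulnerable and the patch
# cannot go on within hours, limit inbound HTTPS to internal ranges as the post
# suggests. Windows Firewall drops inbound traffic by default, so disabling the
# broad port 443 allow rules and adding one scoped allow rule leaves only these
# ranges able to reach the server. $InternalRanges is a placeholder for your space.
$ApplyInterimContainment = $false
$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
if ($result.Vulnerable -and $ApplyInterimContainment) {
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq '443' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'SharePoint HTTPS (internal ranges only)' `
        -Direction Inbound -Protocol TCP -LocalPort 443 `
        -RemoteAddress $InternalRanges -Action Allow | Out-Null
}

if ($result.Vulnerable) {
    Write-Warning "Build $($result.Installed) is below $($result.MinimumSafe) for $edition; apply KB5002822."
}
```

The firewall step only reduces who can reach port 443; a reverse proxy or VPN concentrator inside one of the allowed ranges still forwards external traffic, which is exactly the "internal server is reachable anyway" problem the post raises later.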
What Attackers Are Doing With It
The threat intelligence reports are consistent. Attackers are using CVE-2026-20963 as initial access, then following a predictable playbook:
The time from initial exploitation to ransomware deployment is averaging 48-72 hours in observed incidents. That's your window. If your SharePoint server was compromised last week and you haven't noticed, the ransomware might already be staged.
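One way to find out whether you have noticed, as an added example that is not part of the original post: scan the SharePoint web front end's IIS W3C logs for anonymous POSTs to the content type endpoint named above. The log lines are constructed for the example, and the default log path and the field list are assumptions about a typical IIS configuration; real logs may select different fields, which is why the parser reads the #Fields header rather than fixed column positions.

```powershell
# Added example: flag unauthenticated POSTs to /_api/web/contenttypes in IIS logs.
# The endpoint path comes from the post; the log lines below are constructed.
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-03-12 09:14:02 10.1.1.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\jdoe 10.1.4.22 Mozilla/5.0 200 120
2026-03-12 09:14:40 10.1.1.5 POST /_api/web/contenttypes - 443 CONTOSO\spadmin 10.1.4.30 Mozilla/5.0 201 310
2026-03-12 09:15:01 10.1.1.5 POST /_api/web/contenttypes - 443 - 10.1.4.30 Mozilla/5.0 401 3
2026-03-12 09:15:03 10.1.1.5 POST /_api/web/contenttypes - 443 - 203.0.113.44 python-requests/2.31 200 4780
2026-03-12 09:15:09 10.1.1.5 POST /_api/web/contenttypes - 443 - 203.0.113.44 python-requests/2.31 500 95
'@

function Find-SuspiciousContentTypePosts {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # W3C logs carry their column layout in a #Fields directive; read it
        # instead of assuming positions, since admins select fields per site.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or -not $fields) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        # cs-username is '-' for anonymous requests. A 401 from an anonymous
        # client is the normal first leg of an NTLM/Kerberos challenge, so those
        # are excluded; an anonymous POST that is *not* challenged is the signal.
        if ($row['cs-method'] -eq 'POST' -and
            $row['cs-uri-stem'] -like '/_api/web/contenttypes*' -and
            $row['cs-username'] -eq '-' -and
            $row['sc-status'] -ne '401') {
            [pscustomobject]@{
                Time      = "$($row['date']) $($row['time'])"
                ClientIP  = $row['c-ip']
                UserAgent = $row['cs(User-Agent)']
                Status    = $row['sc-status']
                TimeTaken = $row['time-taken']
            }
        }
    }
}

# Run on the constructed sample: two hits, both from 203.0.113.44.
$hits = Find-SuspiciousContentTypePosts -Lines ($SampleLog -split "`r?`n")
$hits | Format-Table -AutoSize
$hits | Group-Object ClientIP | Select-Object Name, Count

# Against a real front end (default IIS log location, adjust the site id):
# $hits = Find-SuspiciousContentTypePosts -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log')
```

A hit here is an anonymous client that reached the endpoint without being challenged, which is worth pulling the server off the network for while you check the SharePoint service account's activity in that 48-72 hour window. Authenticated POSTs to the same endpoint (the second sample line) are ordinary administrative traffic and are deliberately not flagged.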
The Bigger Problem
This vulnerability highlights a systemic issue in enterprise security: on-premises SharePoint is legacy infrastructure that many organizations are running but not actively maintaining. The teams that managed these servers may have been reorganized. The patching processes may have atrophied. The assumption is "it's behind the firewall, it's fine."
It's not fine. The firewall hasn't been a meaningful security boundary for a decade. VPN access, hybrid cloud configurations, and misconfigured reverse proxies mean that "internal" servers are routinely reachable from the internet.
If you're still running on-premises SharePoint, this is a wake-up call. Either commit to maintaining it — monthly patches, security monitoring, network segmentation — or migrate to SharePoint Online where Microsoft handles the patching. The worst option is the one many organizations have chosen: keep it running and hope for the best.
Action Items
I'll keep this blunt.
Today: Check your SharePoint build version. If it's below the January 2026 patch level, escalate to your highest priority incident response process.
This week: Apply KB5002822. Test in staging if you must, but don't let testing be an excuse for delay. A broken SharePoint page is recoverable. A ransomware incident is not.
This month: Review your patching SLAs for internet-facing and semi-internet-facing services. If critical patches take longer than 30 days to deploy, fix the process.
This quarter: Audit whether on-premises SharePoint is still the right choice for your organization. The TCO of maintaining, patching, and securing on-prem SharePoint often exceeds the cost of SharePoint Online once you factor in security incidents.

Patch. Today. Not tomorrow.
