Unknown attackers exploit yet another critical SharePoint bug

Last time: Beijing-backed snoops and ransomware crims. Who's next?

The Register

Unknown baddies are abusing yet another critical Microsoft SharePoint bug to compromise victims' SharePoint servers, the US government warned.

CVE-2026-20963 is a critical deserialization flaw in SharePoint that allows unauthenticated attackers to remotely execute code on the server without any user interaction. Redmond fixed the issue as part of its January Patch Tuesday. At the time, the vulnerability was neither publicly known nor exploited, according to Microsoft, which deemed exploitation "less likely."

Fast forward to Wednesday, when the US Cybersecurity and Infrastructure Security Agency added CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog, gave federal agencies just three days to apply the patch, and said it's unknown if ransomware criminals are among those exploiting the SharePoint bug.

At the time of publication, Microsoft had not updated the security advisory to indicate that CVE-2026-20963 is under active exploitation. Microsoft did not immediately respond to The Register's inquiries about the vulnerability, including who is abusing this CVE and for what purposes.

The Reg readers likely remember the SharePoint mass-exploitation over the summer and into fall. 

Back in July, Microsoft patched the so-called ToolShell vulnerability (CVE-2025-53770), a critical remote code execution bug in on-premises SharePoint servers. Before it was fixed, however, Chinese attackers found and exploited the bug as a zero-day, compromising more than 400 organizations, including the US Energy Department.

At the time, Microsoft attributed the break-ins to three China-based groups: two government-backed groups that steal sensitive IP and spy on former government and military personnel, plus a third criminal org that exploited the bug to infect victims with Warlock ransomware.

In October, we learned that other Beijing crews – including Salt Typhoon – also joined in the attacks. ®