Unknown attackers exploit yet another critical SharePoint bug
(2026/03/19)
- Reference: 1773946459
- News link: https://www.theregister.co.uk/2026/03/19/unknown_attackers_exploit_yet_another/
- Source link:
Unknown baddies are abusing yet another critical Microsoft SharePoint bug to compromise victims' SharePoint servers, the US government warned.
[1]CVE-2026-20963 is a critical deserialization flaw in SharePoint that allows unauthenticated attackers to remotely execute code on the server without any user interaction. Redmond fixed the issue as part of its [2]January Patch Tuesday. At the time, the vulnerability was neither publicly known nor exploited, according to Microsoft, which deemed exploitation "less likely."
Fast forward to Wednesday, when the US Cybersecurity and Infrastructure Security Agency (CISA) [3]added CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog, gave federal agencies just three days to apply the patch, and said it is unknown whether ransomware criminals are among those exploiting the SharePoint bug.
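The KEV listing is the actionable part of this story for defenders: an entry carries the date it was added, a due date for federal agencies, and a flag for known ransomware use. The script below is an added example, not code from The Register or CISA. It uses the real field names of CISA's KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but the feed it parses is constructed sample data embedded inline so it runs offline; the dates and descriptions in that sample are illustrative, and the function names are my own.

```python
"""Triage CISA KEV entries for one product and compute patch deadlines.

Added example for this article; not The Register's or CISA's code.
The feed below is CONSTRUCTED sample data in the shape of CISA's KEV JSON
feed (same field names). It is not a download of the live catalog; the
dates and text are illustrative.
"""
import json
from datetime import date

# Constructed sample: the Wednesday listing with a three-day window, plus
# last summer's ToolShell CVE with its ransomware flag set, as described in
# the article. Real catalog entries may differ in wording and dates.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.03.18",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-20963",
            "vendorProject": "Microsoft",
            "product": "SharePoint Server",
            "vulnerabilityName": "Microsoft SharePoint Deserialization Vulnerability",
            "dateAdded": "2026-03-18",
            "shortDescription": "Deserialization flaw allowing unauthenticated remote code execution.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-03-21",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963",
        },
        {
            "cveID": "CVE-2025-53770",
            "vendorProject": "Microsoft",
            "product": "SharePoint Server",
            "vulnerabilityName": "Microsoft SharePoint Deserialization Vulnerability (ToolShell)",
            "dateAdded": "2025-07-20",
            "shortDescription": "Deserialization flaw exploited as a zero-day.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-07-21",
            "knownRansomwareCampaignUse": "Known",
            "notes": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
        },
    ],
})


def load_kev(feed_json: str) -> list[dict]:
    """Parse a KEV feed document and return its 'vulnerabilities' list."""
    return json.loads(feed_json)["vulnerabilities"]


def kev_entries_for(entries: list[dict], vendor: str, product: str) -> list[dict]:
    """Entries whose vendorProject matches exactly (case-insensitive) and
    whose product field contains the given substring (case-insensitive)."""
    v, p = vendor.lower(), product.lower()
    return [e for e in entries
            if e["vendorProject"].lower() == v and p in e["product"].lower()]


def remediation_window_days(entry: dict) -> int:
    """Days CISA allowed between listing and due date (3 for the new CVE)."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def triage(entries: list[dict], patched: set[str], today: date) -> list[dict]:
    """Classify each entry as patched, overdue, or due in N days, relative
    to 'today' and the set of CVE IDs already remediated in your estate."""
    rows = []
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        if e["cveID"] in patched:
            status = "patched"
        elif today > due:
            status = f"OVERDUE by {(today - due).days} day(s)"
        else:
            status = f"due in {(due - today).days} day(s)"
        rows.append({
            "cve": e["cveID"],
            "product": e["product"],
            "window_days": remediation_window_days(e),
            "ransomware": e["knownRansomwareCampaignUse"],
            "status": status,
        })
    return rows


if __name__ == "__main__":
    # Hypothetical estate: ToolShell was patched last summer, the new CVE not yet.
    entries = kev_entries_for(load_kev(SAMPLE_KEV_FEED), "Microsoft", "SharePoint")
    for row in triage(entries, patched={"CVE-2025-53770"}, today=date(2026, 3, 19)):
        print(f"{row['cve']}: window={row['window_days']}d "
              f"ransomware={row['ransomware']} status={row['status']}")
```

To run this against the live catalog, replace SAMPLE_KEV_FEED with the body of the KEV JSON feed linked from the CISA page cited at [3] and feed your own patched-CVE set from your vulnerability management tooling; the vendor/product filter is deliberately loose on product so "SharePoint Server" and "SharePoint Enterprise Server" both match.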
At the time of publication, Microsoft had not updated the security advisory to indicate that CVE-2026-20963 is under active exploitation. Microsoft did not immediately respond to The Register's inquiries about the vulnerability, including who is abusing this CVE and for what purposes.
Reg readers likely remember the SharePoint mass-exploitation over the summer and into fall.
[6]Salt Typhoon hit governments on three continents with SharePoint attacks
[7]Another massive security snafu hits Microsoft, but don't expect it to stick
[8]Microsoft SharePoint victim count hits 400+ orgs in ongoing attacks
[9]Ransomware crims that exploited SharePoint 0-days add Velociraptor to their arsenal
Back in July, Microsoft [10]patched the so-called ToolShell vulnerability ([11]CVE-2025-53770), a critical remote code execution bug in on-premises SharePoint servers. Before it was fixed, however, Chinese attackers found and [12]exploited the bug as a zero-day, compromising [13]more than 400 organizations, including the US Energy Department.
At the time, Microsoft attributed the break-ins to three China-based groups: [14]two government-backed groups that steal sensitive IP and spy on former government and military personnel, plus a third criminal org that exploited the bug to infect victims with [15]Warlock ransomware.
In October, we learned that other Beijing crews – including [16]Salt Typhoon – also joined in the attacks. ®
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963
[2] https://www.theregister.com/2026/01/14/patch_tuesday_january_2026/
[3] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[6] https://www.theregister.com/2025/10/22/salt_typhoon_sharepoint_attacks/
[7] https://www.theregister.com/2025/07/21/massive_security_snafu_microsoft/
[8] https://www.theregister.com/2025/07/23/microsoft_sharepoint_400_orgs/
[9] https://www.theregister.com/2025/10/10/ransomware_velociraptor/
[10] https://www.theregister.com/2025/07/21/infosec_in_brief/
[11] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
[12] https://www.theregister.com/2025/07/21/massive_security_snafu_microsoft/
[13] https://www.theregister.com/2025/07/23/microsoft_sharepoint_400_orgs/
[14] https://www.theregister.com/2025/07/22/chinese_groups_attacking_microsoft_sharepoint/
[15] https://www.theregister.com/2025/10/10/ransomware_velociraptor/
[16] https://www.theregister.com/2025/08/28/fbi_cyber_cop_salt_typhoon/
Q for the security professionals
Like a badger
Surely, after years and years of bad actors exploiting flaws in software, the companies who sell the software might know how to check for flaws?
All of software security appears to this outsider to be pure theatre, in which companies and consultants pontificate about best practice and zero-days, without managing to proactively find and plug the myriad flaws until bad guys do the finding for them.
"It looks like you're avoiding litigation. Would you like help?"
Why not use the new MicroSlop Backdoor Assistant - : "Compliance Bypass Assistant (Preview)"