Critical SharePoint Zero-Day Under Active Exploitation — Patch Before Friday
CISA added CVE-2026-20963 to its Known Exploited Vulnerabilities catalog with a 3-day patch deadline. If you run SharePoint on-prem, act now.
CISA confirmed on March 18 that CVE-2026-20963 is being actively exploited. The vulnerability is a deserialization flaw in Microsoft SharePoint that lets an attacker run arbitrary code on the server — no login required. US federal agencies got three days to patch. Three days. That tells you everything about how serious this is.
Who is affected?
Anyone running SharePoint Server on-premises or in a hybrid configuration.
If you are fully on SharePoint Online through Microsoft 365, Microsoft has already patched the cloud service. But many organizations still have hybrid components running — old SharePoint farms that "just handle the archive" or "will be migrated soon." Those are exactly the systems attackers look for.
What should you do?
Three things, in order of priority:
- Check what you are running. Is it SharePoint Online only, or is there a SharePoint Server somewhere in your environment? This takes about an hour to verify.
- Patch immediately. Install the latest cumulative update for SharePoint Server. This is the only complete fix.
- Restrict access. If patching takes time, shut down external access to the SharePoint server until the update is in place.
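The three steps above as a check you can run on a suspected server. This is an added example, not Microsoft's or the author's tooling. It assumes an elevated SharePoint Management Shell, and the `-FixedBuild` parameter is an assumption: this page does not state the patched build number, so take it from Microsoft's advisory for CVE-2026-20963.

```powershell
# Added example: verify whether this machine is a SharePoint farm member and
# whether the farm is at the patched build. Run elevated on the suspected server.
param(
    # Patched build number from Microsoft's advisory (not stated on this page).
    [Parameter(Mandatory = $true)]
    [version]$FixedBuild
)

# Step 1: is SharePoint Server installed here? SPTimerV4 is the SharePoint Timer Service.
if (-not (Get-Service -Name SPTimerV4 -ErrorAction SilentlyContinue)) {
    Write-Output ("{0}: SharePoint Timer Service not found, not a farm member." -f $env:COMPUTERNAME)
    return
}

# Load the SharePoint cmdlets if this is a plain PowerShell session.
if (-not (Get-Command Get-SPFarm -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

# Step 2: compare the farm build with the patched build.
# BuildVersion only advances after the Products Configuration Wizard has run,
# so a server with the update installed but not configured still reports the old build.
$farm  = Get-SPFarm
$state = if ($farm.BuildVersion -ge $FixedBuild) { 'at or above fixed build' }
         else { 'BELOW fixed build, patch now' }
Write-Output ("Farm build {0}: {1}" -f $farm.BuildVersion, $state)

# Every SharePoint server in the farm needs the update; Role 'Invalid' marks
# non-SharePoint machines such as the database server.
Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object Address, Role, NeedsUpgrade | Format-Table -AutoSize

# Step 3: list the URLs the farm answers on and their zones. Check each one against
# your firewall and reverse-proxy rules, and close off any that are reachable from
# outside until the update is in place.
Get-SPAlternateURL | Select-Object IncomingUrl, Zone, PublicUrl | Format-Table -AutoSize
```

A zone label alone does not prove a URL is or is not reachable from the internet, so confirm exposure at the network edge rather than relying on the zone column.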
Why this matters for SMBs on M365
Many of the businesses we work with have done most of their cloud migration — but not all of it. There is often a SharePoint server still running for legacy reasons, sometimes forgotten by IT. That kind of overlooked infrastructure is exactly what attackers target.
CVE-2026-20963 requires no credentials. An attacker only needs network access to the server. That makes it especially dangerous for organizations with services exposed to the internet.
How we can help
We offer a quick check (1–2 hours) where we verify your SharePoint setup and confirm whether you are exposed. If needed, we help with emergency patching or plan a migration to SharePoint Online.
Want us to check your environment? Get in touch — we can start today.