The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially reached the remediation deadline for CVE-2026-20963. While the mandate technically applies only to U.S. Federal Civilian Executive Branch (FCEB) agencies, the "Known Exploited" status makes this a global emergency for any enterprise still running on-premises SharePoint instances.

1. The Flaw: Why "Zero-Click" Matters

Tracked as a deserialization-of-untrusted-data vulnerability, this flaw is a nightmare for network defenders because of its low attack complexity.

  • The Vulnerability: An unauthenticated attacker can send a specially crafted network packet to a vulnerable SharePoint server.
  • The Impact: This triggers remote code execution (RCE) with the same privileges as the SharePoint service account.
  • Zero User Interaction: Unlike phishing, no one needs to click a link or open a file. If the server is reachable from the internet (or by an attacker who has already breached the local network), it can be compromised instantly.

2. Target Range: Who is at Risk?

Microsoft originally patched this in January 2026, but the transition of this bug from "theoretical" to "actively exploited" has caught many off guard. The following versions are affected:

  • SharePoint Server Subscription Edition (Fixed in KB5002843)
  • SharePoint Server 2019 (Fixed in KB5002845)
  • SharePoint Enterprise Server 2016 (Fixed in KB5002841)
  • Legacy Systems: While 2007, 2010, and 2013 versions are also vulnerable, they are end-of-support and will not receive a patch. CISA recommends discontinuing these products immediately.

3. The "Salt Typhoon" Connection?

While the specific threat actors behind current campaigns are being tracked as "unidentified" in public reports, researchers have noted that state-sponsored groups like Salt Typhoon have historically favored SharePoint RCEs (like last year's ToolShell exploit) to compromise government and energy sector targets. The speed of the CISA order suggests that a high-profile, non-public incident may have triggered the urgency.
Hacklido Technical Takeaway: Post-Patch Verification

If you are just now applying the March 10 Cumulative Update (CU) to meet the deadline, remember that Step 2 is as important as Step 1.

  1. Run PSConfig: Installing the KB is not enough. You must run the SharePoint Products Configuration Wizard immediately after installation to ensure the schema upgrades are applied. Without this, the vulnerability may remain "open" despite the software appearing updated.
  2. Audit Service Accounts: Because this exploit gives attackers the privileges of the SharePoint service, now is the time to verify that your service accounts are following the "Principle of Least Privilege." They should never have local admin or domain admin rights.
  3. Check for Persistence: If your server was unpatched between January and today, perform a scan for unauthorized .aspx files in the /_layouts/ directory or new, unrecognized service accounts.
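A post-patch verification script covering the three checks above, added here as an example and not taken from the original post or from Microsoft. It assumes SharePoint Server 2019 on the 16 hive, an elevated farm-administrator PowerShell session on each server, and an expected farm build number that you fill in from the KB5002845 article (the placeholder below is not a real value).

```powershell
# Added example: post-patch verification for an on-premises SharePoint 2019 server.
# Assumptions: 16-hive install path, farm-admin session, $ExpectedBuild filled in from the KB page.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

$ExpectedBuild = [Version]"0.0.0.0"      # PLACEHOLDER: replace with the build listed in KB5002845
$LayoutsDir    = "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"  # assumed 16-hive path
$ExposureFrom  = Get-Date "2026-01-01"   # assumed start of the unpatched window (January patch release)

# 1. Is the CU applied AND has PSConfig completed? A server with the binaries but a pending
#    upgrade still has NeedsUpgrade = $true, which is the "patched but still open" state.
$farm   = Get-SPFarm
$server = Get-SPServer -Identity $env:COMPUTERNAME
if ($farm.BuildVersion -lt $ExpectedBuild) { "[FAIL] Farm build $($farm.BuildVersion) is below expected $ExpectedBuild; install the CU" }
else                                       { "[OK]   Farm build $($farm.BuildVersion)" }
if ($server.NeedsUpgrade) { "[FAIL] Upgrade pending on $env:COMPUTERNAME; run the Products Configuration Wizard (PSConfig)" }
else                      { "[OK]   No upgrade pending on $env:COMPUTERNAME" }

# 2. Service-account audit: no SharePoint managed account should be a local Administrator.
#    (Extend with Get-ADGroupMember "Domain Admins" where the AD module is available.)
$localAdmins = (Get-LocalGroupMember -Group Administrators).Name
foreach ($acct in Get-SPManagedAccount) {
    if ($localAdmins -contains $acct.UserName) { "[WARN] $($acct.UserName) is a local Administrator" }
    else                                      { "[OK]   $($acct.UserName) is not a local Administrator" }
}

# 3. Persistence check: .aspx files under LAYOUTS (served as /_layouts/) written during the exposure window.
#    Anything listed here should be matched against your own deployment records before being trusted.
Get-ChildItem -Path $LayoutsDir -Recurse -Filter *.aspx |
    Where-Object { $_.LastWriteTime -ge $ExposureFrom } |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize
```

Run it on every server in the farm, since PSConfig state and dropped files are per-server, not per-farm.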