Critical SharePoint Vulnerability Exploited
2026-03-19 18:54 | Severity: CRITICAL / HIGH

Executive Summary (AI-generated)
The US government has warned that a critical Microsoft SharePoint bug is being exploited to compromise victims' servers, with the latest reporting dated March 19. The vulnerability, CVE-2026-20963, allows unauthenticated attackers to remotely execute code on the server without user interaction; Microsoft fixed it as part of its January Patch Tuesday. However, Chinese attackers exploited the bug as a zero-day before it was patched, compromising more than 400 organizations, including the US Energy Department. The incident highlights the ongoing threat posed by zero-day vulnerabilities such as CVE-2026-20963, which are exploited by APT groups such as Salt Typhoon, and it has led CISA to order FCEB agencies to secure their servers.
Technical Mitigations (AI-generated)
* Upgrade to a supported version: Admins should upgrade end-of-support SharePoint Server versions (e.g. SharePoint Server 2007, SharePoint Server 2010) to a supported version to block attacks.
* Implement patching and monitoring: Implement patches for vulnerable SharePoint servers as soon as possible, and regularly monitor systems for signs of exploitation or compromise.
* Use secure coding practices: Ensure that developers follow secure coding practices when writing code in SharePoint, such as validating user input and using secure authentication mechanisms.
* Configure firewall rules and intrusion detection/prevention systems (IDPS): Configure firewall rules and IDPS to block incoming traffic on vulnerable ports, and enable monitoring for suspicious activity.
* Implement access controls and segregation of duties: Ensure that users have the necessary permissions and access controls in place to prevent unauthorized access or exploitation of vulnerabilities.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
* Salt Typhoon
* CVE-2026-20963
* CVE-2025-53770
* CVE-2025-40551
Target & Sectors
* Region: NORTH_AMERICA
* Sectors: energy, government
Incident Timeline
January 2026
Threat actors exploited a known vulnerability in the Microsoft SharePoint Server component (tagged T1584.004 - Server), allowing them to inject and execute arbitrary code remotely.
organisation: Microsoft / tactic: T1584.004 - Server
"In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server," Microsoft said when it patched the vulnerability as part of its January 2026 Patch Tuesday.
2026-03-19
Unknown attackers exploit yet another critical Microsoft SharePoint bug.
organisation: CVE-2026-20963
CVE-2026-20963 is a critical deserialization flaw in SharePoint that allows unauthenticated attackers to remotely execute code on the server without any user interaction, and Redmond fixed the issue as part of its January Patch Tuesday.
organisation: SharePoint Enterprise
Tracked as CVE-2026-20963, this security flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
organisation: the US Energy Department / victims: 400 organizations
Before it was fixed, however, Chinese attackers found and exploited the bug as a zero-day, compromising more than 400 organizations, including the US Energy Department.
organisation: SharePoint
Unknown attackers exploit yet another critical SharePoint bug. Admins are advised to upgrade end-of-support SharePoint Server versions to a supported version to block attacks.
organisation: Microsoft
At the time, the vulnerability was neither publicly known nor exploited, according to Microsoft, which deemed exploitation "less likely."
organisation: Register / CVE
Microsoft did not immediately respond to The Register's inquiries about the vulnerability, including who is abusing this CVE and for what purposes.
threat_actor: Salt Typhoon
In October, we learned that other Beijing crews – including Salt Typhoon – also joined in the attacks.
organisation: Critical Microsoft SharePoint
Critical Microsoft SharePoint flaw now exploited in attacks.
organisation: BOD
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Saturday, March 21
CISA added the actively exploited SharePoint bug to the US government's catalog of actively exploited vulnerabilities and ordered FCEB agencies to secure their servers by this date.
attribution: FCEB / Federal Civilian Executive Branch
However, CISA added the security flaw to its catalog of actively exploited vulnerabilities and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers by Saturday, March 21.
Tactical Metrics
* Victims: more than 400 organizations, including the US Energy Department (compromised by Chinese attackers who exploited the bug as a zero-day before it was fixed).
Intelligence Sources
* The Register - Cybercrime, 2026-03-19: "Unknown attackers exploit yet another critical SharePoint bug"
* BleepingComputer, 2026-03-19: "Critical Microsoft SharePoint flaw now exploited in attacks"
Incident Version History
Current version, last updated: 2026-04-27T11:15
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 16x attribution (Attributing Entity): Microsoft SharePoint [authority]
* 10x organisation (Identified Entity): the US Energy Department [entity]
* 8x timeline (Temporal Reference): 2016 [date]
* 3x vulnerability (Exploited CVE): CVE-2026-20963 [cve]
* 3x tactic (MITRE ATT&CK Technique): T1588.006 - Vulnerabilities [technique]
* 2x source region (Origin Country): United States [country]
* 2x industry (Targeted Sector): Government [sector]
* 2x tactic (Cyber Operation Type): Ransomware [tactic]
* 2x target region (Target Country): United States [country]
Contextual Telemetry
* victims (Organizations): 400
* threat actor (APT Group): Salt Typhoon