2026-004: Critical Vulnerability in SharePoint Exploited
On 17 March 2026, Microsoft updated one of its January 2026 security advisories related to a remote code execution vulnerability in Microsoft SharePoint. Specifically, Microsoft raised the CVSS score and changed the FAQ section to indicate that the vulnerability could be exploited by an unauthenticated attacker. This vulnerability was added in the CISA's Known Exploited Vulnerabilities (KEV) catalogue on 18 March 2026. Additionally, three further RCE flaws affecting Microsoft SharePoint were addressed in the March 2026 release. CERT-EU strongly recommends updating SharePoint servers as soon as possible, prioritising internet-facing assets. CERT-EU also encourages IT administrators to take necessary remediation actions.
CSIRTS triage
- What
- A remote code execution vulnerability can be exploited by unauthenticated attackers.
- Who is affected
- Deployments of Microsoft SharePoint are affected, especially internet-facing assets.
- Urgency
- Remediation is critical due to the high CVSS score and active exploitation.
- Action
- Update SharePoint servers as soon as possible.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch SharePoint
Get an email when a new SharePoint advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://cert.europa.eu/publications/security-advisories/2026-004/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Elevated exploitation riskCVE-2026-2096331.1% 30-day exploitation probability — well above the norm. Schedule remediation this cycle. Riskier than 98% of all scored CVEs.
- Moderate exploitation riskCVE-2026-261061.4% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 69% of all scored CVEs.
- Low exploitation riskCVE-2026-261130.54% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 42% of all scored CVEs.
- Moderate exploitation riskCVE-2026-261142.4% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 82% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-20963 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-26106 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-26113 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-26114 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- criticalexploitedCVE-2026-20963: Microsoft SharePoint Deserialization of Untrusted Data Vulnerabilitycisa-kev
Recent advisories for 2026-004
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- criticalexploitedDrupal core - Highly critical - SQL injection - SA-CORE-2026-004drupal · 2026-05-20
More from CERT-EU Security Advisories
- critical2026-008: Critical vulnerabilities in Ivanti Sentry2026-06-10
- critical2026-007: Critical Vulnerability in Windows Netlogon2026-06-10
- critical2026-006: Critical Vulnerability in PAN-OS2026-05-06
- high2026-005: High Vulnerability in the Linux Kernel ("Copy Fail")2026-04-30
- unknown2026-003: Multiple Vulnerabilities in Citrix NetScaler and Citrix ADC2026-03-23