CISA Confirms Active Exploitation of SharePoint Zero-Day
The Cybersecurity and Infrastructure Security Agency issued an urgent warning on March 19, 2026, confirming that attackers are actively exploiting a critical Microsoft SharePoint vulnerability that was patched in January's Patch Tuesday release. The agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, signaling that threat actors have moved beyond proof-of-concept attacks to real-world exploitation campaigns targeting enterprise environments.
The vulnerability, which affects multiple versions of SharePoint Server, allows remote attackers to execute arbitrary code on vulnerable systems without authentication. Microsoft originally classified the flaw as critical with a CVSS score of 9.8, indicating maximum severity due to its network-accessible attack vector and the potential for complete system compromise. Security researchers who discovered the vulnerability during routine penetration testing reported it to Microsoft through coordinated disclosure protocols in late 2025.
CISA's decision to add this SharePoint flaw to the KEV catalog represents a significant escalation in threat assessment. The agency only includes vulnerabilities in this catalog when they have confirmed evidence of active exploitation by threat actors in real-world attacks. This designation triggers mandatory patching requirements for federal civilian executive branch agencies, which must now remediate the vulnerability within 21 days of the catalog addition. The timing suggests that multiple exploitation attempts have been detected across government and private sector networks since the January patch release.
According to the CISA advisory, the vulnerability stems from improper input validation in SharePoint's web application framework, allowing attackers to inject malicious code through specially crafted HTTP requests. The exploitation process requires no user interaction and can be executed remotely over the network, making it particularly attractive to cybercriminals and nation-state actors seeking to establish persistent access to corporate environments. Initial attack vectors observed by security researchers include automated scanning campaigns targeting internet-facing SharePoint installations and targeted spear-phishing campaigns designed to identify vulnerable internal systems.
Related: CISA Orders Federal Agencies to Patch Zimbra Zero-Day
Related: CISA Warns of Actively Exploited Wing FTP Server Flaw
SharePoint Deployments Across Enterprise Networks at Risk
The vulnerability impacts a broad range of Microsoft SharePoint Server deployments, including SharePoint Server 2019, SharePoint Server 2016, and SharePoint Server Subscription Edition. Organizations running these versions without the January 2026 security updates remain vulnerable to remote code execution attacks. Microsoft's security bulletin indicates that both on-premises SharePoint installations and hybrid cloud configurations are affected, though SharePoint Online customers using Microsoft's fully managed service are protected by automatic updates.
Enterprise environments face the highest risk due to SharePoint's widespread adoption as a collaboration platform and document management system. Organizations in government, healthcare, financial services, and manufacturing sectors commonly deploy SharePoint for sensitive data storage and workflow management, making successful exploitation particularly damaging. The vulnerability's network-accessible nature means that internet-facing SharePoint portals are especially vulnerable to automated attack campaigns, while internal SharePoint farms remain at risk from attackers who have already gained network access through other means.
Federal agencies represent a priority target for this exploitation campaign, given SharePoint's extensive use across government departments for document collaboration and information sharing. CISA's mandatory patching directive affects hundreds of federal civilian agencies that rely on SharePoint for mission-critical operations. Private sector organizations, while not subject to the same regulatory requirements, face similar risks and should prioritize patching efforts to prevent potential data breaches, ransomware deployment, or advanced persistent threat establishment.
Immediate Patching and Mitigation Steps for SharePoint Administrators
Microsoft released comprehensive security updates to address this vulnerability as part of the January 2026 Patch Tuesday cycle. SharePoint administrators must immediately apply security update KB5002474 for SharePoint Server 2019, KB5002475 for SharePoint Server 2016, and KB5002476 for SharePoint Server Subscription Edition. The updates are available through Microsoft Update Catalog and Windows Server Update Services (WSUS) for automated deployment across enterprise environments. Organizations should prioritize patching internet-facing SharePoint servers first, followed by internal farm servers based on criticality and data sensitivity.
For organizations unable to immediately apply patches, Microsoft recommends implementing network-level protections to reduce attack surface exposure. Web application firewalls configured with rules to block suspicious HTTP requests can provide temporary mitigation, though this approach should not replace proper patching. Network segmentation strategies that isolate SharePoint servers from direct internet access and implement strict access controls can limit potential exploitation vectors. Additionally, administrators should enable comprehensive logging on SharePoint servers and monitor for unusual authentication attempts, unexpected process execution, and abnormal network traffic patterns that might indicate compromise attempts.
The CISA Known Exploited Vulnerabilities catalog provides detailed guidance for federal agencies on compliance requirements and recommended remediation timelines. Private sector organizations should follow similar protocols, conducting immediate vulnerability scans to identify affected SharePoint installations and prioritizing patches based on system criticality and exposure level. Security teams should also review SharePoint access logs from the past 60 days to identify potential compromise indicators and implement additional monitoring for post-exploitation activities such as lateral movement, privilege escalation, and data exfiltration attempts.
