SharePoint vuln added
CISA has added the SharePoint deserialization vulnerability CVE‑2026‑20963 to its Known Exploited Vulnerabilities (KEV) catalog, which means organizations should treat it as a high priority for patching or mitigation. The entry was flagged in March 2026, so IT controls teams should begin tracking remediation evidence and patch attestations immediately. (x.com)
CISA added CVE‑2026‑20963 to the KEV catalog on March 18, 2026 and set a remediation window for federal civilian agencies that requires fixes by March 21, 2026. (securityweek.com) Microsoft shipped the fix in its January 13, 2026 Patch Tuesday updates and lists the SharePoint security updates (including KB mappings for Subscription Edition and on‑prem SKUs) in its January security update guidance. (support.microsoft.com)

The NVD records CVE‑2026‑20963 as a deserialization RCE with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N) and identifies the affected products as SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. (nvd.nist.gov) CISA's KEV entry reflects confirmed evidence of exploitation in the wild; Microsoft updated its advisory around March 17, 2026 without explicitly stating active exploitation in the vendor advisory, while independent reporting has described observed attacks against unpatched servers. (securityweek.com)

Microsoft's fixes are packaged as January 2026 cumulative updates (admins should apply the full CU rather than piecemeal fixes), and SharePoint Subscription Edition systems should be updated to build 16.0.19127.20442 or later per vendor build mappings. (blog.stefan-gossner.com) Inclusion in the KEV catalog triggers BOD 22‑01 obligations for FCEB agencies to remediate within CISA's timelines and to track remediation in agency tracking artifacts such as POA&Ms (FedRAMP updated POA&M guidance to accommodate KEV tracking for cloud service providers). (cisa.gov)
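The following script is an added example, not code from CISA, Microsoft or any of the sources cited above. It shows how a vulnerability-management team might turn the facts in this brief into a remediation check: it compares an inventory of SharePoint build numbers against the minimum patched Subscription Edition build (16.0.19127.20442), computes how many days remain before the KEV due date (March 21, 2026), and flags overdue unpatched hosts. The inventory records and host names are constructed for illustration. Because the brief gives a minimum build only for Subscription Edition, hosts running SharePoint Server 2016 or 2019 are reported as needing a manual check rather than being guessed at.

```python
"""Remediation-status check for CVE-2026-20963 (added example, not vendor code).

Compares installed SharePoint build numbers against the minimum fixed build
quoted in the brief and evaluates each host against the CISA KEV due date.
"""
from datetime import date

# Values taken from the brief: the CVE id, the first patched Subscription
# Edition build, the date CISA added the entry, and the FCEB due date.
CVE_ID = "CVE-2026-20963"
MIN_FIXED_BUILD_SE = "16.0.19127.20442"
KEV_DATE_ADDED = date(2026, 3, 18)
KEV_DUE_DATE = date(2026, 3, 21)

# Constructed inventory records (hypothetical hosts, not real systems).
# The 2019 host has no minimum build in the brief, so it cannot be auto-judged.
SAMPLE_INVENTORY = [
    {"host": "sp-se-01", "edition": "Subscription Edition", "build": "16.0.19127.20442"},
    {"host": "sp-se-02", "edition": "Subscription Edition", "build": "16.0.18000.20000"},
    {"host": "sp-se-03", "edition": "Subscription Edition", "build": "16.0.9999.1"},
    {"host": "sp-2019-01", "edition": "SharePoint Server 2019", "build": "16.0.10000.10000"},
]


def parse_build(build: str) -> tuple:
    """Convert a dotted SharePoint build string into a tuple of ints.

    Malformed inventory data raises ValueError instead of being silently
    classified as patched or unpatched.
    """
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed build string: {build!r}")
    return tuple(int(p) for p in parts)


def is_patched(build: str, minimum: str = MIN_FIXED_BUILD_SE) -> bool:
    """True if the installed build is at or above the first fixed build.

    Integer tuple comparison is used on purpose: a plain string comparison
    would rank "16.0.9999.1" above "16.0.19127.20442" because "9" > "1".
    """
    return parse_build(build) >= parse_build(minimum)


def assess_host(record: dict, today: date) -> dict:
    """Classify one inventory record against the KEV entry.

    Status is "patched" or "unpatched" for Subscription Edition, where the
    brief gives a minimum build, and "manual-check" for other editions.
    """
    edition = record["edition"]
    if edition == "Subscription Edition":
        status = "patched" if is_patched(record["build"]) else "unpatched"
    else:
        status = "manual-check"  # no build mapping for 2016/2019 in the brief
    days_to_due = (KEV_DUE_DATE - today).days
    return {
        "host": record["host"],
        "edition": edition,
        "build": record["build"],
        "cve": CVE_ID,
        "status": status,
        "days_to_due": days_to_due,
        "overdue": status == "unpatched" and today > KEV_DUE_DATE,
    }


def triage(inventory: list, today: date) -> list:
    """Assess every host and order the list so overdue unpatched hosts come
    first, then remaining unpatched hosts, then everything else by name."""
    assessed = [assess_host(r, today) for r in inventory]
    return sorted(
        assessed,
        key=lambda r: (not r["overdue"], r["status"] != "unpatched", r["host"]),
    )


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY, date(2026, 3, 22)):
        flag = "OVERDUE" if r["overdue"] else ""
        print(f'{r["host"]:<12} {r["edition"]:<24} {r["build"]:<18} '
              f'{r["status"]:<13} due_in={r["days_to_due"]:>3}d {flag}')
```

The triage output is the kind of artifact that can be attached to a POA&M or patch attestation: each row records the evidence (installed build), the decision (status), and the deadline position (days to due, overdue flag). The "manual-check" bucket is deliberate; a checker that assumed the Subscription Edition build floor applied to 2016 or 2019 would produce false assurance.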