Multiple critical vulns active
CISA warns active attacks are exploiting the SharePoint RCE CVE-2026-20963; a separate critical telnetd flaw (CVE-2026-32746) allows unauthenticated root RCE on port 23; and an information-disclosure bug was reported in M365 Copilot. Together they highlight mixed risk across legacy protocols and AI tooling; unpatched or legacy services remain immediate risk points. (securityweek.com)(thehackernews.com)(teamwin.in)
CISA added CVE-2026-20963 to its Known Exploited Vulnerabilities catalog on March 18, 2026 and ordered Federal Civilian Executive Branch agencies to remediate the SharePoint issue by March 21, 2026. (securityweek.com) Microsoft issued the initial Patch Tuesday fixes for the SharePoint deserialization bug on January 13, 2026 and published the January security update entries for affected SharePoint Server builds. (support.microsoft.com) Vendor and public records classify CVE-2026-20963 as an unsafe-deserialization remote code execution flaw that impacts SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. (nvd.nist.gov)

Israeli researcher group Dream disclosed CVE-2026-32746 on March 11, 2026 (advisory published March 13), identifying an out-of-bounds write in the telnetd LINEMODE SLC handler in GNU Inetutils through version 2.7 that can produce pre-authentication root RCE (reported CVSS 9.8). (dreamgroup.com) Dream recommended immediate service disablement and network-level blocking of TCP/23 and projected a fix no later than April 1, 2026; distribution trackers such as Debian show fixes being staged while some releases remain marked vulnerable. (dreamgroup.com) Industry scans referenced by researchers put roughly 1,000,000 devices listening on port 23 on the public internet, amplifying how a pre-auth telnet daemon bug like CVE-2026-32746 can reach embedded, OT, and legacy infrastructure at scale. (safebreach.com)

India's CERT-IN published vulnerability note CIVN-2026-0146 on March 18, 2026 classifying an M365 Copilot information-disclosure issue as HIGH and listing affected components (Word, Excel, PowerPoint, Teams, Outlook, OneNote, PowerBI, Loop and Copilot mobile clients), while Microsoft tracks the underlying report as CVE-2026-26133 (published March 12, 2026) and describes it as an AI command-injection/cross-prompt injection that requires user interaction and carries a Microsoft base CVSS 3.1 score of 7.1. (cert-in.org.in)

CERT-IN and Microsoft's MSRC update guide both point to Microsoft's CVE page for remediation details; Dream's advisory and distribution security-tracker entries list telnet mitigations and patch timelines. Those vendor pages are the primary sources for follow-up and fixes. (cert-in.org.in)
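The telnet mitigation above (disable the daemon, block TCP/23 until a fixed GNU Inetutils build is installed) is easy to verify per host. The script below is an added example, not code from Dream's advisory or from any distribution: it audits a Linux host for a listener on port 23 from `ss -ltn` output and prints, without executing, the remediation steps. The sample `ss` output is constructed; the `inetutils-inetd` unit name and the nftables `inet filter` table/`input` chain are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example (not from the cited advisories): audit a Linux host for a
# listening telnet daemon on TCP/23 from `ss -ltn` output, and print the
# remediation steps Dream's advisory calls for (disable the service, block
# TCP/23) without executing them.

# Constructed sample of `ss -ltn` output so the functions can be exercised offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
LISTEN 0      128    [::]:80            [::]:*'

# telnet_listeners: read ss-style lines on stdin and print every local socket
# bound to port 23, whatever the address family (last ":"-separated field).
telnet_listeners() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == "23") print $4 }'
}

# telnet_exposed: succeed (exit 0) when the input contains a port-23 listener.
telnet_exposed() {
    [ -n "$(telnet_listeners)" ]
}

# print_remediation: the steps the advisory recommends. Unit and table names
# are assumptions; they differ by distribution and inetd setup.
print_remediation() {
    cat <<'EOF'
# 1. Stop and disable the telnet service (unit name varies by distribution):
systemctl disable --now inetutils-inetd     # or the telnet/telnetd unit in use
# 2. Block TCP/23 on the host and at the network edge (assumes an nftables
#    'inet filter' table with an 'input' chain already exists):
nft add rule inet filter input tcp dport 23 drop
# 3. Apply the vendor/distribution fix for CVE-2026-32746 once staged, then re-audit.
EOF
}

# Live run: `sh audit_telnet.sh --live` checks the current host with ss(8).
if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
    if ss -ltn | telnet_exposed; then
        echo "telnet daemon listening on TCP/23:"
        ss -ltn | telnet_listeners
        print_remediation
    else
        echo "no TCP/23 listener found"
    fi
fi
```

Run it with `--live` on each host in the fleet (for example from a configuration-management job) and treat any non-empty `telnet_listeners` output as a finding; the same `awk` filter works on the IPv6 bracketed form, which is why the port is taken from the last colon-separated field rather than a fixed column.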