CISA Warns Houston Businesses: Critical SharePoint Flaw Under Active Attack
January’s SharePoint Patch Just Became March’s Emergency – Your SharePoint Server Has a Bullseye on It Right Now
A critical deserialization vulnerability is being actively exploited against on-premises SharePoint servers. Federal patch deadline: March 21, 2026.
On March 18, 2026, CISA added CVE-2026-20963 to its Known Exploited Vulnerabilities catalog - confirming what many cybersecurity teams feared. The critical SharePoint flaw Microsoft patched back in January is now being used in real attacks against organizations running on-premises SharePoint servers. The vulnerability carries a CVSS score of 9.8 out of 10, and it requires zero user interaction to exploit. For Houston businesses still running self-hosted SharePoint, this is a five-alarm fire.
This isn't theoretical risk. CISA adds a vulnerability to the KEV catalog only when it has reliable evidence of active exploitation and a vendor fix or mitigation exists to point to, so a KEV listing means attacks are happening, not that they might. Under Binding Operational Directive 22-01, federal civilian agencies have until March 21 - a remarkably tight three-day window - to patch or mitigate. Every private-sector organization running SharePoint should treat that deadline as its own.
CVE-2026-20963 is a deserialization of untrusted data vulnerability in Microsoft SharePoint Server. Deserialization is the process by which software converts stored or transmitted data back into live objects in application memory. In .NET, which SharePoint is built on, a serialized payload names the types to instantiate and the values to load into them. If the server deserializes attacker-supplied data without restricting those types, the attacker can choose types whose constructors, property setters, or finalizers run code on their behalf (a "gadget chain"), and the server executes that code as if it were its own logic.
The practical result? An attacker sends a crafted HTTP request carrying malicious serialized data to a vulnerable SharePoint server. When SharePoint deserializes it, the attacker's payload runs inside the web server process. No login credentials needed. No user interaction required. The attacker just needs network access to the server - and for a server published to the internet, that means anyone.
Key technical details about the vulnerability:
- CVE ID: CVE-2026-20963
- CVSS Score: 9.8 (Critical)
- Vulnerability Type: Deserialization of Untrusted Data (CWE-502)
- Attack Vector: Network (Privileges Required: None - no authentication needed)
- Attack Complexity: Low
- User Interaction: None
- Disclosure Date: January 13, 2026 (Patch Tuesday)
- KEV Catalog Date: March 18, 2026
- Federal Remediation Deadline: March 21, 2026
Microsoft's own description is blunt: "An unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server." That's about as bad as it gets. This is not a privilege escalation flaw where an attacker needs some level of access first. This is front-door access with full code execution.
CISA hasn't published specific details about the ongoing exploitation campaigns, and the threat groups behind the attacks remain unidentified at this point. That's typical for fresh KEV additions - the priority is getting organizations to patch, not publishing an attacker playbook. What we know about the attack mechanics comes from Microsoft's advisory and the vulnerability's technical profile.
The exploitation chain likely follows a pattern we've seen repeatedly with SharePoint deserialization flaws:
- Initial Access: The attacker identifies an internet-facing or network-accessible SharePoint server and sends a crafted request containing malicious serialized data
- Code Execution: SharePoint's deserialization process triggers the embedded payload, executing arbitrary code on the server inside the IIS worker process (w3wp.exe) with the privileges of the web application pool account - in many farms a domain account
- Persistence: Once code execution is achieved, attackers typically deploy web shells, backdoors, or other persistence mechanisms to maintain access
- Lateral Movement: From the compromised SharePoint server, attackers can move deeper into the corporate network - accessing Active Directory, file shares, email systems, and other critical infrastructure
This pattern isn't speculation. It's exactly what happened during the 2025 ToolShell campaign, in which a chained pair of SharePoint vulnerabilities (followed by two patch-bypass CVEs) was used to compromise over 400 organizations worldwide. Microsoft attributed those attacks to Chinese state-affiliated groups including Storm-2603. Government agencies, healthcare systems, telecommunications providers, and enterprises across North America and Western Europe were hit.
The reason SharePoint keeps showing up in these campaigns is straightforward. SharePoint servers typically store sensitive corporate documents, internal communications, financial data, and operational information. They're often connected to Active Directory and other identity infrastructure. Compromising a SharePoint server doesn't just give you documents - it gives you a launching pad into the rest of the network.
SharePoint's Growing Attack Surface
CISA's KEV catalog now contains nine SharePoint vulnerabilities. Three of those came from the 2025 ToolShell campaign alone. CVE-2026-20963 makes the pattern clear: on-premises SharePoint is a persistent, high-value target for attackers. Organizations still running self-hosted SharePoint need dedicated cybersecurity monitoring and aggressive patch management to keep up.
CVE-2026-20963 affects all currently supported on-premises SharePoint Server versions. Microsoft released patches for these systems as part of the January 2026 Patch Tuesday updates. If you applied those updates in January - on every server in the farm, and completed the post-install configuration step - you're protected. If you didn't, you're exposed to confirmed active exploitation right now.
Affected supported versions:
- Microsoft SharePoint Server Subscription Edition - the current subscription-based on-premises offering
- Microsoft SharePoint Server 2019 - widely deployed in mid-sized businesses and enterprises; extended support ends July 14, 2026
- Microsoft SharePoint Enterprise Server 2016 - still in extended support, but that support also ends July 14, 2026
Affected end-of-life versions (no patches available):
- SharePoint Server 2013 - end of extended support reached April 2023
- SharePoint Server 2010 - end of extended support reached April 2021
- SharePoint Server 2007 - end of extended support reached October 2017
That last group is the scary one. If you're running SharePoint 2007, 2010, or 2013, there is no security patch for this vulnerability and there never will be. Microsoft has explicitly said these versions won't receive updates. The only option is upgrading to a supported version or migrating to SharePoint Online in Microsoft 365.
SharePoint Online in Microsoft 365 is not affected by this vulnerability. The flaw is specific to on-premises server deployments. That distinction matters, because it highlights one of the security advantages of moving collaboration workloads to cloud-hosted services where Microsoft handles patching directly.
Who Is at Risk?
The short answer: any organization running an unpatched on-premises SharePoint server that's reachable over the network. But "at risk" means different things for different organizations, and some Houston businesses face higher stakes than others.
Industries with the most to lose from a SharePoint compromise:
- Law firms: SharePoint often stores privileged client communications, case files, and confidential litigation documents. A breach could trigger mandatory bar association notifications and destroy client trust. Houston's legal community - from small practices in the Galleria to mid-sized firms downtown - frequently relies on on-premises SharePoint for document management
- CPA and wealth management firms: Financial records, tax returns, client portfolios, and audit workpapers make these firms high-value targets. FTC Safeguards Rule compliance adds regulatory exposure on top of the data breach itself
- Healthcare organizations: Patient records, HIPAA-protected data, and clinical documentation. The 2025 ToolShell campaign specifically targeted healthcare systems - and this vulnerability shares the same deserialization attack class
- Energy and oil & gas companies: Operational documents, proprietary geological data, and supply chain communications. Houston's energy sector was already a target during previous state-sponsored SharePoint campaigns
- Construction and engineering firms: Project bids, contract documents, and site plans stored in SharePoint could give competitors or threat actors a significant advantage
CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.
We see SharePoint deployments across nearly every industry vertical we serve - from law firms in Sugar Land to construction companies in Cypress to wealth management practices across West Houston. The pattern is consistent: businesses that haven't migrated to SharePoint Online are running exactly the software that's being actively attacked right now.
CISA's guidance is direct: apply vendor patches, implement mitigations, or stop using the product. There's no fourth option. Here's what that looks like in practice for Houston-area businesses.
Immediate actions (do these today):
- Apply the January 2026 security updates: Microsoft released patches for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 on January 13, 2026. If your server is on a supported version, the fix has been available for over two months. Apply it now
- Verify patch status: Don't assume patching happened automatically. Confirm the update was applied on every server in the farm by checking the farm build number against the build listed in Microsoft's security advisory for CVE-2026-20963, and confirm the post-install configuration step (PSConfig) completed - installed binaries alone don't finish a SharePoint update
- Review SharePoint server logs: Look in the IIS logs, the SharePoint ULS logs, and the Windows Security log for unusual authentication attempts, unexpected file uploads, newly created .aspx files, anomalous administrative activity, or access to sensitive endpoints. Exploitation may have already occurred during the two-month window between patch release and KEV addition, and CISA's confirmation date is a floor, not the date attacks began
- Restrict network access: If you can't patch immediately, limit access to the SharePoint server to trusted IP ranges at the perimeter firewall or reverse proxy, and back that up with the host firewall. Remove internet-facing access entirely if possible
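As an added example (not code from the article or from CinchOps), here is a PowerShell triage script covering the log-review and network-restriction steps above. Its assumptions are labelled in the code: the IIS log lines are constructed samples, the trusted ranges 10.0.0.0/8 and 192.168.0.0/16 and the `u_ex*.log` folder are placeholders for your own, and the LAYOUTS path is the SharePoint 2016/2019/Subscription Edition "16 hive".

```powershell
# Added example, not from the article: first-pass triage for the "review logs" and
# "restrict network access" steps. Assumptions (change for your environment):
# trusted client ranges, the default IIS log folder, and the SharePoint 2016/2019/
# Subscription Edition "16 hive" LAYOUTS folder. Run elevated on the SharePoint server.

$TrustedRanges = @('10.0.0.0/8', '192.168.0.0/16')   # assumption: your internal client ranges

# Constructed sample IIS W3C log lines (IIS writes spaces in the User-Agent as '+').
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-03-17 02:14:09 10.1.2.3 GET /_layouts/15/start.aspx - 443 CORP\alice 10.1.50.20 Mozilla/5.0+(Windows+NT+10.0) 200
2026-03-17 02:14:31 10.1.2.3 POST /_layouts/15/example.aspx - 443 - 203.0.113.45 python-requests/2.31 200
2026-03-17 02:14:35 10.1.2.3 GET /_layouts/15/dropped.aspx - 443 - 203.0.113.45 python-requests/2.31 200
2026-03-17 02:15:02 10.1.2.3 POST /_layouts/15/upload.aspx - 443 CORP\bob 10.1.50.21 Mozilla/5.0+(Windows+NT+10.0) 200
'@

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }
    try {
        $ipB  = [Net.IPAddress]::Parse($Ip).GetAddressBytes()
        $netB = [Net.IPAddress]::Parse($net).GetAddressBytes()
    } catch { return $false }
    if ($ipB.Length -ne 4 -or $netB.Length -ne 4) { return $false }   # IPv4 only
    [Array]::Reverse($ipB); [Array]::Reverse($netB)                     # network order -> host order
    $all  = [long][uint32]::MaxValue
    $mask = ($all -shl (32 - [int]$bits)) -band $all
    return (([BitConverter]::ToUInt32($ipB, 0) -band $mask) -eq ([BitConverter]::ToUInt32($netB, 0) -band $mask))
}

function Get-SuspiciousRequests {
    param([string[]]$Lines, [string[]]$Trusted)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if (-not $fields -or $line -like '#*' -or -not $line.Trim()) { continue }
        $v = $line -split ' '
        $r = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $v.Count; $i++) { $r[$fields[$i]] = $v[$i] }
        if ($r['cs-uri-stem'] -notlike '/_layouts/*') { continue }   # focus on server-side application pages
        $isTrusted = $false
        foreach ($c in $Trusted) { if (Test-IPv4InCidr $r['c-ip'] $c) { $isTrusted = $true; break } }
        $why = @()
        if (-not $isTrusted) { $why += 'source outside trusted ranges' }
        if ($r['cs-username'] -eq '-' -and $r['cs-method'] -eq 'POST' -and $r['sc-status'] -eq '200') { $why += 'unauthenticated POST succeeded' }
        if ($why) {
            [pscustomobject]@{
                Time = "$($r['date']) $($r['time'])"; Client = $r['c-ip']; Method = $r['cs-method']
                Uri = $r['cs-uri-stem']; User = $r['cs-username']; Status = $r['sc-status']
                UserAgent = $r['cs(User-Agent)']; Why = ($why -join '; ')
            }
        }
    }
}

function Find-RecentWebContent {
    param([string]$Root, [datetime]$Since)
    # Web shells land as new .aspx/.ashx/.asmx files; .dll catches dropped assemblies.
    Get-ChildItem -Path $Root -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

function Set-SharePointIngressScope {
    param([string[]]$Trusted)
    # Windows Firewall evaluates Block rules before Allow rules, so "allow only trusted"
    # is: default-deny inbound, one Allow scoped to $Trusted, and no broad Allow left on 80/443.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    New-NetFirewallRule -DisplayName 'SharePoint web - trusted ranges only' -Direction Inbound `
        -Protocol TCP -LocalPort 80, 443 -RemoteAddress $Trusted -Action Allow | Out-Null
    # Any remaining enabled inbound Allow on 80/443 still admits the whole internet: list it for review.
    Get-NetFirewallPortFilter -Protocol TCP -LocalPort 80, 443 | Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' -and
                       $_.DisplayName -ne 'SharePoint web - trusted ranges only' } |
        Select-Object DisplayName, Profile, Group
}

# Offline demonstration on the constructed lines; for real logs use, for example,
#   -Lines (Get-ChildItem 'C:\inetpub\logs\LogFiles' -Recurse -Filter 'u_ex*.log' | Get-Content)
Get-SuspiciousRequests -Lines ($SampleLog -split "`r?`n") -Trusted $TrustedRanges | Format-Table -AutoSize

$Layouts = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
Find-RecentWebContent -Root $Layouts -Since ([datetime]'2026-01-13') | Format-Table -AutoSize

# Run deliberately, only if you cannot patch now, and after confirming your own management access is allowed:
# Set-SharePointIngressScope -Trusted $TrustedRanges
```

Three caveats a practitioner should keep in mind. The log heuristics are deliberately narrow (requests to `/_layouts/` from outside your ranges, and anonymous POSTs that returned 200); Office and OneDrive clients also send non-browser user agents, so the User-Agent column is there for context, not as a trigger. Installing the January update itself rewrites files under LAYOUTS, so use your actual install date as the baseline and compare any odd file's hash against a known-good server. And the firewall function is a host-level stopgap: because Windows Firewall lets a Block rule override any Allow, the restriction only holds if no broader inbound Allow for 80/443 remains enabled, and a server that should not be on the internet belongs behind the perimeter firewall or reverse proxy in the first place.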
If you're running end-of-life SharePoint versions:
- Upgrade to a supported version that can receive the security patch
- Migrate to SharePoint Online in Microsoft 365, which is not affected by this vulnerability and eliminates the patch management burden for SharePoint entirely
- Disconnect the server from the network if neither upgrade nor migration is immediately possible. CISA explicitly recommends discontinuing use of vulnerable products when no fix or mitigation exists
Longer-term measures:
- Evaluate cloud migration: Every on-premises SharePoint vulnerability reinforces the security case for moving to SharePoint Online, where Microsoft handles patching. This has been the trend since the ToolShell campaign forced hundreds of organizations through emergency response in 2025
- Implement network segmentation: Isolate SharePoint servers from other critical infrastructure so that a compromised server can't easily become a launching pad for lateral movement
- Deploy endpoint detection and response (EDR): Monitor for post-exploitation activity including web shell deployment, credential theft, and unusual process execution on SharePoint servers
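The post-exploitation behaviour mentioned above, and in the Persistence and Lateral Movement steps earlier, has a simple host-side tell: code that runs inside SharePoint runs inside the IIS worker process, so a web shell or deserialization payload usually shows up as w3wp.exe spawning a command interpreter. This added example (not from the article or from CinchOps) is a detection for that. It assumes Windows Security event 4688 with command-line auditing enabled on Windows Server 2016 or later; the sample events are constructed.

```powershell
# Added example, not from the article: host-side detection for web-shell and
# deserialization-payload activity on a SharePoint server. Assumes Security event
# 4688 (process creation) with "Include command line in process creation events"
# enabled on Windows Server 2016 or later, where ParentProcessName is populated.

function Test-SuspiciousW3wpChild {
    param([string]$ParentProcessName, [string]$NewProcessName, [string]$CommandLine)
    $interpreters = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'cscript.exe', 'wscript.exe',
                    'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'
    # ASP.NET compiles pages on demand with these, so they are expected children of w3wp.exe.
    $expected = 'csc.exe', 'cvtres.exe'
    $parent = [IO.Path]::GetFileName($ParentProcessName).ToLowerInvariant()
    $child  = [IO.Path]::GetFileName($NewProcessName).ToLowerInvariant()
    if ($parent -ne 'w3wp.exe' -or $expected -contains $child) { return $false }
    if ($interpreters -contains $child) { return $true }
    # Any other child of the worker process whose command line smells of recon or credential access.
    return [bool]($CommandLine -match 'whoami|net1?\s+(user|group|localgroup)|lsass|comsvcs|\s-e(nc|ncodedcommand)?\s')
}

function Get-W3wpChildProcesses {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if (Test-SuspiciousW3wpChild $d['ParentProcessName'] $d['NewProcessName'] $d['CommandLine']) {
                [pscustomobject]@{
                    Time = $_.TimeCreated; Account = $d['SubjectUserName']
                    Parent = $d['ParentProcessName']; Child = $d['NewProcessName']; CommandLine = $d['CommandLine']
                }
            }
        }
}

# Constructed sample events (not real telemetry) so the logic can be exercised offline.
$Samples = @(
    @{ ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe'
       NewProcessName    = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'
       CommandLine       = 'csc.exe /noconfig /fullpaths @"C:\Windows\Temp\page.cmdline"' },
    @{ ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe'
       NewProcessName    = 'C:\Windows\System32\cmd.exe'
       CommandLine       = 'cmd.exe /c whoami /all' },
    @{ ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe'
       NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine       = 'powershell.exe -nop -w hidden -enc SQBFAFgA' },
    @{ ParentProcessName = 'C:\Windows\explorer.exe'
       NewProcessName    = 'C:\Windows\System32\cmd.exe'
       CommandLine       = 'cmd.exe' }
)
foreach ($s in $Samples) {
    '{0,-5} {1} -> {2}' -f (Test-SuspiciousW3wpChild @s), (Split-Path $s.ParentProcessName -Leaf), $s.CommandLine
}

# On the server itself, the last 24 hours of real events:
Get-W3wpChildProcesses | Format-Table -AutoSize
```

The design choice worth noting is the allow-list for the compiler processes: ASP.NET legitimately launches csc.exe from w3wp.exe when it compiles a page, and without that exception the rule pages you on every first visit to a rarely used page. Everything else the worker process spawns deserves a look, and an EDR or Sysmon (event ID 1 carries the same parent and command-line fields) gives you the same signal with better retention than the Security log.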
Vulnerabilities like CVE-2026-20963 are exactly why patch management can't be an afterthought. A two-month gap between patch availability and confirmed exploitation is actually generous by current standards - the ToolShell vulnerabilities were exploited within days of disclosure - and CISA's March 18 confirmation is a floor, not the date attacks began. Houston businesses with 10 to 200 employees typically don't have the internal resources to monitor every Microsoft Patch Tuesday release, assess which updates apply to their environment, test patches, and deploy them before attackers start scanning.
That's where CinchOps steps in. Here's what we do to keep our clients ahead of threats like this:
- Proactive Patch Management: We monitor every vendor security update, assess applicability to each client's environment, and deploy critical patches within defined SLA windows - not two months later
- Vulnerability Assessment and Scanning: Regular scans identify unpatched systems, misconfigurations, and exposed services before attackers find them
- 24/7 Security Monitoring: Continuous monitoring for indicators of compromise, including the post-exploitation behaviors associated with SharePoint attacks - web shells, credential harvesting, and lateral movement
- Cloud Migration Planning: We help businesses evaluate and execute migration from on-premises SharePoint to Microsoft 365, reducing the attack surface and eliminating the patch management burden for collaboration tools
- Incident Response: If exploitation has already occurred, we help contain the breach, assess the damage, and restore operations - drawing on experience with the exact attack patterns that SharePoint vulnerabilities enable
- Business Continuity Planning: Ensuring that even if a critical server is compromised, your business has the backup, failover, and recovery capabilities to keep operating
In 30+ years working in IT - including time at Cisco managing enterprise security infrastructure - the pattern I see most often is businesses waiting until after something breaks to ask about protection. CVE-2026-20963 is a clear signal that waiting is no longer an option. The attackers are already at work. Contact CinchOps to make sure your SharePoint environment - and the rest of your IT infrastructure - is protected.
What is CVE-2026-20963 and why is it critical?
CVE-2026-20963 is a remote code execution vulnerability in Microsoft SharePoint Server caused by improper deserialization of untrusted data. It carries a CVSS score of 9.8 out of 10. An unauthenticated attacker can exploit it over the network without any user interaction, gaining the ability to execute arbitrary code on the SharePoint server. CISA confirmed active exploitation on March 18, 2026.
Is SharePoint Online in Microsoft 365 affected?
No. SharePoint Online in Microsoft 365 is not affected by CVE-2026-20963. The vulnerability only impacts on-premises SharePoint Server deployments, including Server 2016, 2019, and Subscription Edition. Organizations using SharePoint Online benefit from Microsoft managing all security patches directly, which eliminates the risk from on-premises patching delays.
How do I know if my SharePoint server is patched against this vulnerability?
Check your farm's build number, on every server, against the build listed in Microsoft's security advisory for CVE-2026-20963, published January 13, 2026. If the farm build matches or exceeds the patched build and no server is still flagged as needing upgrade, the fix is in place. If the update's binaries were installed but the configuration wizard was never run, the farm build won't have moved and the update isn't complete. If you're unsure, your managed IT provider should be able to verify patch status. If you don't have one, contact CinchOps for a security assessment.
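The check this answer describes, and the "Verify patch status" step in the immediate actions above, as an added example that is not code from the article or from CinchOps. It assumes a SharePoint 2016/2019/Subscription Edition farm (16 hive) and an elevated SharePoint Management Shell; the article does not give the patched build number, so `$PatchedBuild` is a placeholder to be replaced with the build from Microsoft's advisory.

```powershell
# Added example, not from the article: confirm the fix for CVE-2026-20963 is
# really in place on a SharePoint 2016/2019/Subscription Edition farm. The article
# does not give the patched build number; $PatchedBuild is a placeholder to be
# replaced with the build listed in Microsoft's January 13, 2026 advisory.
# Run from an elevated SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SharePointPatchState {
    param([Parameter(Mandatory)][version]$PatchedBuild)

    # Farm build: the number the advisory is compared against. It only advances once
    # PSConfig (the Products Configuration Wizard) has completed on the farm.
    $farmBuild = [version](Get-SPFarm).BuildVersion

    # Version of the core assembly on this server: changes as soon as the update's
    # binaries are installed, even if PSConfig has not been run yet.
    $dll = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll'
    $binaryVersion = [version](Get-Item $dll).VersionInfo.FileVersion

    # SharePoint flags servers whose installed patch has not been completed by PSConfig.
    $pending = @(Get-SPServer | Where-Object { $_.NeedsUpgrade } | ForEach-Object { $_.Name })

    [pscustomobject]@{
        FarmBuild      = $farmBuild
        BinaryVersion  = $binaryVersion
        PatchedBuild   = $PatchedBuild
        Patched        = ($farmBuild -ge $PatchedBuild) -and ($pending.Count -eq 0)
        ServersPending = $pending
    }
}

# Replace the placeholder with the patched build from the advisory before trusting the result.
Get-SharePointPatchState -PatchedBuild '16.0.0.0' | Format-List
```

Read the two version fields together: the advisory's number is a farm build, so `FarmBuild` is the one that decides, while `BinaryVersion` (the assembly's own file version, numbered on a related but not identical scheme) lets you tell "update installed but PSConfig never run" from "update never installed". Note that `Get-HotFix` lists operating-system updates only and won't show SharePoint patches, and that a 2013 or older farm uses a different hive and has no fix to look for.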
What should Houston businesses do if they're running end-of-life SharePoint versions?
SharePoint Server 2007, 2010, and 2013 are all vulnerable and will never receive patches for CVE-2026-20963. CISA recommends discontinuing use of vulnerable products when no mitigation is available. The two practical options are upgrading to a supported SharePoint Server version or migrating to SharePoint Online in Microsoft 365. In the immediate term, disconnect the server from external network access.
Could this vulnerability be used in ransomware attacks against small businesses?
CISA has not yet confirmed links between CVE-2026-20963 and ransomware campaigns, but the risk is real. Remote code execution flaws are highly prized by ransomware operators and initial access brokers. The 2025 ToolShell SharePoint vulnerabilities were used to deploy Warlock ransomware against compromised organizations. Any unpatched SharePoint server should be treated as a potential ransomware entry point.
Sources
- CISA, Known Exploited Vulnerabilities Catalog: CVE-2026-20963 added (March 18, 2026)
- SecurityWeek: CISA warns of attacks exploiting recent SharePoint vulnerability
- Help Net Security: CISA warns of active exploitation of Microsoft SharePoint vulnerability (CVE-2026-20963)
- BleepingComputer: Critical Microsoft SharePoint flaw now exploited in attacks
- CybersecurityNews: CISA Warns of Microsoft SharePoint Vulnerability Exploited in Attacks
- CISA: Guidance on the ToolShell SharePoint exploitation campaign (2025)