Number: AL26-005
Date: March 20, 2026
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
The Canadian Centre for Cyber Security (Cyber Centre) is aware of active exploitation of a vulnerability affecting Microsoft SharePoint Server. In response to the Microsoft security advisory, released on January 13, 2026Footnote 1, the Cyber Centre issued AV26-024Footnote 2 on January 13, 2026. The Advisory was updated on March 18, 2026 to include additional details.
Tracked as CVE-2026-20963Footnote 3, this vulnerability is a critical Deserialization of Untrusted Data (CWE-502)Footnote 4 vulnerability affecting multiple versions of Microsoft SharePoint Server and could allow an unauthenticated remote attacker to execute code over the network.
The Cyber Centre has observed exploitation of this vulnerability, and organizations are urged to take immediate action.
This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalogFootnote 5 on March 18, 2026.
Suggested actions
The Cyber Centre recommends that organizations upgrade affected Microsoft SharePoint instances to a fixed version:
| Affected product | Affected versions | Fixed versions |
|---|---|---|
| Microsoft SharePoint Enterprise Server 2016 | 16.0.0 before 16.0.5535.1001 | 16.0.5535.1001 |
| Microsoft SharePoint Server 2019 | 16.0.0 before 16.0.10417.20083 | 16.0.10417.20083 |
| Microsoft SharePoint Server Subscription Edition | 16.0.0 before 16.0.19127.20442 | 16.0.19127.20442 |
Open-source reporting indicates that other legacy versions are affected by this vulnerability but are now considered end of support/life and should be decommissioned or upgraded.
The Cyber Centre recommends organizations to:
- Identify all on-premises SharePoint Server instances, particularly those exposed to the internet.
- Use or upgrade to supported versions of on-premises Microsoft SharePoint Server.
- Apply the latest security updates from Microsoft.
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security Actions with an emphasis on the following topicsFootnote 6.
- Patch operating systems and applications
- Harden operating systems and applications
- Isolate web-facing applications
Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal or email contact@cyber.gc.ca.