Critical Threat Alert

🚨 CRITICAL ALERT: Active Zero-Day Exploits Targeting Enterprise Infrastructure

THREAT LEVEL: CRITICAL — Two severe vulnerabilities with CVSS scores of 8.8 and 9.8 are under active exploitation. Immediate patching is mandatory for organizations running affected systems. CISA has confirmed active abuse of CVE-2026-20963 in the wild, with evidence of exploitation dating back to mid-March 2026.

Critical Vulnerabilities (CVSS ≥ 8.0)

  • CVE-2026-20963 (CVSS: 9.8) — Microsoft SharePoint Deserialization RCE: Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute arbitrary code over a network. Attackers with low-privileged authenticated access can craft malicious serialized payloads leveraging .NET gadget chains to achieve remote code execution within the SharePoint worker process. CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on March 18, 2026, confirming active exploitation. Affected versions include SharePoint Server Subscription Edition prior to 16.0.19127.20442, SharePoint Enterprise Server 2016 prior to 16.0.10417.20083, and SharePoint Server 2019 prior to 16.0.5535.1001.
  • CVE-2026-5281 (CVSS: 8.8) — Google Chrome Use-After-Free in Dawn: A use-after-free vulnerability in the Dawn component in Google Chrome prior to version 146.0.7680.178 allows a remote attacker who has compromised the renderer process to execute arbitrary code via a crafted HTML page. Chromium classifies the security severity as High.

⚡ Immediate Actions Required

For SharePoint Administrators (CVE-2026-20963): This is a network-based attack requiring only authenticated access. No user interaction is needed beyond an active session. Apply Microsoft’s January 13, 2026 security update immediately to all affected SharePoint Server instances. Monitor for suspicious serialized object submissions to SharePoint endpoints. Restrict low-privilege account permissions where possible. Consider network segmentation to limit lateral movement if compromise occurs.

For Chrome Users and Administrators (CVE-2026-5281): Update Google Chrome to version 146.0.7680.178 or later immediately. This vulnerability requires renderer process compromise, suggesting multi-stage attacks. Enforce automatic updates and restrict users' ability to defer security patches.

Enterprise-Wide Response: Activate your incident response plan. Audit network logs for unusual SharePoint access patterns since March 18, 2026. Implement threat detection for gadget chain payloads and unusual deserialization operations. Conduct forensic analysis on critical SharePoint servers for signs of exploitation.
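One way to start on the monitoring for serialized object submissions and the gadget chain detection recommended above, as an added example that is not part of the original alert or any vendor tooling. It assumes request bodies are available from a proxy or WAF capture, and it uses generic .NET serialization markers and constructed sample bodies, not indicators published for CVE-2026-20963.

```python
import base64
import re
from urllib.parse import quote, unquote_to_bytes

# A BinaryFormatter stream opens with a SerializationHeaderRecord:
# record type 0x00, RootId = 1, HeaderId = -1 (little-endian int32).
BINFMT_MAGIC = bytes.fromhex("0001000000ffffffff")
BINFMT_B64 = base64.b64encode(BINFMT_MAGIC)  # b"AAEAAAD/////"
# Assumption: generic .NET type names from publicly documented gadget
# chains; they are not indicators published for CVE-2026-20963.
SUSPECT_TYPES = (
    b"System.Windows.Data.ObjectDataProvider",
    b"System.Diagnostics.Process",
    b"ActivitySurrogateSelector",
)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}")


def _layers(body: bytes):
    """Yield the raw body, its URL-decoded form, and each decoded base64 run."""
    yield body
    decoded = unquote_to_bytes(body)
    yield decoded
    for match in B64_RUN.finditer(decoded):
        run = match.group()
        if len(run) % 4 == 1:  # impossible base64 length: drop the stray char
            run = run[:-1]
        yield base64.b64decode(run + b"=" * (-len(run) % 4))


def scan_body(body: bytes) -> list:
    """Return sorted finding labels for one captured HTTP request body."""
    findings = set()
    for layer in _layers(body):
        if BINFMT_MAGIC in layer:
            findings.add("binaryformatter-header")
        if BINFMT_B64 in layer:
            findings.add("binaryformatter-header-base64")
        findings.update("type:" + t.decode() for t in SUSPECT_TYPES if t in layer)
    return sorted(findings)


# Constructed samples. INERT is a header plus a type-name string, not an object graph.
INERT = BINFMT_MAGIC + bytes(8) + b"System.Windows.Data.ObjectDataProvider"
NOTE = b"Quarterly numbers are attached; see the finance site for details."
BENIGN = b"title=Q3+report&notes=" + quote(base64.b64encode(NOTE)).encode()
FLAGGED = b"__state=" + quote(base64.b64encode(INERT)).encode()
if __name__ == "__main__":
    print(scan_body(BENIGN), scan_body(FLAGGED))
```

A hit is a triage lead rather than proof of exploitation: some applications legitimately post serialized state, so baseline the endpoints that do before alerting on the rest.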

Risk Assessment

CVE-2026-20963 poses severe organizational risk due to its ability to compromise the SharePoint service account context, potentially enabling data exfiltration, lateral movement across enterprise networks, and persistent system compromise. The low barrier to entry (basic authenticated access) combined with active exploitation makes this an urgent remediation priority. Organizations should treat this as a critical infrastructure threat requiring executive escalation and resource allocation equivalent to incident response activities.