Unknown baddies are abusing yet another critical Microsoft SharePoint bug to compromise victims’ SharePoint servers, the US government warned.
CVE-2026-20963 is a critical deserialization flaw in SharePoint that allows unauthenticated attackers to remotely execute code on the server without any user interaction, and Redmond fixed the issue as part of its January Patch Tuesday. At the time, the vulnerability was neither publicly known nor exploited, according to Microsoft, which deemed exploitation “less likely.” Fast forward to Wednesday when the US Cybersecurity and Infrastructure Agency added CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog, gave federal agencies just three days to issue a patch..
Read more…
Source: The Register News
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
March 3, 2026
Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical ...
- Microsoft OAuth scams abuse redirects for malware delivery
March 3, 2026
Microsoft has warned organizations about ongoing OAuth abuse scams that use phishing emails and URL redirects to infect victims’ machines with malware and take over their devices. The phishing expedition targets government and public-sector organizations, according to a Monday report from Redmond’s security researchers. And while Microsoft Entra disabled the malicious OAuth applications, Microsoft’s infosec squad ...
- Hacktivists may have just cracked open ICE and exposed over 6,000 companies working with the DHS
March 3, 2026
A hacktivist group has claimed to have broken into systems belonging to the US Department of Homeland Security (DHS) and exposed sensitive files online. The group, with the self-awarded name “The Department of Peace”, stole data from the Office of Industry Partnership that contained contracts between DHS, Immigration and Customs Enforcement (ICE), and over 6,000 private ...
- Hacked traffic cams and hijacked TVs: How cyber operations supported the war against Iran
March 3, 2026
On Saturday, U.S. and Israeli jets began a bombing campaign against Iran, killing its supreme leader Ali Khamenei and several senior government officials. The attacks also hit military and civilian targets all across the country, including a girls’ school, where at least 168 children and adults were killed. After a few days of conflict, multiple reports, ...
- Chrome flaw let extensions hijack Gemini’s camera, mic, and file access
March 3, 2026
Chrome’s Gemini “Live in Chrome” panel (Gemini’s embedded, agent-style assistant mode within Chrome) had a high‑severity vulnerability tracked as CVE‑2026‑0628. The flaw let a low‑privilege extension inject code into the Gemini side panel and inherit its powerful capabilities, including local file access, screenshots, and camera/microphone control. The vulnerability was patched in a January update. But the ...
- Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild
March 3, 2026
Large language models (LLMs) and AI agents are becoming deeply integrated into web browsers, search engines and automated content-processing pipelines. While these integrations can expand functionality, they also introduce a new and largely underexplored attack surface. One particularly concerning class of threats is indirect prompt injection (IDPI), in which adversaries embed hidden or manipulated instructions within ...