Microsoft warns SharePoint Server zero-day CVE-2026-32201 is under active attack


Microsoft has confirmed active exploitation of CVE-2026-32201, a SharePoint Server spoofing vulnerability affecting on-premises SharePoint deployments. The flaw carries a CVSS 3.1 base score of 6.5, which puts it in the medium range, but the confirmed attacks make it a high-priority patching issue for affected organizations.

The vulnerability affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Microsoft released security updates for all three products on April 14, 2026, and CISA added the bug to its Known Exploited Vulnerabilities catalog the same day.

Microsoft describes the issue as an improper input validation flaw in Microsoft Office SharePoint that allows an unauthorized attacker to perform spoofing over a network. The company says successful exploitation could affect confidentiality and integrity, while availability impact remains unchanged.

Why this SharePoint bug matters now

This is not a case where defenders can wait for more details. Microsoft has already flagged the vulnerability as exploited in the wild, and CISA has given federal agencies until April 28, 2026, to apply mitigations or discontinue use if mitigations are unavailable.

That raises the urgency well above what the 6.5 score alone suggests. A network-exploitable SharePoint flaw with no privileges and no user interaction required creates a serious exposure for organizations running internet-facing or poorly segmented on-premises collaboration servers.

The sample article gets one important thing wrong in tone. It calls the flaw critical, but the official score Microsoft assigned is 6.5, not critical. The real reason this story matters is the confirmed exploitation, not the numeric severity label.

Affected SharePoint versions and patch details

Microsoft says the following SharePoint products received fixes on April 14:

Product | Update | Build
SharePoint Server Subscription Edition | KB5002853 | 16.0.19725.20210
SharePoint Server 2019 | KB5002854 | 16.0.10417.20114
SharePoint Server 2016 | KB5002861 | 16.0.5548.1003

These April 14 updates are part of Microsoft’s broader Office and SharePoint security release for the month. Microsoft’s support pages also note that the fixes address CVE-2026-32201 along with CVE-2026-20945 in the affected SharePoint builds.

For SharePoint Server 2016, Microsoft also warns that customers running SharePoint Workflow Manager must install KB5002799 before applying the cumulative update. That note appears in Microsoft’s official guidance for KB5002861.

What defenders should do next

Organizations running on-premises SharePoint should patch these servers immediately. They should also review exposure from internet-facing instances, since SharePoint remains a common enterprise platform and often sits close to sensitive internal content and authentication flows.

Security teams should not stop at patching alone. Because Microsoft and CISA both confirm active exploitation, defenders should inspect logs and surrounding infrastructure for suspicious access patterns, spoofing-related activity, and any signs that attackers tried to abuse exposed SharePoint services before updates were applied.

CISA’s guidance is blunt. Agencies should apply mitigations per vendor instructions, follow existing binding guidance for cloud services where relevant, or discontinue use if mitigations are unavailable. Private sector defenders will likely treat that as a strong signal to move fast as well.

Immediate response checklist

  • Patch SharePoint Server Subscription Edition, 2019, and 2016 with the April 14 security updates.
  • Check whether any SharePoint instances are directly exposed to the internet.
  • Review SharePoint and web server logs for suspicious remote activity.
  • Inspect authentication events and access patterns for anomalies.
  • Tighten segmentation and external access rules until patching is complete.
  • For SharePoint 2016 environments using Workflow Manager, install KB5002799 first.
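
To support the patching items in the checklist, the PowerShell below is an added example (not code from Microsoft or from the original article) that compares each server's build with the patched builds and KB numbers listed in this article. The helper name Test-SharePointBuild, the inventory host names and the two unpatched build numbers are constructed for illustration.

```powershell
# Added example. Minimum patched builds and KB numbers come from the table in this article.
$PatchedBuilds = @{
    'SubscriptionEdition' = @{ Build = [version]'16.0.19725.20210'; KB = 'KB5002853' }
    '2019'                = @{ Build = [version]'16.0.10417.20114'; KB = 'KB5002854' }
    '2016'                = @{ Build = [version]'16.0.5548.1003';   KB = 'KB5002861' }
}

function Test-SharePointBuild {
    # Hypothetical helper: compares one server's build with the patched build for its product.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SubscriptionEdition', '2019', '2016')]
        [string]$Product,
        [Parameter(Mandatory)]
        [version]$Build,
        [string]$Server = $env:COMPUTERNAME
    )
    $fix     = $PatchedBuilds[$Product]
    $patched = $Build -ge $fix.Build          # System.Version compares field by field
    $action  = if ($patched) { 'None' } else { "Install $($fix.KB)" }
    # Prerequisite from Microsoft's KB5002861 guidance, as reported in this article.
    if (-not $patched -and $Product -eq '2016') {
        $action += ' (install KB5002799 first if SharePoint Workflow Manager is in use)'
    }
    [pscustomobject]@{
        Server   = $Server
        Product  = $Product
        Build    = $Build
        Required = $fix.Build
        Patched  = $patched
        Action   = $action
    }
}

# Constructed inventory: host names and the two unpatched build numbers are made up.
$inventory = @(
    @{ Server = 'sp-se-01.example.internal';   Product = 'SubscriptionEdition'; Build = '16.0.19725.20210' }
    @{ Server = 'sp-2019-01.example.internal'; Product = '2019';                Build = '16.0.10417.20000' }
    @{ Server = 'sp-2016-01.example.internal'; Product = '2016';                Build = '16.0.5500.1000' }
)
$results = foreach ($row in $inventory) { Test-SharePointBuild @row }
$results | Format-Table -AutoSize -Wrap

# On a farm server with the SharePoint cmdlets loaded, check the live farm build instead:
# Test-SharePointBuild -Product '2019' -Build (Get-SPFarm).BuildVersion
```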

FAQ

What is CVE-2026-32201?

It is a Microsoft SharePoint Server improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.

Is this SharePoint vulnerability actively exploited?

Yes. Microsoft marked it as exploited, and CISA added it to the Known Exploited Vulnerabilities catalog on April 14, 2026.

Which SharePoint versions are affected?

SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016.

Is the flaw critical?

No. Microsoft’s CVSS 3.1 base score is 6.5, which is medium. The urgent part is the in-the-wild exploitation, not a critical severity label.

What patches fix it?

KB5002853 for SharePoint Server Subscription Edition, KB5002854 for SharePoint Server 2019, and KB5002861 for SharePoint Server 2016.
