Η Microsoft announced on April 14, 2026, during the monthly security update cycle, a serious vulnerability in Microsoft SharePoint Server which has begun to be actively exploited by attackers. This vulnerability, known as CVE-2026-32201, has been rated with a CVSS baseline score of 6,5 (Important), indicating the severity of the threat.
Vulnerability arises from improper input validation (CWE-20) in Microsoft Office SharePoint, allowing an unauthenticated remote attacker to perform spoofing attacks over a network. The nature of the attack is characterized as Network, the complexity of which is Low and no additional permissions or user interaction are required, making it accessible to threat actors.
The consequences of this exploit could allow attackers to gain access to sensitive information and compromise data, although the availability of the targeted resource remains unaffected. However, the combined lack of authentication and active exploits make the actual risk much higher.
0-Day Vulnerability in the Open Field
According to Microsoft, the vulnerability has been classified as Exploitation detected, meaning that active attacks have been observed before the update was released. The maturity of the exploit code falls into the category Functional, confirming the concern for customer safety.
The vulnerability had not been publicly disclosed prior to the release of the update, suggesting that it was likely exploited as a true zero-day by attackers before remediation became possible.
To protect users, Microsoft has released security updates for the three versions of SharePoint Server:
- SharePoint Server Subscription Edition — KB5002853, Build 16.0.19725.20210
- SharePoint Server 2019 — KB5002854, Build 16.0.10417.20114
- SharePoint Enterprise Server 2016 — KB5002861, Build 16.0.5548.1003
These updates are considered urgent and organizations are urged to implement them immediately. Managing the threat requires caution and quick steps to avoid potential breaches.
Recommendations for Organizations
Organizations using SharePoint Server are asked to consider the following actions:
- Apply the corresponding security updates immediately.
- Check access logs for suspicious network spoofing activities.
- Limit external SharePoint views until updates are applied.
- Monitor threat intelligence feeds for indicators of compromise.
- Ensure that SharePoint Server instances are not exposed directly to Internet without adequate protective measures.
SharePoint Server is one of the most popular enterprise collaboration platforms worldwide, making it a target for attacks by criminals and organized groups. Phishing vulnerabilities can facilitate attacks aimed at harvesting credentials or compromising business emails.
In summary, organizations running on-premises SharePoint installations, particularly those using the 2016 or 2019 versions, should prioritize patching this critical vulnerability immediately.
Microsoft appreciates the security community's coordinated disclosure efforts regarding this vulnerability and their continued collaboration to protect users.
