Microsoft SharePoint 0-Day Actively Exploited in Attacks

A critical zero-day spoofing vulnerability impacting Microsoft SharePoint Server is under active exploitation, Microsoft confirmed on April 14, 2026. The company disclosed the ongoing attacks as part of its monthly security update cycle.

Tracked as CVE-2026-32201, the flaw affects multiple versions of SharePoint Server and has been assigned a CVSS base score of 6.5 (Important), with an adjusted temporal score of 6.0 reflecting the availability of an official fix.

The vulnerability stems from improper input validation (CWE-20) in Microsoft Office SharePoint, allowing an unauthenticated remote attacker to perform spoofing attacks over a network.

With an attack vector classified as Network, attack complexity rated Low, and no privileges or user interaction required, the flaw presents a low-barrier entry point for threat actors targeting enterprise SharePoint deployments.

According to Microsoft’s advisory, successful exploitation could allow an attacker to view some sensitive information and tamper with disclosed data, though the availability of the targeted resource remains unaffected.

While the individual impact on confidentiality and integrity is rated Low, the combination of no authentication requirements and confirmed active exploitation significantly elevates real-world risk.

0-Day Actively Exploited in the Wild

Microsoft’s advisory confirms the vulnerability carries an “Exploitation Detected” assessment, meaning active attacks have already been observed prior to the patch release.

The exploit code maturity is flagged as Functional, and report confidence is Confirmed, a combination that places this vulnerability at the top of enterprise patching priority lists.

The flaw was not publicly disclosed before Microsoft’s patch release, suggesting it may have been weaponized as a true zero-day by threat actors before a coordinated disclosure was possible.

Microsoft has released security updates for all three affected SharePoint Server versions:

• SharePoint Server Subscription Edition — KB5002853, Build 16.0.19725.20210
• SharePoint Server 2019 — KB5002854, Build 16.0.10417.20114
• SharePoint Enterprise Server 2016 — KB5002861, Build 16.0.5548.1003

All three updates were released on April 14, 2026, and Microsoft has marked customer action as required for each affected product. Organizations should treat these patches as emergency updates, given the confirmed exploitation status.

• Apply the respective security updates immediately for all affected SharePoint Server versions
• Audit SharePoint Server access logs for unusual network-based spoofing activity or anomalous authentication patterns
• Restrict external-facing SharePoint instances where possible until patches are applied
• Monitor threat intelligence feeds for indicators of compromise (IOCs) associated with active exploitation campaigns
• Ensure SharePoint Server instances are not exposed directly to the internet without additional layered defenses such as WAF rules or network segmentation

SharePoint Server remains one of the most widely deployed enterprise collaboration platforms globally, making it a high-value target for both nation-state actors and financially motivated threat groups.

Spoofing vulnerabilities in collaboration tools can be leveraged as initial footholds for lateral movement, credential harvesting, or business email compromise-style attacks.

Organizations running on-premises SharePoint deployments, particularly those still on the 2016 or 2019 versions, are urged to prioritize this patch given the confirmed in-the-wild exploitation.

Microsoft has acknowledged the security community’s coordinated disclosure efforts in connection with this vulnerability.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.