Critical Microsoft SharePoint Server 0-Day Actively Exploited
Key Takeaways A critical zero-day spoofing vulnerability in Microsoft SharePoint Server is being actively exploited in the wild. The flaw, CVE-2026-32201, affects SharePoint Server Subscription...
Key Takeaways
- A critical zero-day spoofing vulnerability in Microsoft SharePoint Server is being actively exploited in the wild.
- The flaw, CVE-2026-32201, affects SharePoint Server Subscription Edition, 2019, and 2016 versions.
- It allows unauthenticated remote attackers to perform spoofing attacks, potentially leading to information disclosure and data tampering.
- Microsoft released emergency security updates for all affected versions on April 14, 2026.
Microsoft SharePoint Server Zero-Day Under Active Exploitation
Microsoft has confirmed that a critical zero-day spoofing vulnerability impacting its SharePoint Server platform is currently under active exploitation. The revelation came on April 14, 2026, as part of the company’s routine monthly security update cycle, highlighting an urgent threat to organizations utilizing the popular enterprise collaboration software.
Table Of Content
Vulnerability Details and Impact
The flaw, identified as CVE-2026-32201, affects multiple iterations of SharePoint Server. Microsoft has assigned it an “Important” CVSS base score of 6.5, which has been adjusted to a temporal score of 6.0 due to the immediate availability of a patch. This vulnerability stems from inadequate input validation (CWE-20) within Microsoft Office SharePoint, creating an avenue for unauthenticated remote attackers to execute spoofing attacks across a network.
The vulnerability’s characteristics make it particularly attractive to threat actors. Its attack vector is classified as Network-based, with low attack complexity, and requires neither elevated privileges nor user interaction. These factors combine to create a low-barrier entry point for adversaries targeting enterprise SharePoint deployments.
Microsoft’s official advisory indicates that successful exploitation could enable attackers to gain unauthorized access to sensitive information and manipulate disclosed data. While the availability of the targeted resource remains unimpacted, the individual impact on confidentiality and integrity is rated as Low. However, the absence of authentication requirements, coupled with confirmed active exploitation, significantly elevates the real-world risk associated with this flaw.
In-the-Wild Exploitation Confirmed
The urgency surrounding CVE-2026-32201 is underscored by Microsoft’s “Exploitation Detected” assessment, confirming that active attacks were observed prior to the public release of patches. The exploit code maturity is rated as Functional, and report confidence is Confirmed, placing this vulnerability at the highest tier for enterprise patching priorities.
The fact that the flaw was not publicly known before Microsoft’s patch release suggests it was weaponized as a true zero-day by malicious actors before a coordinated disclosure could take place. This scenario demands immediate attention from IT security teams.
Available Patches
Microsoft has promptly released security updates for all three impacted SharePoint Server versions. These updates were made available on April 14, 2026, and Microsoft has explicitly stated that customer action is required for each affected product:
- SharePoint Server Subscription Edition: KB5002853, Build 16.0.19725.20210
- SharePoint Server 2019: KB5002854, Build 16.0.10417.20114
- SharePoint Enterprise Server 2016: KB5002861, Build 16.0.5548.1003
Organizations are strongly advised to treat these as emergency updates given the confirmed active exploitation status.
SharePoint Server remains a cornerstone of enterprise collaboration globally, making it a prime target for both state-sponsored and financially motivated threat groups. Spoofing vulnerabilities in such critical tools can serve as initial entry points for more extensive attacks, including lateral movement within networks, credential harvesting, or business email compromise (BEC) schemes.
Microsoft has acknowledged the security community’s collaborative efforts in the coordinated disclosure process for this vulnerability.
What You Should Do
- Immediately apply the respective security updates for all affected SharePoint Server versions.
- Thoroughly audit SharePoint Server access logs for any signs of unusual network-based spoofing activity or anomalous authentication patterns.
- Restrict external-facing SharePoint instances where feasible until all necessary patches have been successfully applied.
- Actively monitor relevant threat intelligence feeds for any indicators of compromise (IOCs) linked to active exploitation campaigns.
- Ensure that SharePoint Server instances are not directly exposed to the internet without robust layered defenses, such as Web Application Firewall (WAF) rules or stringent network segmentation.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.