If you run an on‑premises SharePoint Server, you have another zero‑day to patch – and attackers are already using it.
Microsoft has confirmed that CVE-2026-32201, a spoofing vulnerability in Microsoft Office SharePoint, is being actively exploited in the wild. The company released a fix as part of its April 2026 Patch Tuesday updates on April 14, 2026.
The vulnerability carries a CVSS score of 6.5 (Important). An authenticated attacker could exploit the flaw to perform spoofing over a network, potentially tricking users into visiting malicious SharePoint‑hosted content or divulging credentials.
What Microsoft says: According to the official Microsoft Security Response Center (MSRC) advisory, the attacker would need to convince a victim to click a specially crafted URL. The vulnerability affects SharePoint Server 2019, SharePoint Server 2022, and SharePoint Server Subscription Edition.
CISA adds to KEV catalog: On April 14, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) Catalog, giving federal agencies until April 28, 2026 to apply the patch.
What you should do right now:
🔴 Immediate (today)
- Apply the April 2026 cumulative update for your version of SharePoint Server via Microsoft Update or the Microsoft Download Center.
- If you cannot patch immediately, consider disabling SharePoint's ability to parse certain file types or restricting external sharing as a temporary workaround.
🟠 This week
- Review audit logs for any suspicious POST requests to SharePoint endpoints.
- Remind users not to click links in unexpected SharePoint notifications or emails, even if they appear internal.
🟢 Long‑term
- Keep SharePoint Server on the latest supported build.
- Subscribe to Microsoft’s Security Update Guide RSS feed so you never miss an out‑of‑band patch.
Wait – does this affect SharePoint Online?
No. Microsoft has stated that SharePoint Online is not affected by this vulnerability. Only on‑premises versions of SharePoint Server require the update.
The bottom line: Another month, another actively exploited SharePoint flaw. The good news is that a patch exists. The bad news is that attackers are already scanning for unpatched servers.
Apply the April 2026 cumulative update. Don't wait for the weekend.
Sources: Microsoft Security Response Center (April 14, 2026), CISA KEV Catalog (April 14, 2026), NVD CVE-2026-32201 entry.
