Microsoft has confirmed that a critical zero-day vulnerability, CVE-2026-32201, in SharePoint Server is being actively exploited. Attackers can gain access to sensitive data without logging in. Patches are available—apply them immediately.
This critical vulnerability allows unauthenticated attackers to spoof their identity and gain access to sensitive corporate data. Microsoft released patches on April 14, 2026—deployment is urgent.
A vulnerability that existed before a fix was released
Microsoft has confirmed active exploitation of a critical vulnerability in SharePoint Server identified as CVE-2026-32201. This is a so-called zero-day vulnerability—that is, a flaw that was being exploited by attackers even before the vendor had a chance to release a fix. The vulnerability was disclosed on April 14, 2026, as part of Microsoft’s regular monthly security cycle and received a CVSS score of 6.5, which classifies it as “important.”
What an attacker can do
The vulnerability arises from insufficient input validation (CWE-20) in the Microsoft Office SharePoint environment. An attacker can send a specially crafted request to a vulnerable server over the network—without any authentication and without requiring user interaction. Upon successful exploitation, the attacker can spoof their identity, gain access to sensitive information, and even modify that data. While the availability of the system itself is not compromised, the combination of a zero-barrier-to-entry and confirmed active exploitation makes this vulnerability an extremely real threat.
Who Is Affected
The vulnerability affects only on-premises installations of SharePoint Server—that is, versions that companies run on their own servers. Specifically, SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 are affected. Organizations using SharePoint Online as part of Microsoft 365 are not at risk from this vulnerability, as the cloud environment is managed directly by Microsoft.
Patches are available but must be actively deployed
Microsoft released security updates for all three affected versions simultaneously with the disclosure of the vulnerability. However, the release of the patch alone does not automatically protect companies that have not yet installed the update. This is the main risk at present—attackers can continue to target unpatched systems, and according to Microsoft, a working exploit has been confirmed.
What This Means in Practice
For organizations running SharePoint Server, the priority is to deploy the relevant updates immediately. It is also advisable to check the server’s access logs for any anomalous activity and verify that the server is not unnecessarily exposed directly to the internet without additional layers of protection, such as WAF rules or network segmentation. SharePoint is one of the most widely used enterprise platforms in the world, making it an attractive target for both state-sponsored groups and financially motivated attackers.