Zero-Day Security Alert — April 15, 2026: Microsoft SharePoint Server Spoofing Actively Exploited
- Jacob Hughes
- Apr 15
- 2 min read
CVE-2026-32201: Microsoft SharePoint Server improper input validation vulnerability (CVSS 6.5) is actively exploited in the wild per CISA KEV. Apply Microsoft mitigations immediately to block network-based spoofing attacks.
Daily Security Briefing
April 15, 2026
CVE-2026-32201 | CVSS 6.5 | Medium Severity | Actively Exploited in the Wild
Affected Product
Microsoft SharePoint Server — Subscription Edition (versions before 16.0.19725.20210), SharePoint Server 2016 Enterprise, and SharePoint Server 2019.
Description
An improper input validation flaw (CWE-20) in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. The weakness affects both on-premises SharePoint Server deployments and Subscription Edition, and CISA confirmed active exploitation on April 14, 2026, adding the CVE to the Known Exploited Vulnerabilities catalog.
Attack Vector
Network-based (AV:N) with low attack complexity and no privileges or user interaction required (PR:N/UI:N). An unauthenticated remote attacker can send crafted input to a SharePoint endpoint to spoof identity or content, impacting confidentiality and integrity of the SharePoint farm. Because the attack needs no credentials and no user action, internet-exposed SharePoint instances face the highest risk.
Remediation
Apply the April 2026 Microsoft security updates per the vendor advisory at msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201. For SharePoint Subscription Edition, upgrade to build 16.0.19725.20210 or later. For SharePoint 2016 and 2019, install the corresponding security updates from the MSRC guide. Until patches are applied, restrict network access to SharePoint endpoints, enforce WAF rules that inspect SharePoint request parameters, review audit logs for anomalous SharePoint authentication or content modification events, and follow BOD 22-01 guidance if the service is cloud-hosted. Discontinue use of unsupported SharePoint versions that cannot be patched.
CISA Remediation Due Date: April 28, 2026
This report is generated automatically from NVD and CISA KEV data.
Comments