Critical Zero-Day Vulnerability in Microsoft SharePoint Server Actively Exploited
On April 14, 2026, Microsoft disclosed a critical zero-day vulnerability in SharePoint Server, identified as CVE-2026-32201. This flaw, stemming from improper input validation (CWE-20), allows unauthenticated remote attackers to perform spoofing attacks over a network. The vulnerability affects multiple versions of SharePoint Server, including Subscription Edition, 2019, and Enterprise Server 2016.
The vulnerability has been assigned a CVSS base score of 6.5, with an adjusted temporal score of 6.0, reflecting the availability of an official fix. Despite the individual impact on confidentiality and integrity being rated as low, the combination of no authentication requirements and confirmed active exploitation significantly elevates the real-world risk.
Microsoft’s advisory confirms that the vulnerability carries an Exploitation Detected assessment, indicating that active attacks have already been observed prior to the patch release. The exploit code maturity is flagged as functional, and report confidence is confirmed, placing this vulnerability at the top of enterprise patching priority lists.
To mitigate the risk, Microsoft has released security updates for all affected SharePoint Server versions:
– SharePoint Server Subscription Edition — KB5002853, Build 16.0.19725.20210
– SharePoint Server 2019 — KB5002854, Build 16.0.10417.20114
– SharePoint Enterprise Server 2016 — KB5002861, Build 16.0.5548.1003
Organizations are strongly advised to apply these updates immediately. Additionally, auditing SharePoint Server access logs for unusual network-based spoofing activity or anomalous authentication patterns is recommended. Restricting external-facing SharePoint instances where possible until patches are applied can further reduce risk. Monitoring threat intelligence feeds for indicators of compromise associated with active exploitation campaigns is also crucial. Ensuring that SharePoint Server instances are not exposed directly to the internet without additional layered defenses, such as web application firewall rules or network segmentation, is essential.
Given SharePoint Server’s widespread deployment as an enterprise collaboration platform, it remains a high-value target for both nation-state actors and financially motivated threat groups. Spoofing vulnerabilities in collaboration tools can be leveraged as initial footholds for lateral movement, credential harvesting, or business email compromise-style attacks. Organizations running on-premises SharePoint deployments, particularly those still on the 2016 or 2019 versions, are urged to prioritize this patch due to the confirmed in-the-wild exploitation.
