SharePoint vulnerability CVE-2026-32201 — patch now, attackers are active
Microsoft released an emergency fix for SharePoint Server on April 14. CISA added it to the KEV catalog the same day. If you run SharePoint on-prem you need to act this week.
Microsoft released a patch yesterday, April 14, for CVE-2026-32201 — a SharePoint Server vulnerability already under active exploitation. CISA added it to the KEV catalog the same day. Federal agencies have a hard remediation deadline. You should treat it the same way.
The root cause is improper input validation that lets an unauthenticated attacker spoof legitimate network requests. It affects SharePoint Server Subscription Edition, 2019, and Enterprise 2016. The fix shipped as part of April Patch Tuesday, alongside 166 other bulletins.
Why Swedish SMBs should care
Plenty of smaller Swedish companies still run SharePoint Server in hybrid mode, often because the migration to SharePoint Online stalled half-way. That is exactly the configuration now exposed. A successful attack on hybrid SharePoint usually pivots into Entra ID through AD Connect and onward to the full M365 tenant.
If you're on M365 Business Premium, believe you're fully in the cloud, but still have a SharePoint box talking to on-prem Exchange or Teams — you are affected.
What to do
- Inventory every SharePoint Server install, including hybrid. Verify build numbers against Microsoft's April release notes.
- Run the April patch in a pilot ring within 24 hours, broad rollout within 72 hours.
- Check IIS logs for the last 14 days for unusual _layouts/ requests from unknown IPs.
- If you haven't already — require device compliance via Conditional Access for SharePoint access.
This is not a patch you postpone until next maintenance window. The CISA deadline exists for a reason.
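The IIS log check from the list above, as an added example (not code from this page or from Microsoft): it reads W3C-format log lines, follows the #Fields header for column order, and groups _layouts/ requests from the last 14 days by client IP outside an allowlist. KNOWN_NETS, the sample log lines and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: networks you treat as "known" (office, VPN). Adjust to your site.
KNOWN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2026-04-13 08:01:12 GET /_layouts/15/start.aspx - 10.1.4.22 Mozilla/5.0 200
2026-04-13 23:47:05 POST /_layouts/15/ExamplePage.aspx - 203.0.113.50 python-requests/2.31 200
2026-04-13 23:47:09 POST /_layouts/15/ExamplePage.aspx - 203.0.113.50 python-requests/2.31 401
2026-04-14 02:10:33 GET /sites/hr/Shared%20Documents/a.docx - 198.51.100.7 Mozilla/5.0 200
2026-03-01 11:00:00 GET /_layouts/15/start.aspx - 198.51.100.7 Mozilla/5.0 200
"""

def is_known(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client address: keep it in the report
    return any(addr in net for net in KNOWN_NETS)

def layouts_hits_from_unknown_ips(lines, now, days=14):
    """Summarise _layouts/ requests per unknown client IP. IIS logs in UTC by default, so pass a UTC 'now'."""
    cutoff, fields = now - timedelta(days=days), []
    hits = defaultdict(lambda: {"count": 0, "paths": set(), "statuses": set()})
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is site-specific and can change mid-file
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            ip, path = row["c-ip"], row["cs-uri-stem"]
        except (KeyError, ValueError):
            continue  # truncated line or a log without the fields we need
        if ts < cutoff or "/_layouts/" not in path.lower() or is_known(ip):
            continue
        hits[ip]["count"] += 1
        hits[ip]["paths"].add(path)
        hits[ip]["statuses"].add(row.get("sc-status", "?"))
    return dict(hits)

if __name__ == "__main__":
    print(layouts_hits_from_unknown_ips(SAMPLE_LOG.splitlines(), datetime(2026, 4, 15)))
```

If SharePoint sits behind a reverse proxy or load balancer, c-ip holds the proxy address, so the original client IP has to come from a forwarded-for field that you add to the IIS log definition.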
How HaggeBurger can help
We run a two-hour Quick Check on your SharePoint patch state, verify hybrid integrity, and give you a written assessment you can hand to auditors or the board. If you want to kill the on-prem dependency entirely, we have a fixed-price SharePoint Online Migration Accelerator that runs in 2–4 weeks.
Want us to review your environment? Get in touch.