Critical SharePoint Zero-Day Actively Exploited — Patch Now
CVE-2026-32201 is actively exploited against SharePoint Server. Here is how to protect your environment.
Microsoft released its April patch yesterday. Among 167 fixed vulnerabilities, one stands out: CVE-2026-32201, a spoofing vulnerability in SharePoint Server that is already being actively exploited by attackers.
What happened
The vulnerability allows an unauthenticated attacker to spoof trusted content in SharePoint through improper input validation. In practice, an attacker can create convincing phishing pages or manipulate data directly in SharePoint — without logging in first.
CISA added CVE-2026-32201 to its KEV catalog on April 14, confirming active exploitation in the wild. This is not a theoretical risk.
Why it matters for SMBs
Many organizations with 10-50 employees still run SharePoint Server on-premises or in hybrid configuration with SharePoint Online. If you have a SharePoint server exposed to the internet — or communicating with your M365 environment — you need to act.
Hybrid installations inherit the vulnerabilities of their on-prem components. Running some workloads in the cloud does not eliminate the risk.
What you should do
- Install the security update immediately. The April 2026 Patch Tuesday update fixes CVE-2026-32201.
- Inventory your SharePoint installations. Do you know exactly which SharePoint Server instances exist in your environment? Hybrid configurations?
- Review exposure. Is SharePoint Server accessible from the internet? What authentication methods are in use?
- Consider migration. If you are still running SharePoint on-prem, there are strong reasons to move to SharePoint Online.
How HaggeBurger can help
We offer a quick SharePoint security check (2 hours) where we verify patch status and hybrid configuration. For organizations with more complex infrastructure, a half-day security assessment can cover the full SharePoint environment. Get in touch and we will schedule a review.