Microsoft: Microsoft SharePoint Server 0-Day Vulnerability Actively Exploited in Attacks

Critical Zero-Day in Microsoft SharePoint Server Actively Exploited

On April 14, 2026, Microsoft confirmed active exploitation of a zero-day spoofing vulnerability (CVE-2026-32201) in Microsoft SharePoint Server as part of its monthly security updates. The flaw, rated 6.5 (Important) on the CVSS scale with a temporal score of 6.0, stems from improper input validation (CWE-20) and affects multiple versions of SharePoint Server, allowing unauthenticated remote attackers to conduct spoofing attacks over a network.

The vulnerability requires no privileges or user interaction, with a low attack complexity, making it an accessible entry point for threat actors. Successful exploitation could enable attackers to view sensitive data and tamper with disclosed information, though system availability remains unaffected. Despite a low individual impact on confidentiality and integrity, the confirmed active exploitation and lack of authentication requirements significantly increase real-world risk.

Microsoft’s advisory flags the flaw as "Exploitation Detected", with functional exploit code and confirmed report confidence, indicating it was weaponized as a true zero-day before disclosure. The company released emergency patches for all affected versions:

  • SharePoint Server Subscription Edition (KB5002853, Build 16.0.19725.20210)
  • SharePoint Server 2019 (KB5002854, Build 16.0.10417.20114)
  • SharePoint Enterprise Server 2016 (KB5002861, Build 16.0.5548.1003)
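
To turn the patch list above into a compliance check, the following added example (not part of the original article or of Microsoft's advisory) compares farm build numbers against the fixed builds listed for CVE-2026-32201. The inventory format, host names and product labels are assumptions, and the sample rows are constructed for illustration.

```python
import csv
import io

# Minimum fixed builds for CVE-2026-32201, taken from the patch list above.
PATCHED_BUILDS = {
    "Subscription Edition": ("KB5002853", (16, 0, 19725, 20210)),
    "2019": ("KB5002854", (16, 0, 10417, 20114)),
    "2016": ("KB5002861", (16, 0, 5548, 1003)),
}

# Constructed sample inventory (hypothetical hosts and builds, not from the page).
SAMPLE_INVENTORY = """host,product,build
sp-se-01,Subscription Edition,16.0.19725.20210
sp19-01,2019,16.0.10417.20083
sp16-01,2016,16.0.5548.1003
sp16-02,2016,16.0.5500
sp13-01,2013,15.0.5545.1000
"""


def parse_build(text):
    """Return a 4-part build as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv):
    """Classify each farm as patched, vulnerable, or needing manual review."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        build = parse_build(row["build"])
        fix = PATCHED_BUILDS.get(row["product"].strip())
        if build is None:
            status = "review: malformed build"
        elif fix is None:
            status = "review: product not listed for this fix"
        elif build >= fix[1]:  # numeric tuple compare, not string compare
            status = "patched"
        else:
            status = f"vulnerable: install {fix[0]}"
        results[row["host"]] = status
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Builds are compared as integer tuples because a plain string comparison would misorder values such as 16.0.5548.1003 and 16.0.10417.20114.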

Given SharePoint’s widespread enterprise adoption, the vulnerability presents a high-value target for nation-state actors and financially motivated threat groups. Spoofing flaws in collaboration platforms can facilitate lateral movement, credential harvesting, or business email compromise (BEC) attacks. Organizations with on-premises deployments, particularly those using 2016 or 2019 versions, are advised to prioritize patching due to confirmed in-the-wild exploitation. Microsoft credited coordinated disclosure efforts from the security community in addressing the flaw.

Source: https://cybersecuritynews.com/sharepoint-server-0-day-vulnerability/

Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center

"id": "MIC1776227109",
"linkid": "microsoft-security-response-center",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology/Enterprise Software',
                        'location': 'Global',
                        'name': 'Microsoft SharePoint Server',
                        'type': 'Software'}],
 'attack_vector': 'Network',
 'customer_advisories': 'Organizations advised to apply emergency patches '
                        'immediately.',
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Sensitive data'},
 'date_detected': '2026-04-14',
 'date_publicly_disclosed': '2026-04-14',
 'description': 'Microsoft confirmed active exploitation of a zero-day '
                'spoofing vulnerability (CVE-2026-32201) in Microsoft '
                'SharePoint Server. The flaw, rated 6.5 (Important) on the '
                'CVSS scale, affects multiple versions of SharePoint Server '
                'due to improper input validation (CWE-20), allowing '
                'unauthenticated remote attackers to conduct spoofing attacks. '
                'Successful exploitation could enable attackers to view '
                'sensitive data and tamper with disclosed information.',
 'impact': {'data_compromised': 'Sensitive data',
            'operational_impact': 'Tampering with disclosed information',
            'systems_affected': 'Microsoft SharePoint Server (Subscription '
                                'Edition, 2019, 2016)'},
 'investigation_status': 'Confirmed exploitation detected',
 'motivation': ['Data exfiltration',
                'Credential harvesting',
                'Business Email Compromise (BEC)'],
 'post_incident_analysis': {'corrective_actions': 'Emergency patches released '
                                                  'for affected SharePoint '
                                                  'Server versions.',
                            'root_causes': 'Improper input validation '
                                           '(CWE-20)'},
 'recommendations': 'Organizations with on-premises SharePoint deployments '
                    '(especially 2016 or 2019 versions) should prioritize '
                    'patching due to confirmed in-the-wild exploitation.',
 'references': [{'date_accessed': '2026-04-14',
                 'source': 'Microsoft Security Advisory'}],
 'response': {'communication_strategy': 'Microsoft advisory',
              'containment_measures': 'Emergency patches released',
              'remediation_measures': ['KB5002853 (SharePoint Server '
                                       'Subscription Edition)',
                                       'KB5002854 (SharePoint Server 2019)',
                                       'KB5002861 (SharePoint Enterprise '
                                       'Server 2016)']},
 'stakeholder_advisories': 'Microsoft credited coordinated disclosure efforts '
                           'from the security community.',
 'threat_actor': ['Nation-state actors', 'Financially motivated threat groups'],
 'title': 'Critical Zero-Day in Microsoft SharePoint Server Actively Exploited',
 'type': 'Zero-Day Exploitation',
 'vulnerability_exploited': 'CVE-2026-32201 (Improper Input Validation - '
                            'CWE-20)'}