Microsoft SharePoint Server 0-Day Vulnerability Actively Exploited in Attacks - CyberSecurityNews

Source: CyberSecurityNews. Archived Apr 28, 2026.

By Guru Baran, April 15, 2026

A critical zero-day spoofing vulnerability in Microsoft SharePoint Server is being actively exploited in the wild, Microsoft confirmed on April 14, 2026, as part of its monthly security update cycle.

Tracked as CVE-2026-32201, the flaw affects multiple versions of SharePoint Server and has been assigned a CVSS base score of 6.5 (Important), with an adjusted temporal score of 6.0 reflecting the availability of an official fix.

The vulnerability stems from improper input validation (CWE-20) in Microsoft Office SharePoint, allowing an unauthenticated remote attacker to perform spoofing attacks over a network. With an attack vector classified as Network, attack complexity rated Low, and no privileges or user interaction required, the flaw presents a low-barrier entry point for threat actors targeting enterprise SharePoint deployments.

According to Microsoft’s advisory, successful exploitation could allow an attacker to view some sensitive information and tamper with disclosed data, though the availability of the targeted resource remains unaffected. While the individual impact on confidentiality and integrity is rated Low, the combination of no authentication requirements and confirmed active exploitation significantly elevates real-world risk.

0-Day Actively Exploited in the Wild

Microsoft’s advisory confirms the vulnerability carries an “Exploitation Detected” assessment, meaning active attacks have already been observed prior to the patch release. The exploit code maturity is flagged as Functional, and report confidence is Confirmed, a combination that places this vulnerability at the top of enterprise patching priority lists.

The flaw was not publicly disclosed before Microsoft’s patch release, suggesting it may have been weaponized as a true zero-day by threat actors before a coordinated disclosure was possible.
Microsoft has released security updates for all three affected SharePoint Server versions:

- SharePoint Server Subscription Edition — KB5002853, Build 16.0.19725.20210
- SharePoint Server 2019 — KB5002854, Build 16.0.10417.20114
- SharePoint Enterprise Server 2016 — KB5002861, Build 16.0.5548.1003

All three updates were released on April 14, 2026, and Microsoft has marked customer action as required for each affected product. Organizations should treat these patches as emergency updates, given the confirmed exploitation status.

- Apply the respective security updates immediately for all affected SharePoint Server versions
- Audit SharePoint Server access logs for unusual network-based spoofing activity or anomalous authentication patterns
- Restrict external-facing SharePoint instances where possible until patches are applied
- Monitor threat intelligence feeds for indicators of compromise (IOCs) associated with active exploitation campaigns
- Ensure SharePoint Server instances are not exposed directly to the internet without additional layered defenses such as WAF rules or network segmentation

SharePoint Server remains one of the most widely deployed enterprise collaboration platforms globally, making it a high-value target for both nation-state actors and financially motivated threat groups. Spoofing vulnerabilities in collaboration tools can be leveraged as initial footholds for lateral movement, credential harvesting, or business email compromise-style attacks.

Organizations running on-premises SharePoint deployments, particularly those still on the 2016 or 2019 versions, are urged to prioritize this patch given the confirmed in-the-wild exploitation. Microsoft has acknowledged the security community’s coordinated disclosure efforts in connection with this vulnerability.
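To act on the patch list above, the following added example (not part of the original article or any Microsoft tooling) compares inventoried SharePoint builds against the fixed builds the article lists. The hostnames and installed builds are constructed sample data, and how the inventory is collected is left as an assumption.

```python
# Added example: flag SharePoint hosts whose build is below the fixed build
# listed in the article. Builds are compared numerically, field by field,
# because string comparison ranks "9999" above "20114".

# Fixed builds per product, taken from the article: (KB number, build).
FIXED_BUILDS = {
    "SharePoint Server Subscription Edition": ("KB5002853", "16.0.19725.20210"),
    "SharePoint Server 2019": ("KB5002854", "16.0.10417.20114"),
    "SharePoint Enterprise Server 2016": ("KB5002861", "16.0.5548.1003"),
}

def parse_build(build):
    """Turn '16.0.10417.20114' into (16, 0, 10417, 20114); raise on bad input."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part build number: {build!r}")
    return tuple(int(p) for p in parts)

def check_host(host, product, build):
    """Return (host, status, detail); status is PATCHED, VULNERABLE or REVIEW."""
    if product not in FIXED_BUILDS:
        return host, "REVIEW", f"product {product!r} is not in the article's list"
    kb, fixed = FIXED_BUILDS[product]
    try:
        installed = parse_build(build)
    except ValueError as exc:
        # Unreadable inventory data needs a manual check, not a silent pass.
        return host, "REVIEW", str(exc)
    if installed >= parse_build(fixed):
        return host, "PATCHED", f"{build} >= {fixed}"
    return host, "VULNERABLE", f"{build} < {fixed}, apply {kb}"

# Constructed inventory: hypothetical hostnames and installed builds.
SAMPLE_INVENTORY = [
    ("sp-se-01", "SharePoint Server Subscription Edition", "16.0.19725.20210"),
    ("sp19-01", "SharePoint Server 2019", "16.0.10417.20100"),
    ("sp16-01", "SharePoint Enterprise Server 2016", "16.0.5548.1003"),
    ("sp19-02", "SharePoint Server 2019", "unknown"),
    ("sp13-01", "SharePoint Server 2013", "15.0.5603.1000"),
]

def audit(inventory):
    """Check every (host, product, build) row and return the findings."""
    return [check_host(*row) for row in inventory]

if __name__ == "__main__":
    for host, status, detail in audit(SAMPLE_INVENTORY):
        print(f"{host:10} {status:10} {detail}")
```

Hosts reported as REVIEW are outside the article's product list or have an unreadable build and need a manual check.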