SharePoint zero-day CVE-2026-32201 actively exploited: CISA sets 28 April deadline

By Zarioh Digital Solutions · 5 April 2026

A new SharePoint vulnerability has been added to the Known Exploited Vulnerabilities list by CISA in April 2026. Federal agencies must patch by 28 April, but the advice applies more broadly. What is the vulnerability, who is at risk, and what should you do?

In April 2026, a SharePoint vulnerability identified as CVE-2026-32201 was added to the Known Exploited Vulnerabilities catalogue by CISA, the US cybersecurity agency. Inclusion on this list means the vulnerability is no longer a theoretical risk: attackers are already using it in real attacks against organisations.

US federal agencies have until 28 April 2026 to patch their SharePoint environments. There is no legal deadline for Dutch organisations, but the implication is clear: this vulnerability is serious enough to act quickly.

What is CVE-2026-32201?

CVE-2026-32201 is a vulnerability in Microsoft SharePoint that allows attackers to remotely execute malicious code on the SharePoint server. The flaw requires no authentication, meaning an attacker with access to the SharePoint instance can exploit it without valid credentials.

For SharePoint Online environments hosted by Microsoft itself, the patch is applied automatically. For on-premises SharePoint installations, still running at many organisations for compliance or historical reasons, the patching responsibility lies entirely with the organisation.

Who is at risk?

Three groups of organisations need to act immediately. First, organisations with SharePoint Server on-premises, regardless of whether it is internally accessible or exposed to the internet. Second, organisations with a hybrid SharePoint setup where some content still runs on a local server. Third, organisations that have SharePoint managed by an external provider where the patching cadence is unclear.

What should you do?

The first step is an inventory. Does your organisation still use SharePoint Server on-premises? If so, what version is it running and when was it last patched? Microsoft has released security updates for SharePoint Server 2016, 2019 and the Subscription Edition. These updates must be installed with the highest priority.

The second step is monitoring. In recent weeks, Microsoft Defender for Endpoint and Microsoft Sentinel have added new detection rules for the specific attack patterns underlying CVE-2026-32201. If you use Defender or Sentinel, check that these rules are active and that there are no recent alerts about SharePoint activity.

What if you suspect compromise?

If you suspect your SharePoint server has already been compromised, contact a security specialist immediately. Symptoms can include unusual outbound connections from the SharePoint server, new accounts you did not create, modified file permissions or unexplained changes in SharePoint content.
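A first-pass triage of three of those symptoms (new accounts, changed permissions, outbound connections) with built-in Windows cmdlets; this is an added example, not code from Microsoft or CISA. The 14-day window and the helper name Get-AuditEvent are assumptions, and the event queries only return results if the matching audit policies were already enabled.

```powershell
# Added triage example: run in an elevated PowerShell session on the SharePoint server.
# $LookbackDays is an assumed review window; widen it to match your own timeline.
$LookbackDays = 14
$since = (Get-Date).AddDays(-$LookbackDays)

# Hypothetical helper: read Security log events by ID and flatten EventData into properties.
function Get-AuditEvent {
    param([int]$Id, [datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fields = @{ Time = $_.TimeCreated }
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]$fields
        }
}

# 1. New accounts: event 4720 = "A user account was created".
#    For domain accounts, run the same query on a domain controller.
'--- Accounts created since {0:u} ---' -f $since
Get-AuditEvent -Id 4720 -Since $since |
    Select-Object Time, TargetUserName, SubjectUserName | Format-Table -AutoSize

# 2. Modified permissions: event 4670 = "Permissions on an object were changed".
#    Only logged where object-access auditing and a SACL are configured.
'--- Permission changes since {0:u} ---' -f $since
Get-AuditEvent -Id 4670 -Since $since |
    Select-Object Time, ObjectName, SubjectUserName, ProcessName | Format-Table -AutoSize

# 3. Outbound connections: sockets owned by IIS worker processes (w3wp.exe).
#    Inbound HTTP is owned by HTTP.sys (System), so these are connections the worker opened.
#    Expected peers are the farm's SQL Server, domain controllers and other farm servers.
$workerIds = @(Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object Id)
'--- Remote endpoints of w3wp.exe ---'
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $workerIds -contains $_.OwningProcess -and $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    Sort-Object RemoteAddress, RemotePort -Unique |
    Select-Object RemoteAddress, RemotePort, OwningProcess | Format-Table -AutoSize
```

An empty result does not rule out compromise: the connection list is a point-in-time snapshot, and the event logs may have rolled over or never had auditing switched on.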

Want certainty about the SharePoint status of your environment and the next steps you need to take? Contact Zarioh for a security scan.