On the eve of Microsoft’s April 2026 Patch Tuesday, CISA has added CVE-2026-32201 — a SharePoint Server spoofing vulnerability — to its Known Exploited Vulnerabilities catalogue. The timing creates a narrow but meaningful decision window for security teams: Microsoft has confirmed that active exploitation is occurring, CISA has demanded federal agency remediation by 28 April, yet the patch will only be available from tomorrow’s Patch Tuesday release.
The Vulnerability
CVE-2026-32201 is a spoofing vulnerability in Microsoft SharePoint Server with a CVSS score of 6.5. Exploitation allows an attacker who has obtained authenticated access to a SharePoint installation to view sensitive information that should be inaccessible to them and to make modifications to disclosed content — effectively bypassing information barrier controls and read/write access restrictions within SharePoint.
The relatively modest CVSS score understates the operational risk in environments where SharePoint is used to store sensitive documents, finance data, HR records, legal materials, or intellectual property. An attacker already present in the environment — via phishing, credential theft, or any other initial access vector — can leverage this flaw to escalate their information access and modify documents without leaving obvious evidence of direct file manipulation.
The No-Patch Window
CISA’s addition of an unpatched vulnerability to the KEV catalogue is uncommon but not unprecedented. It signals that exploitation is sufficiently active that agencies cannot be left waiting for a patch announcement. Microsoft’s acknowledgement of in-the-wild exploitation in its own pre-release communications sets the expectation that tomorrow’s Patch Tuesday will include the fix.
The practical question for security operations teams is how to handle the next 12–18 hours:
Option 1 — Accept the risk and patch tomorrow: Reasonable if your SharePoint deployment is not internet-facing, your access controls are tightly managed, and you have confidence that your current monitoring would detect anomalous SharePoint access patterns.
Option 2 — Implement immediate mitigations: For internet-accessible SharePoint deployments, consider temporarily restricting external access or enabling additional logging and alerting on document access and modification activity until the patch is available and tested.
CISA’s Second KEV Addition on April 14
Alongside CVE-2026-32201, CISA also added CVE-2009-0238 — a 17-year-old Microsoft Office remote code execution vulnerability — to the KEV catalogue. The 2009 flaw affects Excel and is triggered by a malformed XLS file, achieving RCE in the context of the Office process. The addition of a 2009 CVE to the active exploitation list in 2026 is a stark reminder that vulnerability age is not a reliable proxy for reduced exploitation risk, particularly in environments running legacy Office versions.
Risk Management Implications
This incident illustrates a structural challenge in vulnerability risk management: CISA’s KEV catalogue moves at the pace of attacker activity, while vendor patch cycles move at the pace of quality assurance and release management. The gap between exploitation confirmation and patch availability — even when it is measured in hours, as here — forces organisations to make explicit risk acceptance decisions rather than defaulting to “patch when available.”
Organisations should review whether their vulnerability management policy:
- Has a defined posture for CISA KEV additions where no vendor patch exists yet
- Requires compensating controls to be documented and approved when patching cannot be completed within the KEV remediation window
- Has an escalation path to risk owners when a zero-day affects critical systems
Recommended Actions
- Apply the SharePoint patch from tomorrow’s Patch Tuesday immediately. Do not wait for your standard weekly or monthly patch cycle — Microsoft confirms active exploitation.
- For internet-exposed SharePoint deployments, consider temporarily restricting unauthenticated access or enabling enhanced audit logging on document access and modification events until the patch is deployed.
- Review SharePoint access controls today: ensure that sensitive document libraries have appropriate permissions and that access is scoped to the minimum necessary — this limits the blast radius of any exploitation attempt.
- Monitor SharePoint ULS logs for unexpected document access patterns, cross-site browsing, or bulk enumeration activity — indicators that the vulnerability is being used for information gathering.
- Apply CVE-2009-0238 patches — verify that Office installations across your fleet have the patch applied and that legacy Excel versions are not in use on any managed endpoints.
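The monitoring recommendation above (bulk enumeration and cross-site browsing by a single authenticated account) can be turned into a simple sliding-window check. The following is an added example, not code from the original article: it runs over a constructed, simplified audit export (timestamp, user, site collection, item path, event), and the thresholds and field layout are assumptions, not vendor guidance or the real ULS/audit log format.

```python
"""Flag SharePoint audit events suggesting bulk enumeration or cross-site browsing.

Added example. The input is a constructed, tab-separated export with the columns
timestamp, user, site collection, item path, event. Real SharePoint audit or ULS
exports have a different layout and need their own parser. Thresholds are
illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice reads three files in one site (normal);
# bob sweeps 25 distinct documents across four site collections in 25 seconds.
SITES = ["finance", "hr", "legal", "exec"]
SAMPLE_EVENTS = [
    f"2026-04-14T09:00:{s:02d}Z\talice\thttps://sp/sites/finance"
    f"\t/Shared Documents/q1-{s}.xlsx\tView"
    for s in range(3)
] + [
    f"2026-04-14T09:05:{i:02d}Z\tbob\thttps://sp/sites/{SITES[i % 4]}"
    f"\t/Shared Documents/doc-{i}.docx\tView"
    for i in range(25)
]


def parse(line):
    """Split one constructed export line into typed fields."""
    ts, user, site, path, event = line.rstrip("\n").split("\t")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, site, path, event


def detect(lines, window=timedelta(minutes=5), bulk_threshold=20, site_threshold=3):
    """Return {user: set(findings)} from a per-user sliding window over View events."""
    recent = defaultdict(deque)   # user -> (ts, site, path) events still inside the window
    findings = defaultdict(set)
    for ts, user, site, path, event in sorted(map(parse, lines)):
        if event != "View":       # only document reads feed the enumeration heuristics
            continue
        q = recent[user]
        q.append((ts, site, path))
        while q and ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        if len({p for _, _, p in q}) >= bulk_threshold:
            findings[user].add("bulk_enumeration")
        if len({s for _, s, _ in q}) >= site_threshold:
            findings[user].add("cross_site_browsing")
    return dict(findings)


if __name__ == "__main__":
    for user, hits in detect(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(sorted(hits))}")
```

Tune the window and thresholds to a baseline of normal activity for each site collection before alerting on the result.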