
SharePoint Zero-Day Added to CISA KEV Before Patch Exists — Action Required Today

CISA has added an actively exploited SharePoint Server vulnerability (CVE-2026-32201) to its Known Exploited Vulnerabilities catalogue while no vendor patch exists. Microsoft's fix arrives in tomorrow's Patch Tuesday. Boards and security leaders face a rare decision: implement compensating controls now, or accept a confirmed zero-day exposure overnight.


What Happened

CISA has added CVE-2026-32201, an actively exploited Microsoft SharePoint Server vulnerability, to its Known Exploited Vulnerabilities catalogue — and no patch currently exists. Microsoft is expected to release the fix in tomorrow’s Patch Tuesday (15 April 2026). CISA’s 28 April remediation deadline applies, but the more pressing issue is the roughly 18-hour window between this alert and the patch becoming available.

The vulnerability allows an authenticated attacker to view sensitive information they should not have access to and to modify document content in SharePoint. “Authenticated” means any valid account — a phished employee, a compromised service account, or an insider — could leverage this flaw to bypass SharePoint’s information barrier controls.

Business Impact

SharePoint is widely used to store sensitive business content: contracts, financial models, HR records, legal documents, board materials, merger and acquisition documentation, and intellectual property. The flaw does not require the attacker to first obtain administrative access — any authenticated user can potentially access content they should be restricted from viewing.

The organisations at highest risk are those with:

  • Internet-accessible SharePoint deployments (SharePoint Online customers should verify whether on-premises deployments are also in scope — Microsoft has not yet specified)
  • Sensitive document libraries with information barriers protecting financial, legal, or confidential content
  • Shared SharePoint environments where contractors, partners, or broad internal audiences have authenticated access

Regulatory Implications

For organisations subject to DORA (financial sector), NIS2 (critical infrastructure and digital services), or GDPR, an actively exploited vulnerability in a document management platform that holds regulated data requires immediate risk assessment. DORA Article 17 requires financial entities to implement risk mitigation measures that ensure “continuity and availability” — which includes protecting data integrity against known active exploits.

Board-Ready Summary

  • A known attack is underway targeting the document management system widely used to store sensitive business content
  • The vendor patch arrives tomorrow — the next 18 hours represent the highest-risk window
  • Organisations with internet-exposed SharePoint and sensitive document libraries should take protective action tonight
  • The patch must be applied as a priority deployment tomorrow, not queued behind routine update cycles

  1. Tonight: Review whether your SharePoint Server deployments are internet-accessible. If yes, consider temporarily restricting external access or enabling enhanced access logging until the patch is available.
  2. Tomorrow morning: Apply the Patch Tuesday update for SharePoint immediately upon availability — do not queue this behind standard patch testing cycles given confirmed active exploitation.
  3. Audit SharePoint permissions: Use this as an opportunity to confirm that sensitive document libraries have tightly scoped permissions — reduce access to minimum necessary before the patch is deployed.
  4. Enable SharePoint audit logging if not already active — document access and modification logs will be essential for determining whether any exploitation occurred during this window.
  5. Notify information security leadership and legal counsel of the unpatched window — formal risk acceptance documentation should be in place for the overnight exposure period.
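The following PowerShell is an added illustration of steps 1, 3 and 4 above for on-premises SharePoint Server; it is not part of the briefing and not Microsoft guidance. It assumes the SharePoint Management Shell on a farm server, and the function names and the 90-day audit retention are the editor's own choices.

```powershell
# Editor's added example (not from the briefing or Microsoft). Run in the SharePoint
# Management Shell as a farm admin; function names and the 90-day retention are assumed.

# Step 1: web applications with an Internet/Extranet zone in Alternate Access Mappings,
# i.e. the deployments most likely reachable from outside the network.
function Get-ExternallyMappedWebApps {
    foreach ($wa in Get-SPWebApplication) {
        Get-SPAlternateURL -WebApplication $wa |
            Where-Object { $_.Zone.ToString() -in @('Internet', 'Extranet') } |
            ForEach-Object { [pscustomobject]@{ WebApp = $wa.DisplayName; Zone = $_.Zone; PublicUrl = $_.PublicUrl } }
    }
}

# Step 4: enable view/update/delete/security-change auditing on every site collection so
# document access during the unpatched window can be reconstructed from the audit log.
function Enable-SiteCollectionAuditing {
    param([int]$RetentionDays = 90)
    $flags = [Microsoft.SharePoint.SPAuditMaskType]::View -bor
             [Microsoft.SharePoint.SPAuditMaskType]::Update -bor
             [Microsoft.SharePoint.SPAuditMaskType]::Delete -bor
             [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
    foreach ($site in Get-SPSite -Limit All) {
        $site.Audit.AuditFlags = $flags
        $site.Audit.Update()
        $site.TrimAuditLog = $true                       # keep the log bounded ...
        $site.AuditLogTrimmingRetention = $RetentionDays # ... but retained long enough for IR
        $site.Dispose()
    }
}

# Step 3: document libraries that break permission inheritance, with each principal and
# its role, so over-broad grants (e.g. "Everyone" as Contributor) can be tightened first.
function Get-LibrariesWithUniquePermissions {
    foreach ($site in Get-SPSite -Limit All) {
        foreach ($web in $site.AllWebs) {
            $libs = $web.Lists | Where-Object { $_.BaseType -eq 'DocumentLibrary' -and $_.HasUniqueRoleAssignments }
            foreach ($list in $libs) {
                foreach ($ra in $list.RoleAssignments) {
                    [pscustomobject]@{
                        Library   = "$($web.Url)/$($list.RootFolder.Url)"
                        Principal = $ra.Member.LoginName
                        Roles     = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
                    }
                }
            }
            $web.Dispose()
        }
        $site.Dispose()
    }
}
```

Pipe the two Get- functions to Export-Csv to attach the results to the risk-acceptance record in step 5; the audit change in step 4 takes effect immediately and needs no service restart.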