Breachroad
Vulnerabilities

CVE-2026-32201: an exploited SharePoint zero-day

SharePoint is targeted again: CVE-2026-32201 scores 'only' 6.5 in CVSS but is actively exploited and in the KEV — proof the score isn't everything.

Karol Rapacz
15 April 2026 · 5 min read

As part of April 2026’s Patch Tuesday, Microsoft fixed a record number of vulnerabilities — and among them an actively exploited zero-day in SharePoint Server: CVE-2026-32201. A curious detail that carries an important lesson: this flaw scores just 6.5 in CVSS. And yet it should be treated as urgent.

Why a low score doesn’t mean low risk

CVE-2026-32201 is a spoofing vulnerability in on-prem SharePoint. A score of 6.5 suggests “medium” severity — yet CISA added it to the KEV catalog and set federal agencies a hard remediation deadline. Why? Because what matters isn’t the theoretical rating, but the fact of active exploitation in attacks.

This is exactly the situation we describe in our piece on vulnerability prioritisation: a CVSS score alone can mislead. A 9.8 in a component you don’t use is less urgent than a “medium” 6.5 someone is exploiting right now on your internet-facing server.

Why SharePoint is an attractive target

  • On-prem instances are often exposed to the internet to enable remote work.
  • It stores data — documents, permissions, integrations with the rest of the environment.
  • A history of vulnerabilities means attackers know this target well and quickly weaponise exploits.

What to do

  1. Apply the April Patch Tuesday updates for SharePoint Server — prioritise internet-reachable instances.
  2. Check your exposure — does SharePoint need to be publicly accessible? If not, restrict access.
  3. Review logs for exploitation attempts and unusual activity.
  4. Wire the KEV into your process — a daily comparison of your components against the catalog of actively exploited flaws is one of the cheapest security investments there is.
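Step 4 in working form, as an added example that is not part of the post or Breachroad's own tooling: a small Python script that parses the KEV feed in the shape CISA publishes it and ranks a component inventory by KEV membership first, internet exposure second and CVSS only last, so the 6.5 from this post outranks an unexploited 9.8. The KEV excerpt and the inventory are constructed; only CVE-2026-32201 and its 6.5 score come from the post, the dates and the other CVE id are placeholders.

```python
import json

# Constructed excerpt in the shape of CISA's published feed
# (known_exploited_vulnerabilities.json). Dates are placeholders,
# not CISA's real entry; only the CVE id is from the post.
KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft",
     "product": "SharePoint Server", "dateAdded": "2026-04-14",
     "dueDate": "2026-05-05"}
  ]
}
"""

# Constructed inventory: host, CVE affecting it, CVSS score, exposure.
# CVE-0000-0001 is a placeholder id standing in for an unexploited 9.8.
INVENTORY = [
    {"host": "sp-01",  "cve": "CVE-2026-32201", "cvss": 6.5, "internet_facing": True},
    {"host": "lib-02", "cve": "CVE-0000-0001",  "cvss": 9.8, "internet_facing": False},
    {"host": "sp-02",  "cve": "CVE-2026-32201", "cvss": 6.5, "internet_facing": False},
]


def load_kev(raw: str) -> dict:
    """Index the KEV feed by cveID so lookups are O(1) during the daily run."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def prioritise(findings: list, kev: dict) -> list:
    """Rank findings: KEV listing beats exposure, exposure beats raw CVSS.

    Each returned finding is annotated with in_kev and the KEV due date
    (None when the CVE is not in the catalog).
    """
    annotated = []
    for f in findings:
        entry = kev.get(f["cve"])
        annotated.append({**f, "in_kev": entry is not None,
                          "due": entry["dueDate"] if entry else None})
    # Tuple key: False sorts before True, so KEV hits and exposed hosts
    # come first; the negated CVSS breaks remaining ties high-to-low.
    annotated.sort(key=lambda f: (not f["in_kev"], not f["internet_facing"], -f["cvss"]))
    return annotated


if __name__ == "__main__":
    for f in prioritise(INVENTORY, load_kev(KEV_JSON)):
        print(f["host"], f["cve"], f["cvss"], "KEV" if f["in_kev"] else "-", f["due"])
```

In a real daily job the raw JSON comes from the CISA feed and the inventory from your asset or vulnerability scanner export; the ranking logic stays the same.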

The key takeaway: don’t prioritise by CVSS alone. Active exploitation beats any numeric score. If you’d like to set up a patching process based on real risk, get in touch.


Sources and further reading: CISA KEV, MSRC, The Hacker News.
