MICROSOFT released its April 2026 Patch Tuesday updates fixing 165 non‑Edge vulnerabilities, including a SharePoint zero‑day that had already been exploited in the wild according to SecurityWeek.
The actively exploited flaw is tracked as CVE-2026-32201, a spoofing issue with a CVSS score of 6.5 caused by improper input validation in Microsoft Office SharePoint that lets a remote attacker impersonate a user and read or modify sensitive data as noted in the NVD entry.
Other notable flaws patched in the same update include CVE-2026-33825 (a Defender privilege‑escalation vulnerability, CVSS 7.8), CVE-2026-33826 (an Active Directory remote code execution flaw, CVSS 8.0) and CVE-2026-33827 (a Windows TCP/IP race condition leading to remote code execution, CVSS 8.1), plus CVE-2026-32190, an Office remote code execution bug rated CVSS 8.4 as highlighted by ISC Sans.
Microsoft said the SharePoint zero‑day had been seen in the wild before the patch, though no threat actor has been linked to the activity; the exploit was observed alongside several of the other weaknesses addressed in the update per an early warning from INCIBE.
The Patch Tuesday release also fixed seven additional critical bugs and 154 important ones, showing that attackers continue to target on‑premises collaboration products as a gateway to broader network access.
Defenders should apply the April 2026 updates to all SharePoint servers without delay, prioritize systems that expose the service to the internet, and then run a full scan of logs for unusual authentication requests or unexpected changes to site permissions.
Additionally, administrators are encouraged to restrict SharePoint traffic to trusted network zones, enforce multi‑factor authentication for admin accounts, and enable intrusion‑detection signatures that flag the specific CVE identifiers to catch any post‑exploitation attempts.