Researchers warn that hackers are exploiting a medium-grade flaw in Microsoft SharePoint.
The vulnerability, tracked as CVE-2026-32201, stems from improper input validation in SharePoint, which allows an unauthorized attacker to conduct spoofing activity over a network. The vulnerability has a severity score of 6.5.
A successful attack can allow a hacker to view and make changes to confidential information, according to a security update from Microsoft.
Researchers from threat intelligence firm Defused posted to X saying they are tracking a coordinated reconnaissance campaign targeting SharePoint across four IPs.
The activity involves four hosting providers sequenced from April 1 to April 11.
The Cybersecurity and Infrastructure Security Agency on Wednesday added the vulnerability to the Known Exploited Vulnerabilities catalog.
Microsoft initially offered limited details about the spoofing vulnerability, confirming that it was “mitigated,” according to a spokesperson.
The company later shared some additional guidance, which included mitigation steps. The guidance also referenced a separate cross-site scripting vulnerability in SharePoint, tracked as CVE-2026-20945, which involves the improper neutralization of input during web page generation. The cross-site scripting vulnerability has not been exploited, according to Microsoft.
The disclosure comes about a month after a prior SharePoint vulnerability, tracked as CVE-2026-20963, was added to the KEV catalog by CISA. That vulnerability is due to deserialization of untrusted data and has a severity score of 9.8.
Hundreds of SharePoint customers were targeted in a massive exploitation campaign in 2025, dubbed ToolShell. The 2025 campaign targeted a remote code injection flaw, tracked as CVE-2025-49704, and a network spoofing vulnerability, tracked as CVE-2025-49706.
Editor’s note: Updates with additional information from Microsoft.