SharePoint Spoofing Bug CVE-2026-32201 — CISA’s Federal Patch Deadline Is Today
Microsoft disclosed CVE-2026-32201 in its April Patch Tuesday update on 14 April, and the US Cybersecurity and Infrastructure Security Agency (CISA) immediately added it to the Known Exploited Vulnerabilities catalogue with a federal remediation deadline of 28 April 2026 — today. The bug is a pre-authentication spoofing flaw in on-premises SharePoint Server that lets an unauthenticated attacker impersonate legitimate users with a specially crafted network request. Two weeks on, Cyber Security News reports more than 1,370 internet-facing SharePoint instances are still exposed, and exploitation is being seen in the wild.
Why this matters for Australian businesses: any on-prem SharePoint 2016, 2019 or Subscription Edition reachable from the internet is in scope. Once an attacker is treated as a legitimate user, they can read sensitive documents, exfiltrate data and pivot into the rest of your network. Wealth managers, NFPs and councils that use SharePoint for client files or board papers should treat this as a Privacy Act exposure, not just an IT one — sensitive personal information is precisely the data this flaw lets attackers reach.
What to do today: install Microsoft’s April 2026 SharePoint security update on every on-prem server. If you genuinely can’t patch in the next 24 hours, take the SharePoint web front-ends off the public internet until you can. Then check your logs for unusual authentication events from 14 April onwards — if you see signs of compromise, treat it as an incident and trigger your data-breach response plan.
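The three steps above, as an added PowerShell check for the SharePoint Management Shell (not code from the advisory or from Microsoft): it compares the farm build against the fixed build, then pulls authentication-related ULS trace events from 14 April onwards. The fixed build number is a placeholder you must fill from Microsoft's April 2026 update notes, and the category/level filter is an assumption about how the relevant events are tagged.

```powershell
# Added example: run on each on-prem SharePoint server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDER (not given in the advisory): set to the build number Microsoft
# lists for your edition (2016, 2019 or Subscription Edition) in the April 2026 update.
$PatchedBuild = [version]'0.0.0.0'

# Step 1: is the farm at or above the fixed build?
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $PatchedBuild) {
    Write-Warning "Farm build $farmBuild is below the April 2026 fix build $PatchedBuild. Patch now, or take the web front-ends off the public internet until you can."
} else {
    Write-Host "Farm build $farmBuild is at or above the fix build $PatchedBuild."
}

# Step 3: review authentication events since the disclosure date.
# Caveat: ULS trace logs are kept for 14 days by default, so events from
# 14 April may already have rolled off this server. Check your SIEM or archived
# IIS/ULS logs for the earlier window as well.
$since = Get-Date '2026-04-14'
$authEvents = Get-SPLogEvent -StartTime $since |
    Where-Object {
        # Assumption: auth-related entries fall under the "Authentication Authorization"
        # category; only elevated severities are kept to reduce noise.
        $_.Category -like 'Authentication*' -and
        $_.Level -in @('High', 'Unexpected', 'Critical', 'Monitorable')
    }

# Summarise by event ID with one sample message each, so unusual patterns
# (new IDs, spikes after 14 April) stand out for triage. A single hit is a
# prompt to investigate, not proof of compromise.
$authEvents |
    Group-Object -Property EventID |
    Sort-Object -Property Count -Descending |
    Select-Object Count, @{n = 'EventID'; e = { $_.Name } },
                  @{n = 'Sample'; e = { $_.Group[0].Message } } |
    Format-Table -AutoSize -Wrap
```

If the summary shows authentication events you cannot explain, treat it as an incident and trigger the data-breach response plan rather than continuing to triage on the live server.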
If you’re not sure whether your SharePoint estate is patched or exposed, our cybersecurity team can audit it and apply the fix the same day.
