Microsoft SharePoint — CVE-2026-32201 Active Exploitation
Microsoft SharePoint Zero-Day Under Active Exploitation
Confidence: High
Microsoft SharePoint is affected by CVE-2026-32201, a spoofing vulnerability that has entered active exploitation before patches were fully deployed. CISA added this flaw to the Known Exploited Vulnerabilities catalogue on 14 April 2026, confirming in-the-wild abuse. Microsoft released a patch in the April 2026 Patch Tuesday cycle, but the gap between exploitation confirmation and patch availability creates immediate exposure for unpatched estates.
The CVSS 6.5 score understates operational risk. SharePoint is common across UK and EU enterprise environments — government, financial services, and healthcare included — making this a high-impact surface. Attackers exploiting spoofing flaws in collaboration platforms typically target credentials, documents, and lateral movement paths into connected identity systems.
Treat this as a patch-now priority regardless of the CVSS rating. SharePoint servers with external exposure or hybrid Azure AD connectivity face the greatest risk. Organisations with deferred patching cycles for Microsoft products should accelerate validation and deployment for this specific flaw.
Basic-Fit — 1 Million Member Data Breach
Confidence: High
Basic-Fit disclosed a data breach affecting approximately 1 million members across its EU fitness club network. Exposed data includes names, dates of birth, and bank details — sufficient for identity fraud, phishing, and credential-reuse attacks. The breach creates downstream consumer risk extending well beyond the fitness sector into broader payment and identity ecosystems.
This is a significant EU retail sector incident with immediate implications for consumer protection teams. Phishing campaigns using fitness-club member data are likely within days. UK and EU consumers should watch for suspicious communications claiming to come from fitness, payment, or health services that reference recent memberships.
The breach reinforces that point-of-sale and membership systems remain attractive targets for bulk data theft. Consumer-facing businesses with large member databases should review their breach-response procedures against this incident.
Hallmark — Salesforce-Linked Breach After Extortion Failure
Confidence: High
Hallmark disclosed a customer data breach after extortion attempts failed, with reporting suggesting exposure of between 1.7 million and 8 million records. The incident originated through a Salesforce-linked configuration, reinforcing risks around SaaS admin credentials, token governance, and CRM platform security.
This breach illustrates cascading risk when customer-data platforms are compromised. The variance in record-count estimates reflects forensic uncertainty, but the lesson is clear: SaaS and CRM platforms holding large consumer datasets are high-value targets. When extortion fails, attackers often pivot to public disclosure or secondary monetisation through fraud networks.
Security teams should audit Salesforce and comparable CRM platform configurations for admin-path exposure, weak token lifecycles, and insufficient MFA coverage on management interfaces. This incident is also a useful reference for supplier-security conversations with marketing and customer-experience teams who may control these platforms without direct security oversight.
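As an added illustration of the audit described above (not code from the brief or from Salesforce), the script below walks a constructed user/token export and flags the three conditions named: admin profiles without MFA, long-lived API tokens, and tokens that have gone unused. The column names, the profile names treated as admin paths, and the 90-day and 60-day thresholds are all assumptions for the example; a real export would come from the platform's own reporting.

```python
"""Flag admin-path exposure in a constructed CRM user/token export."""
from dataclasses import dataclass
from datetime import date
import csv
import io

# Constructed sample export, one row per user. Not real Salesforce data.
SAMPLE_EXPORT = """\
username,profile,mfa_enabled,last_login,api_token_created,api_token_last_used
alice@example.test,System Administrator,true,2026-04-14,2026-03-01,2026-04-14
bob@example.test,System Administrator,false,2026-04-13,2025-09-10,2026-04-10
carol@example.test,Marketing User,false,2026-04-01,,
dave@example.test,Integration User,true,2025-11-02,2025-01-15,2025-12-01
"""

# Assumption: these profiles are treated as management/admin paths.
ADMIN_PROFILES = {"System Administrator", "Integration User"}
TOKEN_MAX_AGE_DAYS = 90   # assumed rotation policy
STALE_TOKEN_DAYS = 60     # assumed "unused token" threshold


@dataclass
class Finding:
    username: str
    issue: str


def parse_date(value):
    """Empty cells mean 'no token'; otherwise ISO dates."""
    return date.fromisoformat(value) if value else None


def audit_export(csv_text, today):
    """Return one Finding per policy violation found in the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"]
        is_admin = row["profile"] in ADMIN_PROFILES
        mfa = row["mfa_enabled"].strip().lower() == "true"
        created = parse_date(row["api_token_created"])
        last_used = parse_date(row["api_token_last_used"])

        # Management interfaces without MFA are the headline risk.
        if is_admin and not mfa:
            findings.append(Finding(user, "admin profile without MFA"))
        # Tokens past the rotation window keep working long after the need has gone.
        if created and (today - created).days > TOKEN_MAX_AGE_DAYS:
            findings.append(Finding(user, f"API token older than {TOKEN_MAX_AGE_DAYS} days"))
        # A token nobody uses is a credential nobody is watching.
        if last_used and (today - last_used).days > STALE_TOKEN_DAYS:
            findings.append(Finding(user, f"API token unused for more than {STALE_TOKEN_DAYS} days"))
    return findings


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT, date(2026, 4, 15)):
        print(f"{f.username}: {f.issue}")
```

Run against the embedded sample with 15 April 2026 as the reference date, the script reports the admin without MFA and the two stale or over-age tokens; the non-admin marketing user without MFA is deliberately not flagged by this rule set, which is the kind of scoping decision the audit conversation with platform owners should settle explicitly.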
Zephyr Energy — £700,000 Payment Redirection Fraud
Confidence: High
Zephyr Energy, a UK-listed oil and gas company, disclosed a £700,000 loss after a contractor payment was redirected to an attacker-controlled bank account. This is a clean business email compromise (BEC) case study showing how payment-process controls fail in real UK environments. The company disclosed the incident via both regulatory market channels and trade-press reporting.
The attack succeeded despite standard payment workflows. The redirection suggests compromised supplier communications, fraudulent bank-detail change requests, or insider-path social engineering. Energy and infrastructure-adjacent organisations should review their payment-verification controls against this pattern.
Out-of-band payment verification — telephone confirmation of bank detail changes with known supplier contacts — remains the most effective control against this vector. The financial impact makes this a useful reference for security teams seeking to justify stronger supplier-onboarding and payment-change controls to procurement stakeholders.
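The out-of-band control above can be expressed as a workflow gate. The following is an added example, not code from the brief or from Zephyr Energy, using a constructed supplier record and change request: a bank-detail change is only applied once a callback has been confirmed on the telephone number already on file, never on a number supplied with the request itself (the standard pitfall in these cases). Supplier ids, IBAN strings and phone numbers are constructed placeholders.

```python
"""Gate supplier bank-detail changes behind out-of-band (callback) verification."""
from dataclasses import dataclass


def fresh_suppliers():
    """Constructed supplier master data; the phone number was captured at onboarding."""
    return {
        "SUP-001": {
            "name": "Example Contractor Ltd",
            "iban": "GB00EXAM00000000000001",
            "phone_on_file": "+44 20 0000 0001",
        },
    }


@dataclass
class ChangeRequest:
    supplier_id: str
    new_iban: str
    channel: str          # e.g. "email" or "portal"; recorded for audit, not trusted
    callback_number: str  # number the request asks to be called on (attacker-controllable)


def requires_out_of_band(req, suppliers):
    """Any change to the bank details on record needs callback verification."""
    return req.new_iban != suppliers[req.supplier_id]["iban"]


def attempt_change(req, suppliers, callback_confirmed_on):
    """Apply the change only if a callback was confirmed on the number on file.

    Returns "unchanged", "pending", "rejected" or "applied" so the caller can
    route the request to the right queue.
    """
    supplier = suppliers[req.supplier_id]
    if not requires_out_of_band(req, suppliers):
        return "unchanged"
    if callback_confirmed_on is None:
        # No verification yet: hold the request, do not update master data.
        return "pending"
    if callback_confirmed_on != supplier["phone_on_file"]:
        # Confirmation obtained on a number not on file (for instance the one in the
        # request itself) does not count; keep the old details.
        return "rejected"
    supplier["iban"] = req.new_iban
    return "applied"


if __name__ == "__main__":
    suppliers = fresh_suppliers()
    req = ChangeRequest("SUP-001", "GB00EXAM00000000000099", "email", "+44 20 9999 9999")
    print(attempt_change(req, suppliers, None))                   # pending
    print(attempt_change(req, suppliers, req.callback_number))    # rejected
    print(attempt_change(req, suppliers, "+44 20 0000 0001"))     # applied
    print(suppliers["SUP-001"]["iban"])
```

The point of the design is that the decision depends only on data the organisation already held before the request arrived; nothing in the inbound message, including any "new contact number", can satisfy the check.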
NCSC Issues Secure RF Guidance for OT Environments
Confidence: High
The UK's National Cyber Security Centre published guidance on secure RF communications for operational technology. This advisory addresses visibility and control of industrial wireless environments — a gap that has persisted in many manufacturing, utilities, and transport estates. The guidance provides principles rather than prescriptive controls, allowing organisations to assess their current RF postures against documented risks.
Industrial wireless and RF protocols have historically received less security attention than wired OT networks. This guidance signals growing recognition that RF visibility is essential for industrial security programmes. Organisations with OT and wireless blind spots should use this advisory to open discovery conversations about their current radio-frequency exposure.
This is primarily a commercial and advisory signal rather than an incident-driven alert. Security providers with industrial clients should position RF/OT visibility assessments alongside existing network-segmentation and asset-discovery offerings.
Update: Anthropic Mythos and Project Glasswing
Confidence: High
UK financial regulators are actively assessing offensive cyber risks tied to Anthropic's Mythos model capabilities, whilst Anthropic's Project Glasswing adds a formal disclosure programme for AI safety research. What was a low-confidence regulatory watch item yesterday now has stronger vendor and policy context. This shift matters for AI assurance and red-teaming service positioning.
Update: The Gentlemen Ransomware
Confidence: High
The Gentlemen ransomware actor has added confirmed victims including UK Electronics and Italian firm Intra Holding, moving from generic watch status to demonstrated UK/EU manufacturing relevance. Security teams supporting manufacturing and industrial accounts should incorporate this actor into their threat-model briefings.
Why This Matters
Today's findings cluster around control-plane and trust-plane failures rather than traditional endpoint malware. SharePoint, SaaS/CRM platforms, payment workflows, and industrial RF visibility all represent governance and configuration risks that technical controls alone do not address. The Marimo notebook vulnerability yesterday showed developer-tooling exposure; today's stories extend that theme to enterprise collaboration, consumer platforms, and OT environments.
The SharePoint CVE-2026-32201 active exploitation creates immediate patching pressure. The Basic-Fit and Hallmark breaches demonstrate that consumer-data platforms remain prime targets with downstream fraud consequences. Zephyr Energy's payment redirection proves that BEC continues to inflict material financial losses even in regulated, listed-company environments. The NCSC RF guidance opens a practical conversation for industrial security gaps that have been under-addressed.
Recommended Actions
- Patch SharePoint immediately: Validate CVE-2026-32201 patch deployment across all SharePoint estates; prioritise externally accessible or hybrid-connected servers
- Audit collaboration platform exposure: Review SharePoint and similar platform configurations for spoofing and lateral-movement risk
- Issue consumer fraud guidance: Brief teams and customers on phishing risk following Basic-Fit breach; watch for fitness-sector-themed lures
- Review CRM/SaaS governance: Audit Salesforce and comparable platforms for admin-path security, token lifecycles, and MFA coverage
- Verify payment controls: Use Zephyr Energy as a reference to justify out-of-band payment verification with suppliers
- Assess OT RF visibility: Open industrial-client conversations using NCSC guidance on wireless and RF communications
- Monitor The Gentlemen activity: Update manufacturing-sector threat models with confirmed victim geography
All findings grounded in A13E intelligence sweeps through 04:30 UTC 15 April 2026.