The AI week, distilled.
Week 17 · 2026
This week in Microsoft AI

Security and supply-chain risk dominated the Microsoft AI conversation.

No primary Microsoft announcements surfaced in the provided sources for 2026-W17. The most actionable items for enterprise buyers were security events that directly affect Microsoft 365 Copilot reliability, identity protection, and the operational risk of self-hosted AI components.

01

SharePoint Server zero-day patched and actively exploited

Microsoft’s April 2026 Patch Tuesday addressed a SharePoint Server spoofing zero-day (CVE-2026-32201) reported as actively exploited. The issue allows unauthenticated attackers to present falsified information to users of affected SharePoint instances.

  • Treat SharePoint patching as part of Copilot readiness because Copilot outputs can inherit or amplify content integrity issues from compromised SharePoint data.
  • Prioritize remediation in hybrid deployments where on-prem SharePoint content feeds cloud search and Copilot experiences, because the on-prem tier often lags behind standard cloud controls.
  • Ask security teams to validate not only patch level but also content provenance controls (e.g., who can publish, approve, and modify pages) to reduce the business impact of spoofed SharePoint content.

02

LMDeploy SSRF exploited within hours of disclosure

A high-severity SSRF vulnerability in LMDeploy (CVE-2026-33626) was disclosed and reportedly exploited in under 13 hours. The issue affected LMDeploy versions through 0.12.0 with vision-language support and had no official patch at the time described.

  • Reassess plans to self-host LLM serving stacks as an alternative to managed Microsoft services, because rapid weaponization increases the operational cost of secure deployment.
  • Enforce egress controls and network segmentation for any AI inference endpoints connected to Azure or Microsoft 365, because SSRF commonly gives an attacker access to internal services and cloud metadata endpoints, which enables lateral movement.
  • Extend vulnerability management and incident-response playbooks to OSS AI components used alongside Microsoft platforms, because these components can become the weakest link in an otherwise well-governed Microsoft stack.

03

Bitwarden CLI supply-chain hijack via npm pipeline

The Bitwarden CLI was briefly hijacked on April 22 via a supply-chain compromise involving an npm distribution pipeline. Attackers pushed a malicious version before the incident was detected and addressed.

  • Audit developer workstations and CI runners used for Copilot extensions, Azure AI projects, or M365 automation, because compromised tooling can leak credentials that control tenant access.
  • Implement package allow-lists, lockfiles, and artifact integrity verification for npm-based toolchains used in Microsoft-focused development, because npm remains a common ingress path for supply-chain attacks.
  • Reduce reliance on stored secrets by enforcing phishing-resistant MFA and short-lived credentials for Entra ID and Azure, because credential theft remains the fastest route to tenant compromise.
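
One way to turn the allow-list, lockfile, and integrity recommendation above into a CI gate is to audit the parsed package-lock.json before anything is installed. This is an added example, not code from any vendor or project named in this issue; the policy shape, package names, hashes, and mirror host are constructed for illustration, and it assumes a lockfileVersion 2 or 3 file.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2/3) against a policy.
// Package names, hashes and the mirror host below are constructed sample data.
const STRONG_ALGOS = new Set(["sha256", "sha384", "sha512"]);

function packageName(key) {
  // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock, policy) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links and bundled deps (no tarball of their own).
    if (key === "" || entry.link || entry.inBundle) continue;
    const name = packageName(key);
    const report = (rule, detail) => findings.push({ name, version: entry.version, rule, detail });

    // 1. Allow-list: only reviewed package names may appear anywhere in the tree.
    if (!policy.allowedPackages.has(name)) report("not-allow-listed", key);

    // 2. Source: the tarball must resolve over HTTPS from an approved registry host.
    let host = null;
    try {
      const url = new URL(entry.resolved);
      if (url.protocol === "https:") host = url.hostname;
    } catch (_) { /* missing or malformed "resolved" field */ }
    if (!host || !policy.allowedHosts.has(host)) report("untrusted-source", String(entry.resolved));

    // 3. Integrity: an SRI hash with a strong algorithm must be recorded.
    const algos = String(entry.integrity || "").split(/\s+/).filter(Boolean).map((h) => h.split("-")[0]);
    if (algos.length === 0) report("missing-integrity", "no integrity field");
    else if (!algos.some((a) => STRONG_ALGOS.has(a))) report("weak-integrity", algos.join(","));
  }
  return findings;
}

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-tool": { version: "2.1.0", resolved: "https://registry.npmjs.org/left-tool/-/left-tool-2.1.0.tgz", integrity: "sha512-Q09OU1RSVUNURUQ=" },
    "node_modules/old-dep": { version: "0.3.1", resolved: "https://registry.npmjs.org/old-dep/-/old-dep-0.3.1.tgz", integrity: "sha1-Q09OU1RSVUNURUQ=" },
    "node_modules/left-tool/node_modules/@acme/helper": { version: "1.0.0", resolved: "http://mirror.example.test/helper-1.0.0.tgz" },
  },
};
const SAMPLE_POLICY = { allowedPackages: new Set(["left-tool", "old-dep"]), allowedHosts: new Set(["registry.npmjs.org"]) };

console.log(auditLockfile(SAMPLE_LOCK, SAMPLE_POLICY));
```

The audit only checks what the lockfile records; installing with `npm ci` is what enforces those recorded hashes against the downloaded tarballs.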