Actively Exploited SharePoint Zero-Day Prompts Urgent Patching

Executive Summary

As part of the April 2026 Patch Tuesday cycle, Microsoft has addressed a zero-day spoofing vulnerability in Microsoft SharePoint Server, tracked as CVE-2026-32201. This vulnerability was actively exploited in the wild before a patch was available. The flaw enables an unauthenticated attacker to spoof their identity, allowing them to view protected information and modify content on a vulnerable SharePoint site. Due to its status as an actively exploited zero-day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patch by April 28, 2026.

Vulnerability Details

CVE-2026-32201 is a spoofing vulnerability that arises from improper input validation in Microsoft SharePoint Server. It has been assigned a CVSS score of 6.5, but its real-world impact is significantly higher due to its low attack complexity and lack of required user interaction.

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None

An unauthenticated attacker can send a specially crafted network request to a vulnerable SharePoint server. This request tricks the server into treating the attacker as a legitimate, authenticated user, granting them the privileges of the spoofed identity. This allows the attacker to bypass access controls.

Affected Systems

The vulnerability affects on-premises installations of Microsoft SharePoint Server. The specific versions are detailed in Microsoft's advisory for CVE-2026-32201. Cloud-based SharePoint Online is not affected. All organizations running internet-facing SharePoint servers are considered at high risk.

Exploitation Status

CVE-2026-32201 is confirmed to be actively exploited in the wild. Threat intelligence indicates that coordinated reconnaissance and exploitation attempts against internet-facing SharePoint servers began in the first half of April 2026, before the patch was released. The addition to the CISA KEV catalog further validates the widespread and active threat posed by this vulnerability.

Impact Assessment

Successful exploitation of CVE-2026-32201 has a direct impact on the confidentiality and integrity of data stored on the SharePoint server.

Confidentiality: Attackers can view sensitive files, lists, and other information that should be protected by access controls.
Integrity: Attackers can modify or replace content on the SharePoint site. This could be used to spread misinformation, embed malicious payloads, or disrupt business operations.
Further Attacks: A compromised SharePoint server can be used as a staging ground for further attacks into the internal network.

Given that SharePoint is often a central repository for corporate data, a vulnerability that allows an unauthenticated attacker to view and modify content is a critical risk that requires immediate attention.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

Type

URL Pattern

Value

Unusual requests to SharePoint's /wsa.asmx or /wsb.asmx endpoints.

Description

These web services have been historically involved in SharePoint vulnerabilities. Monitor for anomalous requests.

Type

Log Source

Value

SharePoint ULS Logs & IIS Logs

Description

Look for requests with malformed headers or unexpected values, especially those resulting in successful access from unknown IPs.

Type

File Monitoring

Value

Unexpected modifications to files or list items by a user context that doesn't align with the source IP address.

Description

This could indicate a successful spoofing attack.

Detection Methods

Vulnerability Scanning: Use a vulnerability scanner with updated plugins to identify unpatched SharePoint servers in your environment.
Log Analysis: Ingest and analyze SharePoint ULS logs and IIS web server logs. Look for access patterns that are inconsistent with normal user behavior, such as an external IP address suddenly performing actions as if it were an internal user without a corresponding login event. D3FEND's D3-WSAA - Web Session Activity Analysis is a relevant defensive technique.
Threat Intelligence: Correlate logs against known IOCs (IP addresses, user agents) associated with the exploitation of this CVE as they become public.

Remediation Steps

Patch Immediately: The primary remediation is to apply the security updates for CVE-2026-32201 provided by Microsoft as part of the April 2026 security update. This is a critical action aligned with M1051 - Update Software.
Prioritize Internet-Facing Servers: All internet-facing SharePoint servers should be patched immediately, without exception.
Review Access Logs: After patching, review access logs for the period before the patch was applied to look for signs of compromise.
Restrict Access: As a temporary mitigation if patching is delayed, restrict access to the SharePoint server to only trusted IP addresses. However, this is not a substitute for patching.

As a compensating control and defense-in-depth measure, organizations should implement strict inbound traffic filtering for their SharePoint servers. If the server does not need to be accessible to the entire internet, restrict access at the network perimeter (firewall or WAF) to only known, trusted IP ranges of employees, partners, or customers. For publicly accessible portals, a Web Application Firewall (WAF) should be deployed in front of SharePoint. A WAF can be configured with rules to inspect incoming requests for anomalies and block malicious payloads, potentially providing a layer of 'virtual patching' against exploitation attempts of CVE-2026-32201 before the official patch can be applied. This reduces the attack surface and limits the pool of potential attackers.

Microsoft SharePoint Server Spoofing Flaw (CVE-2026-32201) Under Active Exploitation