CVE-2026-32201: SharePoint Zero-Day Spoofing

The headline vulnerability in Microsoft's April 2026 Patch Tuesday — an unauthenticated spoofing flaw in SharePoint Server that was being actively exploited before a patch existed, now added to the CISA KEV catalog.

Overview

Microsoft's April 2026 Patch Tuesday — the largest single update cycle on record, addressing 167 CVEs — included one actively exploited zero-day: CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server. Unlike the critical RCE flaws also patched this cycle, this vulnerability's CVSS score of 6.5 understates its real-world significance — confirmed in-the-wild exploitation before any fix was available is a different threat tier regardless of score.

CISA added CVE-2026-32201 to its Known Exploited Vulnerabilities catalog on 14 April 2026, requiring Federal Civilian Executive Branch agencies to apply the patch by 28 April 2026.

Context: SharePoint as a Target

SharePoint Server remains one of the most attractive targets in enterprise environments. It holds sensitive documents, project data, HR records, and internal communications — often accessible from the internet on corporate intranets. It runs in-process under domain service accounts with broad read access to Active Directory, and in many environments it is trusted by downstream systems. A spoofing vulnerability that allows an attacker to impersonate another user or forge network interactions against SharePoint can unlock significant data access without touching RCE.

This is the second notable SharePoint vulnerability this blog has covered — the first being CVE-2025-53770 "ToolShell", a CVSS 9.8 unauthenticated RCE from mid-2025. The persistence of high-impact SharePoint vulnerabilities reflects both the complexity of the product and the intensity with which threat actors target it.

Technical Details

CVE-2026-32201 is rooted in improper input validation (CWE-20) within the SharePoint Server request handling layer. The flaw allows an unauthenticated attacker to craft network requests that are processed as if they originated from a trusted or authenticated source — enabling the attacker to spoof connections and trigger server-side actions on behalf of another principal.

The attack requires no privileges and no user interaction. It is exploitable over the network with low attack complexity — meaning it is accessible to a broad attacker population, not just those with specialised exploitation capability.

Microsoft's advisory notes that a successful exploit can lead to both unauthorised reading of sensitive information (confidentiality impact) and modification of that information (integrity impact), without denying legitimate users access (no availability impact). In an enterprise SharePoint deployment, the confidentiality impact alone — access to documents, site collections, or user profile data — can be sufficient to meet the objective of an intelligence-gathering operation.

Why CVSS 6.5 Misrepresents the Risk

The CVSS score reflects the vulnerability's technical impact in isolation. It does not capture the operational context: SharePoint stores high-value data, it is widely deployed, and in-the-wild exploitation was confirmed before a patch existed. The real risk to most organisations is considerably higher than the score implies — particularly for environments where SharePoint is federated with other Microsoft 365 or on-premises services, where information accessed via spoofing could be leveraged for further lateral movement.

Affected Versions

Microsoft SharePoint Server 2016
Microsoft SharePoint Server 2019
Microsoft SharePoint Server Subscription Edition

SharePoint Online (Microsoft 365) was not affected — the vulnerability is specific to on-premises deployments.

Remediation

Apply the April 2026 Cumulative Update for your SharePoint version immediately. This is the definitive fix and contains the input validation correction.
If patching cannot be completed immediately, restrict external network access to SharePoint — particularly from untrusted network segments. The attack is network-based and requiring the attacker to be on the internal network significantly raises the bar.
Review SharePoint Unified Audit Logs for unexpected access patterns: unusual accounts accessing site collections, document libraries accessed from unexpected source IPs, or API calls to SharePoint endpoints from non-standard clients.
Ensure SharePoint service accounts follow the principle of least privilege — overly permissive service accounts amplify the impact of any spoofing or impersonation attack.

Detection Guidance

Key indicators to hunt for in SharePoint and network logs:

Requests to SharePoint endpoints from external IP addresses that contain anomalous or malformed headers that do not match standard client patterns.
Access to sensitive document libraries or site collections from accounts that have not previously accessed them — particularly if accessed outside business hours or from unusual geolocations.
SharePoint Unified Audit Log entries showing operations attributed to one user but originating from IP addresses associated with a different user's sessions.
IIS access logs showing requests to SharePoint API endpoints (/_api/, /_vti_bin/) that return 200 responses without corresponding authentication events in the security event log.

April 2026 Patch Tuesday: Broader Context

CVE-2026-32201 was one of two zero-days addressed this cycle. The patch set also included eight Critical-rated vulnerabilities, notably:

CVE-2026-33827 — Windows TCP/IP stack RCE, exploitable at the network level with no user interaction in some configurations.
CVE-2026-33826 — Windows Active Directory RCE via improper input validation, relevant to any domain-joined environment.
CVE-2026-32157 — Remote Desktop Client RCE, exploitable if a user connects to a malicious RDP server.
CVE-2026-33115 / CVE-2026-33114 — Microsoft Word RCE via malicious documents, relevant to phishing chains.

Organisations should prioritise the full April 2026 Cumulative Update rather than applying individual hotfixes — the breadth of this month's Critical-rated RCE fixes makes comprehensive patching the only sound approach.

Takeaways

CVE-2026-32201 reinforces a pattern that has been consistent across Microsoft's on-premises collaboration products: input validation failures at the request processing layer enable a class of low-complexity, unauthenticated attacks that are reliably exploited by well-resourced threat actors before patches are available. On-premises SharePoint deployments deserve the same scrutiny in attack surface management reviews as externally-facing web applications — they are high-value, complex, and persistently targeted.

For red teams: any internal engagement involving on-premises SharePoint should include a check for unpatched April 2026 CU status. Pre-patch exploitation activity means tooling is likely already circulating.