CVE-2026-32201: Actively Exploited SharePoint Server Spoofing Vulnerability

CVE-2026-32201: Actively Exploited SharePoint Server Spoofing Vulnerability

CVE-2026-32201 is an actively exploited spoofing vulnerability in Microsoft SharePoint Server, stemming from improper input validation. This flaw allows an unauthorized remote attacker to spoof trusted content and resources over the network, with exploitation observed in the wild as a zero-day prior to the April 2026 Patch Tuesday release. The vulnerability has a CVSS 3.1 base score of 6.5 (Medium severity) with a network attack vector, low complexity, and requires no privileges or user interaction for successful exploitation. This issue has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, emphasizing the urgency of remediation.

Technical Analysis of the Vulnerability

The core of CVE-2026-32201 lies within SharePoint's input handling layer, specifically in how it processes and validates parameters in HTTP requests used for rendering pages, lists, and documents. Insufficient sanitization and validation of these parameters enable an attacker to supply malformed data. This malformed input bypasses authenticity checks, allowing the construction of spoofed responses that appear to originate from legitimate SharePoint components. Such spoofing can facilitate phishing by presenting fake login forms or modified documents that look authentic within the SharePoint domain.

While specific details regarding the exact parameter manipulation are often withheld to prevent further exploitation, the nature of a spoofing vulnerability suggests an attacker can craft URLs or request headers to mislead a user or a system component. Previous SharePoint spoofing vulnerabilities, such as CVE-2025-49706, have leveraged manipulation of HTTP Referer headers to the /_layouts/15/ToolPane.aspx endpoint to bypass authentication. Although CVE-2026-32201 is distinct, the underlying principle of manipulating trust through malformed requests remains consistent.

The vulnerability's classification as "Improper Input Validation" (CWE-20) highlights a fundamental security hygiene issue where an application trusts user-supplied data without adequate scrutiny. This allows an attacker to inject data that the application then processes in an unintended way, leading to the spoofing effect.

Exploitation Vectors and Observed Campaigns

Active exploitation of CVE-2026-32201 began prior to the official April 2026 patches. Observed campaigns have targeted organizations with externally exposed SharePoint instances or those accessible via VPN. Attackers typically employ automated probes to identify vulnerable SharePoint servers. Following identification, specially crafted requests are used to spoof high-value resources, such as financial reports, internal directories, or credential prompts.

The primary impact of successful spoofing involves limited confidentiality and integrity violations, allowing attackers to view sensitive metadata or alter displayed content without full write access to the backend database. Exploitation often integrates with social engineering tactics, directing authenticated users to malicious, spoofed links via email or internal messaging. Tools such as Postigo are crucial for organizations to defend against advanced phishing attacks that leverage URL spoofing and credential theft by providing robust email security and SMTP monitoring.

While no public exploit code has been released, the observed activity has been stealthy, focusing on data exfiltration through displayed content rather than destructive actions. Threat intelligence firms have tracked coordinated reconnaissance campaigns specifically targeting SharePoint, with activity observed across multiple IP addresses and hosting providers.

Affected Versions

The spoofing vulnerability, CVE-2026-32201, impacts several on-premises deployments of SharePoint Server.

SharePoint Server Product Vulnerable Versions (Prior to April 2026 Patch)
SharePoint Server 2016 All supported versions
SharePoint Server 2019 All supported versions
SharePoint Server Subscription Edition All supported versions

It is important to note that this vulnerability affects on-premises SharePoint servers and does not extend to SharePoint Online in Microsoft 365.

Mitigation and Remediation

Microsoft released security updates on April 14, 2026, to address CVE-2026-32201, alongside other vulnerabilities. Urgent patching is the primary defense. Organizations running affected versions of SharePoint Server must apply these updates immediately.

The specific knowledge base (KB) articles for the updates are:

  • KB5002853 for SharePoint Server Subscription Edition
  • KB5002854 for SharePoint Server 2019
  • (Corresponding KB for SharePoint Server 2016 would also be available)

Beyond immediate patching, several hardening measures are critical for SharePoint Server environments:

  1. Strict Input Validation and Sanitization: While the patch addresses the specific flaw, reinforcing input validation at the application and web server level can provide defense in depth against similar future vulnerabilities. Implementing Web Application Firewalls (WAFs) can assist in filtering malicious inputs before they reach the SharePoint application.
  2. Network Segmentation: Isolate SharePoint servers from other critical internal networks. Restrict direct internet access where possible, using reverse proxies or strict firewall rules.
  3. Enhanced Monitoring and Logging: Implement comprehensive logging for SharePoint activities, IIS logs, and network traffic. Look for unusual request patterns, unexpected parameter values, or redirects. Integrations with Security Information and Event Management (SIEM) systems are crucial for detecting anomalies. 
    
# Example PowerShell for enabling verbose SharePoint diagnostic logging
Set-SPLogLevel -TraceSeverity Medium -EventSeverity High -Category "SharePoint Foundation"
Set-SPLogLevel -TraceSeverity Verbose -EventSeverity High -Category "Web Content Management"
  4. Strong Authentication: Enforce multi-factor authentication (MFA) for all SharePoint access, especially for administrative accounts. Disable older, less secure authentication methods. Organizations should ensure that modern authentication protocols are used and older protocols are turned off to prevent attackers from bypassing MFA.
  5. Regular Vulnerability Scanning: Continuously scan SharePoint deployments for known vulnerabilities and misconfigurations. Tools like Secably can perform vulnerability scanning and web security testing to identify potential weaknesses, including URL redirection issues or client-side vulnerabilities.
  6. Attack Surface Management: Regularly assess the external attack surface of your organization to identify exposed SharePoint instances. Services like Zondex can assist in discovering internet-wide exposed services and conducting reconnaissance, which is vital for understanding what an attacker sees.
  7. Principle of Least Privilege: Configure SharePoint permissions deliberately, assigning users access only to the sites and content strictly required for their role. Avoid broad "Everyone" permissions.
  8. Antimalware Integration: Ensure Antimalware Scan Interface (AMSI) integration is enabled in SharePoint and deploy robust antivirus solutions on all SharePoint servers. This helps prevent malicious scripts from executing.

Administrators are also advised to consider strict URL rewrite rules as a temporary workaround if immediate patching is not feasible. Regularly reviewing and tightening tenant-level and site-level sharing settings and controlling access from unmanaged devices are also critical for overall SharePoint security.