Customer Advisory | CA-A-26-007: Active Exploitation of Microsoft SharePoint Server Zero-Day CVE-2026-32201

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 6 minutes

Microsoft, SharePoint, Zero-Day, Spoofing, CVE-2026-32201, CISA KEV, Active Exploitation

Source Material: CISA, NVD | Technology: Microsoft SharePoint | Targeted Industries: All

Executive Summary

During its April 2026 Patch Tuesday release, Microsoft disclosed an actively exploited zero-day vulnerability (CVE-2026-32201) affecting Microsoft SharePoint Server. Stemming from improper input validation, this flaw allows unauthenticated remote attackers to perform server spoofing over a network. While carrying a CVSS score of 6.5 (Medium), the vulnerability requires no user interaction and features low attack complexity. Threat actors are actively exploiting this internet-facing flaw in the wild to bypass trust boundaries, view sensitive data, and manipulate disclosed information. Consequently, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) catalog.

Threat Overview and Strategic Impact

Tracked as CVE-2026-32201 (CVSS: 6.5), this flaw exploits improper input validation in SharePoint to allow attackers to spoof trusted content and interfaces without requiring authentication. While the vulnerability primarily impacts confidentiality and integrity, its abuse serves as a critical enabler for more advanced intrusion campaigns.

By successfully manipulating the way information is presented within trusted internal SharePoint environments, adversaries can:

  • Deceive employees and partners with falsified information.
  • Deploy weaponized documents or replace legitimate files with malicious variants.
  • Launch highly convincing internal phishing and social engineering campaigns.

Although Microsoft has reported this as an active “in-the-wild” exploit, the specific threat actors behind current campaigns remain unknown. Because SharePoint frequently acts as a central repository for sensitive corporate data, the ability to exploit this system seamlessly over a network poses a significant risk for data theft, secondary payload deployment, and lateral movement.

Security Hardening and Recommendations

Deepwatch recommends organizations take the following immediate actions:

Apply Specific Microsoft Patches Immediately: Administrators must urgently deploy the April 2026 Patch Tuesday updates to all internet-facing and internal Microsoft SharePoint Server instances. Ensure the correct Knowledge Base (KB) update is applied for your specific deployment:

  • Microsoft SharePoint Server Subscription Edition: Install Update KB5002853
  • Microsoft SharePoint Server 2019: Install Update KB5002854
  • Microsoft SharePoint Enterprise Server 2016: Install Update KB5002861

Workflow Manager Configuration Check: If your environment runs the Classic version of SharePoint Workflow Manager, Microsoft requires administrators to manually enable a server debug flag via PowerShell ($farm.ServerDebugFlags.Add(53601)) before or immediately after patching so that workflows continue to function.

Adhere to CISA Guidelines: Federal Civilian Executive Branch (FCEB) agencies, and private sector counterparts adopting best practices, must comply with CISA BOD 22-01 and deploy these required vendor mitigations no later than April 28, 2026.

Monitor SharePoint Activity: Given the ongoing exploitation in the wild, continuously review SharePoint access and event logs for anomalous behavior. Security teams should specifically hunt for unauthorized file modifications, sudden permission changes, or unexpected document replacements that could indicate successful spoofing or data manipulation.

Detection Strategy

To effectively detect exploitation attempts and post-exploitation activity related to CVE-2026-32201, security teams should focus on identifying anomalous network requests, spoofed sessions, and post-compromise behaviors within their SharePoint environments.

Key Log Sources & Telemetry:

  • Internet Information Services (IIS) Logs: Monitor for anomalous HTTP requests, particularly unauthenticated POST requests targeting unusual endpoints, displaying forged Referer headers, or attempting to bypass authentication controls.
  • SharePoint Unified Logging Service (ULS): Review ULS logs for errors related to improper input validation, spoofed session states, or unauthorized access/data manipulation attempts.
  • Antimalware Scan Interface (AMSI): Ensure AMSI is enabled in “Full Mode” for SharePoint Server. AMSI acts as a critical real-time inspection layer capable of analyzing incoming web requests and capturing malicious payloads before they reach the authentication and authorization phases.
  • Endpoint Detection and Response (EDR): Actively monitor the IIS worker process (w3wp.exe) for anomalous child processes or unauthorized file modifications.

How Deepwatch Protects Our Customers

Deepwatch Adversary Tactics and Intelligence (ATI) and Detection Engineering teams are actively reviewing this threat to evaluate relevant hunting and detection opportunities within customer environments. ATI is also monitoring for IoCs and PoCs to further enhance our detection capabilities.

Threat Hunting Leads

No verified Proof of Concept (PoC) exploit is currently publicly available for CVE-2026-32201. Because this is an unauthenticated server spoofing vulnerability stemming from improper input validation, hunting efforts should focus on identifying anomalies in your internet-facing SharePoint infrastructure and in internal user behavior.

  • Web Traffic and WAF Anomalies (Initial Access)
    • Anomalous HTTP Requests: Review IIS (Internet Information Services) and Web Application Firewall (WAF) logs for unusual, unauthenticated HTTP requests targeting SharePoint web front-ends. Look for requests containing heavily obfuscated URLs, unexpected character sets, or exceptionally long parameters that might indicate input validation bypassing or fuzzing attempts.
    • Spikes in Error Codes: Hunt for sudden increases in HTTP 400 (Bad Request) or HTTP 500 (Internal Server Error) responses originating from your SharePoint servers. This often indicates failed exploitation attempts or threat actors actively probing the input validation mechanism.
  • SharePoint Content and Configuration Modifications (Impact/Spoofing)
    • Unauthorized Page Edits: Monitor SharePoint audit logs for unexpected modifications to highly visible internal pages, company announcements, or trusted portals, especially if these changes occur outside of standard business hours or without an associated IT change ticket.
    • Suspicious Document Replacements: Hunt for instances where highly accessed, legitimate documents are suddenly replaced or updated. Attackers may swap trusted files with weaponized variants (e.g., macro-enabled Office documents) or lookalike files designed to harvest credentials.
    • Permission Anomalies: Look for sudden changes to site permissions, particularly the unauthorized granting of “read” or “edit” access to anonymous or broad user groups on sensitive document libraries.
  • Secondary Post-Exploitation Activity (Internal Phishing)
    • Internal Phishing Referrals: Coordinate with your email security or SOC teams to identify any recent internal phishing reports. Specifically, look for phishing links that direct users back to your own internal, trusted SharePoint URLs, as this indicates the spoofing vulnerability is being used to add legitimacy to a social engineering campaign.
    • Unusual Download Volumes: Monitor for users downloading an unusually high volume of files from spoofed or recently modified SharePoint locations, which could indicate a successful social engineering lure tricking users into downloading malicious payloads.
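As an added illustration of the IIS-log leads in the Key Log Sources list and the Web Traffic and WAF Anomalies hunt above, the following Python script applies those leads to a constructed W3C-format IIS excerpt; it is not Deepwatch's detection content, and the sample log lines, the internal host list, the SharePoint path prefixes and the thresholds are assumptions.

```python
"""Hunt over IIS W3C logs from a SharePoint web front-end (added example, constructed data)."""
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log: one benign authenticated session, then a noisy unauthenticated client.
# The field set is a subset of the default IIS W3C fields; names follow the #Fields header.
_LONG_QUERY = "q=" + "%2E" * 200            # exceptionally long, heavily encoded parameter
SAMPLE_LOG = "\n".join([
    "#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(Referer) sc-status",
    "2026-04-14 09:00:01 GET /sites/hr/SitePages/Home.aspx - CORP\\alice 10.1.1.5 - 200",
    "2026-04-14 09:00:02 POST /_layouts/15/Upload.aspx List=Docs CORP\\alice 10.1.1.5 https://intranet.example/sites/hr 200",
    f"2026-04-14 09:01:10 POST /_layouts/15/start.aspx {_LONG_QUERY} - 203.0.113.7 http://lookalike.example/ 500",
] + [f"2026-04-14 09:01:{11 + i:02d} POST /_api/web - - 203.0.113.7 http://lookalike.example/ 400"
     for i in range(6)])

INTERNAL_HOSTS = {"intranet.example"}      # assumption: the farm's own alternate access mapping hosts
SP_PREFIXES = ("/_layouts/", "/_api/", "/_vti_bin/")   # assumption: SharePoint system endpoints
LONG_QUERY_LEN = 512                        # assumption: "exceptionally long" parameter threshold
ERROR_SPIKE_THRESHOLD = 5                   # assumption: 4xx/5xx responses per client per minute


def parse_iis_log(text):
    """Turn W3C-format lines into dicts keyed by the #Fields header names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records


def hunt(records, internal_hosts=INTERNAL_HOSTS):
    """Apply the advisory's IIS hunting leads; returns (findings, error spikes)."""
    findings, errors = [], Counter()
    for r in records:
        stem, query, status = r["cs-uri-stem"], r["cs-uri-query"], int(r["sc-status"])
        unauth_post = r["cs-method"] == "POST" and r["cs-username"] == "-"
        ref_host = urlparse(r["cs(Referer)"]).hostname if r["cs(Referer)"] != "-" else None
        if unauth_post and stem.startswith(SP_PREFIXES):
            findings.append(("unauth_post", r["c-ip"], stem))
        if r["cs-method"] == "POST" and ref_host and ref_host not in internal_hosts:
            findings.append(("external_referer", r["c-ip"], ref_host))   # forged/foreign Referer
        if query != "-" and (len(query) >= LONG_QUERY_LEN or query.count("%") > len(query) // 4):
            findings.append(("long_or_encoded_query", r["c-ip"], stem))
        if status >= 400:
            errors[(r["c-ip"], r["time"][:5])] += 1      # bucket 4xx/5xx by client and minute
    spikes = {k: v for k, v in errors.items() if v >= ERROR_SPIKE_THRESHOLD}
    return findings, spikes


if __name__ == "__main__":
    found, spiking = hunt(parse_iis_log(SAMPLE_LOG))
    print(*found, spiking, sep="\n")
```

On real data, feed the script your WFE's IIS log files and tune the thresholds to your baseline before acting on the output.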

Technical Artifacts

Currently, there are no public Indicators of Compromise (IoCs) or verified Proof of Concept (PoC) exploit codes directly associated with this activity.

Threat Object Mapping

Intrusion Set:

  • This activity is not attributed to a specific intrusion set at this time.

Attack Pattern (MITRE ATT&CK):

Tactic | Technique ID | Technique Name | Mapped Advisory TTP
Initial Access | T1190 | Exploit Public-Facing Application | CVE-2026-32201 Zero-Day Exploitation
Initial Access | T1566 | Phishing | Social Engineering / Deceptive Content
Lateral Movement | T1534 | Internal Spearphishing | Phishing (Internal)
Execution | T1204 | User Execution | Social Engineering (Tricking users into interacting with spoofed content/malicious links)
Impact | T1491.002 | Defacement: Internal Defacement | Spoofing (Manipulating trusted information within internal environments)

Vulnerability:

  • CVE-2026-32201

Malware/Tool:

  • There are currently no specific malware, tools, or verified PoCs for this CVE.
