SharePoint spoofing exploited in the wild (CVE-2026-32201) [PoC]
CVE-2026-32201
Attackers send spoofed network packets to Microsoft SharePoint Servers (on-premises) to bypass security controls. Apply the April 2026 Patch Tuesday update immediately.
Actively exploited in the wild - CVE-2026-32201 is a medium spoofing vulnerability in Microsoft SharePoint Server (on-premises) that lets an unauthenticated attacker disguise malicious traffic as legitimate, potentially tricking users and bypassing network defenses. Apply the April 2026 security updates immediately.
Overview
A vulnerability in Microsoft SharePoint Server, tracked as CVE-2026-32201, allows an unauthenticated attacker to perform spoofing attacks over a network. This flaw is notable because it is confirmed to be under active, widespread exploitation, as cataloged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in its Known Exploited Vulnerabilities (KEV) catalog.
Vulnerability Details
The vulnerability stems from improper input validation within SharePoint. An attacker can exploit this by sending specially crafted network packets to a vulnerable SharePoint server. Crucially, the attack requires no user interaction and no prior authentication, making it easy to launch. The CVSS v3.1 base score is 6.5 (Medium), with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None.
Impact
Successful exploitation allows an attacker to perform spoofing. In practice, this could enable them to disguise malicious network traffic as legitimate, potentially bypassing security controls, tricking users, or manipulating data flows within the SharePoint environment. While not a direct code execution flaw, spoofing can be a critical first step in a broader attack chain, leading to data theft, credential harvesting, or further network compromise.
Affected Products
This vulnerability affects on-premises Microsoft SharePoint Server versions. Microsoft 365 SharePoint Online is not affected. Administrators should review the official Microsoft Security Update Guide for April 2026 for specific version details.
Remediation and Mitigation
The primary remediation is to apply the security updates provided by Microsoft in its April 2026 Patch Tuesday release. Organizations should prioritize this update immediately due to confirmed active exploitation.
If immediate patching is not possible, consider the following mitigation strategies:
- Restrict network access to SharePoint servers, especially from untrusted networks like the internet, using firewall rules.
- Implement network segmentation to limit the potential lateral movement of an attacker who gains an initial foothold.
- Monitor network traffic for anomalous patterns or spoofing attempts.
Security Insight
The active exploitation of this SharePoint spoofing flaw highlights a trend where attackers increasingly target collaboration platforms as initial access vectors. Similar to how threat groups like APT28 have hijacked infrastructure to steal credentials, this vulnerability could be used to establish a deceptive foothold within an organization’s internal network, facilitating more severe follow-on attacks. It underscores the critical need to treat “Medium” severity vulnerabilities with high urgency when they appear on the KEV list.
Update - May 2026
CVE-2026-32201 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on 2026-05-07. The EPSS score has decreased marginally from 0.07937 to 0.0687, but remains in the 91st percentile - indicating broad attacker tooling integration despite a slight probability shift.

Microsoft has not issued a standalone patch; instead, SharePoint Server Subscription Edition and SharePoint 2019 received cumulative security updates on 2026-05-05 that include a fix for this spoofing vector. Organizations still on unsupported builds should migrate immediately.

No additional CVEs have been disclosed in the same family, though threat actors targeting SharePoint in April 2026 attacks show correlation with CVE-2026-32198 (privilege escalation) chained in observed intrusions.

Active exploitation detections from industry partners show scanning for crafted POST requests to /_layouts/15/start.aspx with anomalous form payloads. Defenders should filter URI paths containing /start.aspx with unvalidated Source parameters, enforce Content Security Policy headers on all SharePoint pages, and validate patch status using Get-SPProduct -Local. Prioritize KEV-listed vulnerabilities for emergency remediation within 24 hours per BOD 25-01 guidance.
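The mitigation list above asks defenders to monitor for anomalous traffic, and the update narrows that down to POST requests against /_layouts/15/start.aspx carrying an unvalidated Source parameter. The script below is an added example, not code from the advisory, from Yazoul Security or from Microsoft: it reads IIS W3C extended log lines (standard IIS field names; the log excerpt itself is constructed), picks out POST requests whose path contains /start.aspx, and reports any Source value that is not a plain server-relative path. What counts as "safe" here (a single leading slash, no scheme, no protocol-relative form, no script or markup characters, checked after a second URL-decode to catch double encoding) is this example's own assumption about what SharePoint's Source redirect should legitimately contain. Note that IIS logs do not record POST bodies, so the "anomalous form payloads" part of the indicator cannot be checked from the web logs alone; this script covers the URI and query-string part.

```python
"""Flag POST requests to SharePoint start.aspx whose Source parameter is not a
server-relative path, over IIS W3C extended log lines (constructed sample data)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator, Optional
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C log excerpt for demonstration; not traffic from a real host.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-06 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx Source=%2Fsites%2Fhr%2FSitePages%2FHome.aspx 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 200
2026-05-06 09:12:07 10.0.0.5 POST /_layouts/15/start.aspx Source=https%3A%2F%2Fevil.example%2Flanding 443 - 203.0.113.9 python-requests/2.31 302
2026-05-06 09:12:09 10.0.0.5 POST /_layouts/15/start.aspx Source=%2F%2Fevil.example%2F 443 - 203.0.113.9 python-requests/2.31 302
2026-05-06 09:12:15 10.0.0.5 POST /_layouts/15/start.aspx Source=javascript%3Aalert(1) 443 - 203.0.113.9 curl/8.4 200
2026-05-06 09:13:00 10.0.0.5 POST /_layouts/15/listform.aspx PageType=8 443 CONTOSO\\asmith 10.0.1.30 Mozilla/5.0 200
2026-05-06 09:13:30 10.0.0.5 POST /_layouts/15/start.aspx Source=%252F%252Fevil.example 443 - 198.51.100.7 curl/8.4 302
"""


@dataclass
class Finding:
    when: str
    client_ip: str
    uri_stem: str
    source: str
    reason: str


def parse_w3c(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields directive.
    IIS never emits spaces inside a field (they are written as '+'), so a plain
    split is safe; lines whose field count disagrees with the header are skipped."""
    fields: list[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def source_problem(value: str) -> Optional[str]:
    """Return None when `value` is an acceptable server-relative path, otherwise a
    short reason. The acceptance rule is this example's assumption: a Source used
    as a post-action redirect should stay on the same SharePoint host."""
    # parse_qs already decoded once; decoding twice more is a no-op for a normal
    # path but unwraps double-encoded values such as %252F%252F -> //.
    decoded = unquote(unquote(value))
    if decoded.startswith(("//", "/\\")):
        return "protocol-relative target"
    if not decoded.startswith("/"):
        return "absolute or script URI" if ":" in decoded else "not a server-relative path"
    if any(ch in decoded for ch in "<>\"'\\\r\n"):
        return "forbidden characters in path"
    return None


def detect(text: str) -> list[Finding]:
    """Apply the start.aspx/Source check to every POST record in an IIS log."""
    findings: list[Finding] = []
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() != "POST":
            continue
        if "/start.aspx" not in rec["cs-uri-stem"].lower():
            continue
        query = rec["cs-uri-query"]
        params = parse_qs("" if query == "-" else query, keep_blank_values=True)
        # ASP.NET query-string keys are case-insensitive, so match 'Source' loosely.
        sources = [v for k, vs in params.items() if k.lower() == "source" for v in vs]
        for src in sources:
            reason = source_problem(src)
            if reason is not None:
                findings.append(Finding(f"{rec['date']} {rec['time']}", rec["c-ip"],
                                        rec["cs-uri-stem"], src, reason))
    return findings


def by_client(findings: list[Finding]) -> dict[str, int]:
    """Count findings per client IP; repeated hits from one source suggest scanning."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"{h.when} {h.client_ip} {h.uri_stem} Source={h.source!r}: {h.reason}")
    print("per-client:", by_client(hits))
```

Run against a real `u_ex*.log` by replacing `SAMPLE_LOG` with the file contents; the `#Fields` line in each log file drives the column mapping, so the script tolerates sites that log a different set of fields as long as `cs-method`, `cs-uri-stem`, `cs-uri-query`, `c-ip`, `date` and `time` are present. The same path-and-parameter rule can be expressed as an IIS Request Filtering or WAF rule for blocking, but logging-side detection like this is what lets you confirm whether the scanning described in the update has already reached your servers.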
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| B1tBit/CVE-2026-32201-exploit A spoofing vulnerability exists in Microsoft SharePoint Server due to improper input validation. An unauthenticated attacker can send a specially crafted HTTP request to inject malicious JavaScript (r | ★ 0 |
Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.