CVE-2026-32201 is a critical-grade spoofing vulnerability in Microsoft Office SharePoint stemming from improper input validation, classified under CWE-20.
The flaw allows an unauthorized, unauthenticated attacker to perform network-based spoofing attacks without requiring any user interaction or elevated privileges, making it especially dangerous in enterprise environments.
Assigned a CVSS:3.1 base score of 6.5 (temporal score 6.0) by Microsoft, the vulnerability carries a severity rating of Important, yet its zero-day exploitation status significantly elevates real-world risk.
The vulnerability was assigned by Microsoft’s Security Response Center (MSRC) and published on April 14, 2026, coinciding with the release of corrective security patches.
Unlike many post-exploitation vulnerabilities, CVE-2026-32201 was confirmed as “Exploitation Detected” at the time of disclosure, meaning attackers had already weaponized it before enterprises had any opportunity to defend themselves.
How Attackers Exploit This Flaw
According to CrowdStrike’s April 2026 Patch Tuesday analysis, CVE-2026-32201 allows unauthenticated remote attackers to exploit SharePoint’s improper input validation mechanism to perform spoofing all with low attack complexity and zero user interaction required.
The attack vector is entirely network-based, meaning threat actors can launch exploits remotely across the internet without needing physical or local access to targeted systems.
Check Point Research has further characterized the vulnerability as an authentication bypass, noting that attackers can bypass SharePoint’s authentication layer to carry out spoofing.
Mike Walters, President and Co-Founder of Action1, told KrebsOnSecurity that CVE-2026-32201 can be weaponized to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments. This technique makes phishing and social engineering far more credible and difficult to detect.
Successful exploitation allows threat actors to:
- View sensitive information stored or shared within SharePoint environments (Confidentiality: Low impact)
- Modify or tamper with disclosed data to spread misinformation or manipulate workflows (Integrity: Low impact)
- Impersonate trusted identities within SharePoint, enabling downstream attacks against users who trust platform content
Notably, the vulnerability does not impact system availability (A: N). Still, the combination of unauthorized data access and integrity manipulation makes it a potent tool for targeted espionage and credential-harvesting campaigns.
Part of Microsoft’s Largest April Patch Tuesday
CVE-2026-32201 was patched as part of Microsoft’s April 2026 Patch Tuesday, which addressed a staggering 165 newly disclosed vulnerabilities, one of the largest single-month patch releases in recent history.
Of those, eight were classified as Critical, primarily covering Remote Code Execution (RCE) and Denial-of-Service (DoS) flaws. CVE-2026-32201 stood out as the only confirmed zero-day in the batch, immediately flagging it as a top remediation priority for security teams worldwide.
A companion vulnerability, CVE-2026-20945, was also patched in the same update cycle, another SharePoint Server spoofing vulnerability with a lower CVSS score of 4.6. Both flaws affect overlapping SharePoint versions, suggesting a broader weakness in the platform’s input validation architecture that Microsoft is actively addressing.
Affected Products and Security Updates
Microsoft has released mandatory security updates for all three affected SharePoint versions. Customer action is required for all impacted deployments:
| Product | Build Number | KB Article |
|---|---|---|
| SharePoint Server Subscription Edition | 16.0.19725.20210 | KB5002853 |
| SharePoint Server 2019 | 16.0.10417.20114 | KB5002854 |
| SharePoint Enterprise Server 2016 | 16.0.5548.1003 | KB5002861 |
It is critical to note that these vulnerabilities affect on-premises SharePoint servers only and do not impact SharePoint Online or Microsoft 365 cloud-hosted environments. Organizations relying solely on Microsoft 365 are not at risk, but any enterprise maintaining on-premises SharePoint infrastructure must treat this patch as an emergency update.
Mitigation and Recommended Actions
Security researchers recommend that organizations apply the available patches immediately, given the confirmed exploitation status. The following mitigation steps should be prioritized:
- Apply the relevant KB security update for your SharePoint Server version without delay
- Audit SharePoint access logs for unusual network activity, unauthorized data access patterns, or spoofed identity behavior
- Deploy IPS protections Microsoft advisory recommends enabling the CVE-2026-32201 protection rule on all Security Gateways.
- Restrict network exposure of SharePoint servers by placing them behind firewalls and limiting internet-facing access
- Review user permissions to minimize the blast radius in the event of a successful spoofing attack.
- Monitor dark web and threat intelligence feeds for indicators of compromise (IOCs) tied to this CVE.
Organizations that cannot patch immediately should consider temporarily restricting external network access to SharePoint portals and increasing monitoring thresholds on authentication events.
Historical Context: SharePoint Under Siege
This is not the first time sophisticated threat actors have targeted SharePoint. U.S. cybersecurity agencies tracked widespread exploitation campaigns leveraging the ToolShell exploit chain against on-premises SharePoint servers, targeting CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771.
CISA added multiple SharePoint CVEs to its Known Exploited Vulnerabilities (KEV) catalog in July 2025, signaling a sustained and deliberate focus by threat actors on enterprise SharePoint infrastructure. CVE-2026-32201 continues this alarming trend of the premises SharePoint treating servers as high.
Frequently Asked Questions (FAQs)
Q1: Does CVE-2026-32201 affect SharePoint Online or Microsoft 365?
No, this vulnerability only affects on-premises SharePoint Server (2016, 2019, Subscription Edition) and does not impact cloud-hosted SharePoint Online or Microsoft 365 environments.
Q2: Is authentication required to exploit CVE-2026-32201?
No, CVE-2026-32201 requires no authentication, no user interaction, and no elevated privileges, making it exploitable by any remote, unauthenticated attacker.
Q3: What is the CVSS score of CVE-2026-32201, and what does it mean?
CVE-2026-32201 carries a CVSS:3.1 base score of 6.5 (temporal 6.0), rated Important, reflecting moderate confidentiality and integrity risk with no availability impact, but real-world severity is heightened by active zero-day exploitation.
Q4: Where can administrators download the security update for CVE-2026-32201?
Microsoft has published security updates for SharePoint Server 2016 (KB5002861), 2019 (KB5002854), and Subscription Edition (KB5002853), all available through the Microsoft Download Center and Windows Update.
Site: http://thecybrdef.com
About the Author
