SharePoint spoofing exploited in the wild (CVE-2026-32201)

Overview

A vulnerability in Microsoft SharePoint Server, tracked as CVE-2026-32201, allows an unauthenticated attacker to perform spoofing attacks over a network. This flaw is notable because it is confirmed to be under active, widespread exploitation, as cataloged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in its Known Exploited Vulnerabilities (KEV) catalog.

Vulnerability Details

The vulnerability stems from improper input validation within SharePoint. An attacker can exploit this by sending specially crafted network packets to a vulnerable SharePoint server. Crucially, the attack requires no user interaction and no prior authentication, making it easy to launch. The CVSS v3.1 base score is 6.5 (Medium), with the attack vector rated as Network and both attack complexity and privileges required rated as Low and None, respectively.

Impact

Successful exploitation allows an attacker to perform spoofing. In practice, this could enable them to disguise malicious network traffic as legitimate, potentially bypassing security controls, tricking users, or manipulating data flows within the SharePoint environment. While not a direct code execution flaw, spoofing can be a critical first step in a broader attack chain, leading to data theft, credential harvesting, or further network compromise.

Affected Products

This vulnerability affects on-premises Microsoft SharePoint Server versions. Microsoft 365 SharePoint Online is not affected. Administrators should review the official Microsoft Security Update Guide for April 2026 for specific version details.

Remediation and Mitigation

The primary remediation is to apply the security updates provided by Microsoft in its April 2026 Patch Tuesday release. Organizations should prioritize this update immediately due to confirmed active exploitation.

If immediate patching is not possible, consider the following mitigation strategies:

• Restrict network access to SharePoint servers, especially from untrusted networks like the internet, using firewall rules.
• Implement network segmentation to limit the potential lateral movement of an attacker who gains an initial foothold.
• Monitor network traffic for anomalous patterns or spoofing attempts.

Security Insight

The active exploitation of this SharePoint spoofing flaw highlights a trend where attackers increasingly target collaboration platforms as initial access vectors. Similar to how threat groups like APT28 have hijacked infrastructure to steal credentials, this vulnerability could be used to establish a deceptive foothold within an organization’s internal network, facilitating more severe follow-on attacks. It underscores the critical need to treat “Medium” severity vulnerabilities with high urgency when they appear on the KEV list.

Further Reading

• Weekly Threat Roundup: APT28 DNS Hijacking (Apr 6-12
• APT28 Hijacks SOHO Routers - Microsoft 365 Credentials
• Storm-1175 Exploits Zero-Days to Deploy Medusa
• All Medium Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs