CVE-2026-32201
Microsoft SharePoint Server Spoofing Vulnerability
Description
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
In plain language
AI Act nowCVE-2026-32201 is a Microsoft SharePoint Server flaw that lets attackers spoof trusted SharePoint content or interfaces over the network without logins; if you run affected SharePoint versions, you should act immediately because it’s already being exploited in the real world.
CVE-2026-32201 is an exploited-in-the-wild spoofing vulnerability (CWE-20) in Microsoft SharePoint Server 2016/2019/Subscription Edition that attackers trigger remotely without authentication to spoof trusted content/interfaces, and (in reported activity) proceed to bypass authentication and reach remote code execution and post-exploitation steps.
What to do now
- Check whether you run Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition (or SharePoint Server) on Windows Server 2019, and confirm your installed build/version.
- Compare your SharePoint build to the fixed builds and verify whether you’re already on them: 16.0.5548.1003 (2016) or 16.0.10417.20114 (2019) or 16.0.19725.20210 (Subscription/SharePoint Server).
- Upgrade/apply the Microsoft security update for CVE-2026-32201 from the official Microsoft Update Guide, prioritizing the fixed build(s) for your specific SharePoint version.
- If you can’t patch right away, immediately follow Microsoft/CISA mitigation guidance for temporary protective controls, and consider disabling external access to the SharePoint server until patched.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:LConfidentialityI:LIntegrityA:NAvailabilityWeaknesses
Affected Products
Exploitability
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
1 techniqueReferences
- CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilitiesen-us·SecurityWeek· Summary only·
- Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesdayen·The Hacker News·
- AI-driven bug hunting fuels record Microsoft Patch Tuesdayen-us·Help Net Security·
- CISA warns admins to patch actively exploited SharePoint flawsen-us·BleepingComputer·
- Майский «В тренде VM»: громкие уязвимости в Linux, ActiveMQ, SharePoint и Acrobat Readerru·Positive Technologies (Хабр)· Summary only·
- Patch Tuesday, April 2026 Editionen-us·Krebs on Security· Source-only·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-32201 and every CVE in our database. Create a free account — no credit card required.
Create Free Account