CVE-2026-32201
CISA KEV
An improper authentication vulnerability in Microsoft SharePoint Server allows an unauthenticated remote attacker to craft a forged request that impersonates an authenticated user, enabling session hijack, unauthorized data access, and subsequent upload of malicious content. This zero-day vulnerability was confirmed as actively exploited in the wild prior to the April 2026 Patch Tuesday release, with exploitation activity concentrated against government, legal, and manufacturing verticals in North America and Europe. Observed post-exploitation behavior includes web-shell deployment (spinstall.aspx variants), credential harvesting from the SharePoint hive, and pivoting to the SQL backend via integrated Windows authentication. Threat actors have been observed chaining this spoofing vulnerability with CVE-2026-33827 (SharePoint Server RCE via deserialization in workflow engine) for full remote code execution.
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-287