# CVE-2026-32201

> An improper authentication vulnerability in Microsoft SharePoint Server allows an unauthenticated remote attacker to craft a forged request that impersonates an authenticated user, enabling session hijack, unauthorized data access, and subsequent upload of malicious content. This zero-day vulnerability was confirmed as actively exploited in the wild prior to the April 2026 Patch Tuesday release, with exploitation activity concentrated against government, legal, and manufacturing verticals in North America and Europe. Observed post-exploitation behavior includes web-shell deployment (spinstall.

- **CVSS:** 8.8 (HIGH)
- **EPSS:** 8.9%
- **CISA KEV:** yes
- **CWE:** CWE-287

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-32201
