TT-CSIRT-454.17.04.26: Microsoft SharePoint Server Zero-Day Spoofing Vulnerability (CVE-2026-32201)
Severity: Medium (Elevated due to active exploitation)

Overview:
A zero-day vulnerability in Microsoft SharePoint Server allows attackers to perform spoofing attacks due to improper input validation. The vulnerability is actively being exploited and can allow unauthorized access to SharePoint environments.

Affected Systems:
- Microsoft SharePoint Server
- SharePoint Server 2016
- SharePoint Server 2019
- SharePoint Subscription Edition

Description:
A spoofing vulnerability, tracked as CVE-2026-32201, exists in Microsoft SharePoint Server due to improper validation of user-supplied input. This weakness allows attackers to craft malicious requests that bypass trust mechanisms and impersonate legitimate users or services.

Successful exploitation does not require authentication and can be performed remotely. Attackers may leverage this vulnerability to gain unauthorized access to SharePoint resources, manipulate sensitive data, or facilitate further compromise within enterprise environments.

Although the vulnerability has a CVSS score of 6.5 (Medium), its active exploitation in the wild significantly increases the associated risk.

Recommendations:

Immediate Update:
- Apply Microsoft security updates addressing CVE-2026-32201 immediately via the Microsoft Security Update Guide

Access Restrictions:
- Limit external access to SharePoint services where possible
- Restrict exposure of internet-facing instances

Monitoring and Detection:
- Monitor logs for suspicious authentication attempts and anomalous requests
- Investigate unusual access patterns or identity misuse

Security Hardening:
- Implement Web Application Firewall (WAF) protections
- Enforce Multi-Factor Authentication (MFA) across all users
- Apply least privilege access controls

Exploitation Details:
The vulnerability is associated with CWE-20 Improper Input Validation, where insufficient validation of input allows attackers to manipulate request data.

Attackers can exploit this flaw by crafting malicious network requests that bypass authentication and trust boundaries, enabling spoofing of legitimate users or services. This may be used as an entry point for further exploitation, including lateral movement within enterprise environments.

References:
- Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide/
- https://nvd.nist.gov/vuln/detail/CVE-2026-32201
- https://foresiet.com/blog/sharepoint-server-spoofing-vulnerability-cve-2026-32201/

Contact Information:
If you have any queries, comments or require assistance, please feel free to contact the TT-CSIRT via contacts@ttcsirt.gov.tt

Additional Information:
- Organizations should prioritize patching due to active exploitation
- Review SharePoint exposure and ensure systems are not unnecessarily internet-facing
- Maintain regular patch management and vulnerability assessment processes
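The Monitoring and Detection recommendation can be started from the IIS logs of the SharePoint web front ends. The script below is an added example, not part of the TT-CSIRT advisory or any Microsoft tooling: the advisory publishes no request signature for CVE-2026-32201, so this is a general triage heuristic that lists requests which succeeded with no authenticated user, from a non-internal address, on SharePoint application paths. It assumes anonymous access is disabled on the site, that the log is in W3C extended format with the fields shown, and that the internal ranges and path prefixes (both chosen for illustration) match your environment.

```python
import ipaddress

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-04-17 09:00:01 GET /_api/web/lists - 10.0.4.21 401
2026-04-17 09:00:01 GET /_api/web/lists CORP\\alice 10.0.4.21 200
2026-04-17 09:02:13 POST /_layouts/15/start.aspx - 203.0.113.50 200
2026-04-17 09:02:14 GET /_api/web/currentuser - 203.0.113.50 200
2026-04-17 09:03:40 GET /sites/hr/Shared%20Documents/a.docx - 198.51.100.7 401
2026-04-17 09:05:02 GET /_vti_bin/client.svc CORP\\bob 203.0.113.9 200
"""

# Assumptions: paths expected to require a signed-in user, and internal ranges.
APP_PREFIXES = ("/_api/", "/_layouts/", "/_vti_bin/")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable client address is treated as external
    return any(addr in net for net in INTERNAL_NETS)


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def anonymous_successes(text):
    """Requests that succeeded on an application path with no user, from outside."""
    hits = []
    for r in parse_w3c(text):
        if (r["cs-username"] == "-"
                and r["sc-status"].startswith("2")
                and r["cs-uri-stem"].lower().startswith(APP_PREFIXES)
                and not is_internal(r["c-ip"])):
            hits.append((r["date"], r["time"], r["c-ip"], r["cs-method"], r["cs-uri-stem"]))
    return hits
```

With integrated authentication, the first unauthenticated request normally receives a 401 and no user name, so a 2xx response with `cs-username` of `-` is the row worth investigating. Hits are leads for review against patch status and exposure, not confirmation of exploitation.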