Vulnerability Analysis

CVE-2026-32201: Microsoft SharePoint Zero-Day Actively Exploited — What It Is & How to Fix It

Executive Summary

CVE-2026-32201 is a spoofing vulnerability in Microsoft SharePoint Server caused by improper input validation of HTTP request parameters. It was exploited as a zero-day in targeted attacks against organizations before Microsoft patched it on April 14, 2026 (Patch Tuesday). CISA has added it to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of April 28, 2026 — all organizations running on-premises SharePoint should treat this as an emergency patch.

1. What Is This Vulnerability?

At its core, CVE-2026-32201 is an improper input validation flaw (CWE-20) in the request-handling layer of Microsoft SharePoint Server. SharePoint's list views, document metadata rendering, and resource-identifier endpoints accept user-supplied parameters — things like column filters, view IDs, or redirect targets — and in vulnerable versions these parameters are not sufficiently sanitized before being used in server-generated output or internal resource lookups.

An attacker can craft an HTTP request containing malformed or manipulated query strings, headers, or form fields. Because SharePoint trusts and reflects this input without proper validation, the attacker can make the server present spoofed content: fabricated document metadata, fake authentication prompts, or manipulated list views that appear to come from a legitimate SharePoint resource.

The flaw requires no authentication, no elevated privileges, and no victim interaction, which places its real-world exploitability far above what its CVSS 6.5 "Medium" rating suggests.

Attack Vector

Attacker → Crafted HTTP GET/POST request → SharePoint endpoint
           (manipulated query string, header, or form field)
                          ↓
           Insufficient input validation in request handler
                          ↓
           Spoofed content reflected in server response
           (fake auth prompt / tampered document view / 
            manipulated redirect)

A simplified example of the attack targeting a SharePoint list endpoint:

GET /sites/Finance/_layouts/15/listview.aspx?List={guid}&View=
    ../../../../_layouts/15/settings.aspx%3FSource%3Dhttp%3A%2F%2Fattacker.com
    &Source=http://attacker.com/fakeprompt
Host: sharepoint.contoso.com

In vulnerable builds, the Source or View parameter is consumed without strict whitelist validation, allowing the server response to redirect users to attacker-controlled pages or render attacker-crafted content inside the legitimate SharePoint frame.

Real-World Impact

Active exploitation was documented in the wild before the April 14 patch. Observed attack patterns include:

  • Credential harvesting: Victims browsing SharePoint are served spoofed login prompts that capture corporate credentials.
  • Document tampering: Spoofed metadata presented alongside real documents misleads employees about file origin, confidentiality classification, or approval status.
  • Phishing amplification: Legitimate SharePoint URLs containing crafted parameters are included in phishing emails, lending credibility to the attack because the domain is trusted.
  • Foothold expansion: Once credentials are harvested, attackers pivot to email, Teams, and Azure AD environments.

SecurityWeek and BleepingComputer confirmed ongoing automated scanning for vulnerable SharePoint instances beginning before the public patch.

2. Who Is Affected?

Product Vulnerable Versions
SharePoint Server 2016 All builds prior to the April 2026 cumulative update
SharePoint Server 2019 All builds prior to the April 2026 cumulative update
SharePoint Subscription Edition All builds prior to the April 2026 security update
SharePoint Online (Microsoft 365) Not affected — Microsoft patched cloud infrastructure directly

High-risk configurations:

  • SharePoint servers directly internet-facing (no reverse proxy or WAF)
  • Organizations with externally accessible SharePoint VPN portals
  • Environments where SharePoint serves as an intranet portal with sensitive financial, HR, or compliance documents
  • Any deployment not on a current patch cycle

Not affected:

  • Microsoft 365 / SharePoint Online tenants
  • SharePoint Server 2013 (end of life, no patch — but also a separate, older codebase)

3. How to Detect It (Testing)

Manual Testing Steps

  1. Identify your SharePoint version: Navigate to /_admin/FarmServers.aspx (Central Administration) or run Get-SPFarm | Select BuildVersion in SharePoint Management Shell. Compare against the April 2026 patch build numbers listed under "How to Fix It" below.

  2. Probe the Source and redirect parameters: On a test SharePoint site (never production), send a request with an external URL in the Source parameter:

    GET /sites/test/_layouts/15/AccessDenied.aspx?Source=http://external-test-site.com

    If the server responds with an HTTP 302 redirect to the external domain or embeds external content in the response body, the endpoint is not validating redirect targets.

  3. Check View parameter handling: Attempt path traversal sequences in the View parameter on list pages:

    GET /sites/test/_layouts/15/listview.aspx?List={valid-guid}&View=../../../

    A vulnerable server may return server errors or unexpected content instead of rejecting the malformed view identifier.

  4. Review SharePoint ULS logs: Check Unified Logging Service logs at %COMMONPROGRAMFILES%\Microsoft Shared\Web server extensions\16\LOGS\ for unusual request patterns — repeated 400/500 errors on layout pages from the same source IP, or requests containing URL-encoded traversal sequences.

Automated Scanning

Tool: Nuclei (ProjectDiscovery)

# Install/update Nuclei templates
nuclei -update-templates

# Scan SharePoint instance for CVE-2026-32201
nuclei -u https://sharepoint.yourdomain.com \
       -tags cve,sharepoint \
       -severity medium,high,critical \
       -o sharepoint-scan-results.txt

Expected output for a vulnerable target: A [CVE-2026-32201] finding with matched endpoint and parameter details.

Tool: Tenable Nessus

  • Plugin ID for CVE-2026-32201 is available in the April 2026 plugin feed update.
  • Run a credentialed scan using the "Microsoft SharePoint" plugin family to confirm patch level.

Tool: Microsoft Security Compliance Toolkit / MSCT

# Check installed patch via PowerShell on the SharePoint server
Get-HotFix | Where-Object {$_.HotFixID -like "KB*"} | 
  Sort-Object InstalledOn -Descending | Select-Object -First 20

Cross-reference the KB numbers against the April 2026 cumulative update for your SharePoint version (see Section 4).

Tool: Burp Suite (manual validation)

  • Use the Repeater module to replay crafted requests with manipulated Source, View, and List parameters.
  • Look for 302 redirects to external domains or unsanitized parameter reflection in the HTML response.

Code Review Checklist (for custom SharePoint add-ins / SPFx)

  • Verify all SPUtility.Redirect() calls validate the destination URL against an allowlist of internal domains
  • Check that HttpRequest.QueryString values used in page output are HTML-encoded with SPHttpUtility.HtmlEncode()
  • Confirm redirect targets are validated against SPWebApplication.AlternateUrls or an explicit internal domain list
  • Ensure no user-supplied View GUIDs are used directly in file path constructions
  • Review any custom WebParts that accept URL parameters for reflected output

4. How to Fix It (Mitigation)

Step-by-Step Remediation

  1. Apply the April 2026 Cumulative Update — This is the definitive fix. Download from the Microsoft Update Catalog:

  2. Patch the SharePoint Language Packs — If language packs are installed, they must also be updated alongside the core server patch. Failing to patch language packs can leave servers in an inconsistent state.

  3. Run the PSConfig Wizard after patch installation to propagate the update across the farm:

    # Run on every server in the SharePoint farm
PSConfig.exe -cmd upgrade -inplace b2b -wait -cmd applicationcontent -install -cmd installfeatures -cmd secureresources -cmd services -install

    Or via the SharePoint Products Configuration Wizard GUI.

  4. Restart IIS and SharePoint services after PSConfig completes:

    iisreset /noforce
net stop SPTimerV4 && net start SPTimerV4

  5. Verify patch installation by confirming the farm build version:

    (Get-SPFarm).BuildVersion
# Expected: 16.0.17xxx.xxxxx or higher (confirm against Microsoft's April 2026 release notes)

  6. Test core SharePoint functionality — run a quick smoke test on document libraries, list views, and authentication to confirm no regressions.

Immediate Workarounds (If Patching Is Delayed)

If you cannot apply the patch immediately, apply these compensating controls:

WAF Rule — Block external redirects on SharePoint layout pages:

# Nginx (reverse proxy in front of SharePoint)
location ~* /_layouts/ {
    # Block Source parameter pointing to external domains
    if ($arg_source ~* "^https?://(?!sharepoint\.yourdomain\.com)") {
        return 403;
    }
}

# Apache mod_rewrite
RewriteCond %{QUERY_STRING} [Ss]ource=https?://(?!sharepoint\.yourdomain\.com) [NC]
RewriteRule ^/_layouts/ - [F,L]

Restrict external access — If SharePoint does not need to be publicly accessible, place it behind a VPN or restrict access to internal IP ranges at the firewall level immediately.

Configuration Hardening

Enable SharePoint's built-in HTTP referrer validation:

# Enforce referrer header validation to block cross-site request forgery
$webApp = Get-SPWebApplication "https://sharepoint.yourdomain.com"
$webApp.HttpThrottleSettings.PerformThrottle = $true
$webApp.Update()

Restrict allowed redirect domains via web.config (add to <appSettings> in SharePoint web.config):

<add key="AllowedRedirectDomains" value="sharepoint.yourdomain.com,intranet.yourdomain.com" />

5. How to Test the Fix (Validation)

Regression Test Scenarios

  • Scenario A: Apply the patch → repeat the Source=http://external-site.com test from Section 3. The server should now return a 400 Bad Request or display an "Invalid source URL" error — not a redirect.
  • Scenario B: Verify legitimate SharePoint navigation still works. A user clicking "Open in new tab" or using Back-to-Site navigation should redirect correctly to internal SharePoint URLs.
  • Scenario C: Confirm document library views, list filtering, and page rendering are unaffected by the patch.

Security Test Cases

Test Case 1: External redirect blocked

  • Precondition: April 2026 patch applied, PSConfig run
  • Steps: GET /_layouts/15/AccessDenied.aspx?Source=http://evil.example.com
  • Expected Result: HTTP 400 or sanitized error page; no redirect to external domain

Test Case 2: Traversal in View parameter rejected

  • Precondition: Patch applied
  • Steps: GET /_layouts/15/listview.aspx?List={guid}&View=../../../../etc/passwd
  • Expected Result: HTTP 400 or SharePoint "List not found" error; no path traversal content

Test Case 3: Legitimate list view still functions

  • Precondition: Patch applied
  • Steps: Navigate to a SharePoint list with a valid view GUID
  • Expected Result: List renders normally

Automated Post-Patch Validation

# Quick PowerShell validation script — run from a workstation with SharePoint access
$baseUrl = "https://sharepoint.yourdomain.com"
$testEndpoint = "$baseUrl/_layouts/15/AccessDenied.aspx?Source=http://external-redirect-test.com"

$response = Invoke-WebRequest -Uri $testEndpoint -MaximumRedirection 0 -ErrorAction SilentlyContinue
if ($response.StatusCode -eq 302 -and $response.Headers.Location -match "external-redirect-test") {
    Write-Host "⚠️  VULNERABLE: Server still redirects to external domain" -ForegroundColor Red
} else {
    Write-Host "✅  PATCHED: External redirect blocked (Status: $($response.StatusCode))" -ForegroundColor Green
}

6. Prevention & Hardening

Best Practices

  • Maintain a regular SharePoint patch cadence: Apply cumulative updates monthly, aligned with Patch Tuesday. On-premises SharePoint drifts rapidly — even one skipped update cycle can leave critical gaps.
  • Retire end-of-life versions: SharePoint 2016 reaches end of mainstream support in 2026. Begin planning migration to Subscription Edition or SharePoint Online.
  • Adopt a Zero Trust posture for SharePoint: Do not expose SharePoint directly to the internet. Place it behind an Azure Application Proxy, reverse proxy, or require VPN access for remote workers.
  • Enforce least-privilege site permissions: Limit who can access sensitive document libraries. A spoofing attack is significantly more damaging when the attacker can impersonate a user with broad access.
  • Enable Microsoft Entra ID Conditional Access for SharePoint authentication — require MFA for all access, especially from external networks.

Monitoring & Detection

Watch for these indicators of active exploitation in SharePoint ULS logs and web server access logs:

# Suspicious patterns to alert on (SIEM/log analytics query — Sentinel KQL example)
W3CIISLog
| where csUriStem contains "/_layouts/"
| where csUriQuery contains "Source=http" and csUriQuery !contains "yourdomain.com"
| where csUriQuery contains "../" or csUriQuery contains "%2F%2E%2E"
| summarize count() by cIp, csUriStem, bin(TimeGenerated, 5m)
| where count_ > 5

Additionally:

  • Alert on high volumes of 400/403 errors from a single source IP against /_layouts/ endpoints
  • Monitor for unusual outbound HTTP redirects from SharePoint servers (egress filtering)
  • Enable SharePoint audit logging at the site collection level: Site Settings → Site Collection Audit Settings → Track: Opening or downloading documents, Moving or copying items

Regular Assessment Practices

  • Monthly: Verify SharePoint build version matches the latest cumulative update.
  • Quarterly: Run a credentialed Nessus or Qualys scan against all SharePoint servers.
  • Annually: Commission an external penetration test specifically covering SharePoint web application attack surface (OWASP Top 10 + SharePoint-specific vectors).

References

Latest from the blog

See all →