Microsoft SharePoint Zero-Day Vulnerability (CVE-2026-32201) Under Active Exploitation
On April 14, 2026, Microsoft confirmed the active exploitation of a critical zero-day spoofing vulnerability in SharePoint Server, addressed in its monthly security update. Tracked as CVE-2026-32201, the flaw affects multiple SharePoint Server versions and carries a CVSS base score of 6.5 (Important), with a temporal score of 6.0 following the release of an official patch.
The vulnerability stems from improper input validation (CWE-20) in Microsoft Office SharePoint, enabling unauthenticated remote attackers to conduct spoofing attacks over a network. Independent researcher Ronald Lovelace (Cloudy_Day) highlighted systemic issues in Microsoft’s content delivery network (CDN) architecture, linking the flaw to unmitigated misconfigurations first reported in July 2024. Despite CERT’s engagement with Microsoft in January 2025, proof-of-concept files were removed from the Microsoft Security Response Center (MSRC) but remained accessible via obscure portal routes, suggesting concealment rather than resolution.
Lovelace’s findings indicate broader risks, including GitHub OAuth flow misconfigurations that expose admin panels, configurations, and unpublished content due to misrouted fallback behavior in Microsoft’s CDN layers. Variations in headers or query parameters can bypass existing protections, posing national security concerns. The issue reflects a pattern of persistent, unaddressed delivery architecture flaws affecting multiple agencies and third-party services.
Microsoft has not publicly acknowledged the full scope of the CDN-related risks, despite ongoing exploitation. The vulnerability underscores long-standing security gaps in enterprise collaboration platforms.
Source: https://www.linkedin.com/feed/update/urn:li:activity:7450008423682801664
Microsoft_SharePoint cybersecurity rating report: https://www.rankiteo.com/company/microsoft_sharepoint
"id": "MIC1776227043",
"linkid": "microsoft_sharepoint",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Multiple agencies and '
'third-party services',
'industry': 'Software & IT Services',
'name': 'Microsoft',
'type': 'Technology Corporation'}],
'attack_vector': 'Network',
'data_breach': {'sensitivity_of_data': 'High (potential national security '
'concerns)',
'type_of_data_compromised': 'Admin panels, configurations, '
'unpublished content'},
'date_publicly_disclosed': '2026-04-14',
'description': 'On April 14, 2026, Microsoft confirmed the active '
'exploitation of a critical zero-day spoofing vulnerability in '
'SharePoint Server, tracked as CVE-2026-32201. The flaw '
'affects multiple SharePoint Server versions and stems from '
'improper input validation (CWE-20), enabling unauthenticated '
'remote attackers to conduct spoofing attacks. The '
'vulnerability is linked to unmitigated misconfigurations in '
'Microsoft’s content delivery network (CDN) architecture, '
'first reported in July 2024. Despite CERT’s engagement, '
'proof-of-concept files remained accessible, suggesting '
'concealment. Broader risks include GitHub OAuth flow '
'misconfigurations exposing admin panels and unpublished '
'content due to misrouted fallback behavior in Microsoft’s CDN '
'layers.',
'impact': {'brand_reputation_impact': 'Potential national security concerns, '
'systemic security gaps',
'operational_impact': 'Spoofing attacks, exposure of admin panels '
'and unpublished content',
'systems_affected': 'Microsoft SharePoint Server'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Persistent unaddressed delivery architecture flaws in '
'enterprise collaboration platforms pose systemic risks. '
'Misconfigurations in CDN and OAuth flows require '
'proactive mitigation.',
'post_incident_analysis': {'corrective_actions': 'Patch deployment, CDN and '
'OAuth configuration audits, '
'enhanced monitoring',
'root_causes': 'Improper input validation '
'(CWE-20), unmitigated CDN '
'misconfigurations, GitHub OAuth '
'flow misconfigurations'},
'recommendations': 'Immediate patch deployment for CVE-2026-32201. Audit and '
'secure CDN and OAuth configurations. Enhance monitoring '
'for spoofing and unauthorized access attempts.',
'references': [{'source': 'Microsoft Security Update'},
{'source': 'Research by Ronald Lovelace (Cloudy_Day)'},
{'source': 'CERT Engagement with Microsoft (January 2025)'}],
'response': {'containment_measures': 'Official patch released in April 2026 '
'security update',
'remediation_measures': 'Patch deployment for CVE-2026-32201'},
'title': 'Microsoft SharePoint Zero-Day Vulnerability (CVE-2026-32201) Under '
'Active Exploitation',
'type': 'Zero-Day Vulnerability',
'vulnerability_exploited': 'CVE-2026-32201 (Improper Input Validation - '
'CWE-20)'}