This article breaks down CVE-2026-32201, a zero-day spoofing vulnerability in Microsoft SharePoint Server. You’ll learn how the flaw works, why “spoofing” is more dangerous than it sounds, and what your team needs to do right now if on-premises SharePoint is part of your environment.
Most organisations know patches exist. The challenge is rarely awareness; it's managing change, testing updates, and finding the resources to deploy them. Attackers don't wait for change freeze calendars.
CVE-2026-32201 is a spoofing vulnerability in Microsoft Office SharePoint, rooted in improper input validation (CWE-20). It allows an unauthenticated attacker to perform spoofing attacks remotely over the network.
Important clarification: this vulnerability affects on-premises SharePoint deployments only. It does not impact SharePoint Online within Microsoft 365. If your organisation runs SharePoint exclusively through Microsoft 365, you are not affected. If your organisation runs SharePoint Server on premises (even in a hybrid Microsoft 365 environment), this vulnerability still applies.
Affected versions are SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
It carries a CVSS score of 6.5 – technically a “Medium” severity rather than “Critical”. However, because this vulnerability is exploitable over the internet and requires no credentials or user validation, it is worth prioritising.
Why This Matters
SharePoint remains deeply embedded in enterprise environments – often hosting sensitive internal documentation, approval workflows, HR records, and collaboration data that organisations depend on daily.
Vulnerabilities in platforms like this are particularly valuable to attackers because they don’t just expose data. They abuse trust. When a spoofed resource appears to originate from an organisation’s own SharePoint environment, users are far more likely to trust and interact with it. In these scenarios, attackers are exploiting the familiarity and legitimacy associated with a platform employees rely on every day.
How Does It Work?
The root cause is straightforward: SharePoint isn’t sufficiently validating inputs before using them to generate or display trusted content.
An attacker sends a specially crafted request to a publicly accessible SharePoint endpoint. Because the server processes it without proper checks, the output can be made to appear as though it originated from a trusted internal source – spoofing list views, document metadata, or authentication prompts.
The attack unfolds like this:
1. The attacker identifies an internet-exposed SharePoint server running a vulnerable version.
2. A malicious HTTP request is crafted and sent; no credentials are needed.
3. The server processes the input without adequate validation.
4. SharePoint returns content that appears to come from a trusted internal source.
5. The attacker can view sensitive metadata or alter what legitimate users see.
6. Exploitation then chains into social engineering – spoofed links delivered via email or internal messaging to authenticated users.
Caption: Example attack flow showing how CVE-2026-32201 can be exploited to generate trusted-looking SharePoint content and support follow-on attacks.
The combination of remote exploitation, low attack complexity, and trusted platform impersonation makes this type of vulnerability particularly attractive to threat actors operating at scale.
In The Wild
Microsoft confirmed CVE-2026-32201 was exploited in attacks before a patch was available – the same day patches dropped, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog and ordered all Federal Civilian Executive Branch agencies to patch by April 28 – a two-week window. The accelerated remediation timeline reflects the severity of the vulnerability and the level of concern around active exploitation.
According to scanning data from the Shadowserver Foundation, over 1,370 internet-facing SharePoint servers remained unpatched as of April 22 – down from a peak of approximately 1,745 a week earlier. The US and Germany were identified as the most widely exposed countries.
Mitigation Strategies
1. Patch immediately
Microsoft has released fixes for all affected versions:
KB5002853 – SharePoint Server Subscription Edition
If your organisation operates a scheduled patching cycle, this warrants an exception. CISA’s KEV listing makes the urgency explicit.
2. Restrict external access
If SharePoint is internet-facing without VPN enforcement, that’s the immediate priority. Place it behind a VPN or Zero Trust Network Access (ZTNA) gateway. Shrink the attack surface before the patch can be tested and deployed.
3. Deploy a Web Application Firewall
A WAF configured to inspect and block malformed HTTP requests adds a meaningful layer against the request patterns this vulnerability exploits. Azure WAF and Microsoft security tooling can help detect or block malformed SharePoint HTTP traffic patterns associated with this vulnerability.
4. Enable enhanced logging
Turn on detailed SharePoint Unified Logging Service (ULS) logging and route logs to your Security Information and Event Management (SIEM). If you’re running Microsoft Sentinel, out-of-the-box SharePoint anomaly detection rules are worth enabling. See the Detection Opportunities section below for what to look for.
5. Enforce least privilege
Review permissions across your SharePoint environment and rotate credentials where appropriate. If spoofing is used as a stepping stone, the blast radius is directly proportional to how broadly access has been granted.
6. Audit for pre-patch exploitation
Patching now doesn’t mean you weren’t hit before April 14. Review SharePoint access logs from the weeks prior – look for unexpected external requests to document library, list, and layout endpoints from unfamiliar IP ranges.
Detection Opportunities
For IT and security teams monitoring on-premises or hybrid SharePoint environments, the following patterns warrant investigation:
Abnormal query string manipulation in SharePoint requests
Unexpected SharePoint authentication prompts surfacing for existing authenticated users
Large spikes in external SharePoint request volume with no corresponding business activity
SharePoint activity alerts followed closely by identity-related alerts (credential access, unusual sign-in locations)
Reviewing SharePoint activity alongside identity and network telemetry will provide the clearest indication of whether exploitation attempts have occurred within your environment.
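The log review in mitigation step 6 and the first three detection patterns above can be turned into a simple triage pass over the IIS W3C logs that an on-premises SharePoint server writes. The script below is an added example written for this article, not Stripe OLT's or Microsoft's tooling; the log lines are constructed, the internal address ranges and the list of watched endpoint families are assumptions to adjust for your own estate, and it is a starting point for investigation rather than proof of exploitation.

```python
import ipaddress
from collections import Counter
from urllib.parse import unquote

# Constructed sample IIS W3C log excerpt (on-prem SharePoint sits on IIS); not real traffic.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-04-10 09:12:01 10.0.0.5 GET /sites/hr/_layouts/15/start.aspx - 10.0.4.22 200
2026-04-10 09:12:07 10.0.0.5 GET /sites/hr/Lists/Onboarding/AllItems.aspx - 10.0.4.22 200
2026-04-10 22:41:13 10.0.0.5 GET /_layouts/15/listform.aspx ListId=%7B1%7D%3Cscript%3E 203.0.113.45 200
2026-04-10 22:41:20 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 203.0.113.45 401
2026-04-10 22:41:22 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 203.0.113.45 401
"""
# Assumed internal address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Endpoint families the article says to review: document libraries, lists and layouts pages.
WATCHED_PATHS = ("/_layouts/", "/lists/", "/shared documents/")
# Characters that have no business in an ordinary SharePoint query string.
SUSPICIOUS_QUERY_CHARS = ("<", ">", '"', "javascript:")

def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client address: treat as untrusted
    return any(addr in net for net in INTERNAL_NETS)

def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def flag_request(rec: dict) -> list:
    """Return the reasons a request warrants investigation (empty list if none)."""
    reasons = []
    stem = unquote(rec["cs-uri-stem"]).lower()
    query = unquote(rec.get("cs-uri-query", "-")).lower()
    if not is_internal(rec["c-ip"]) and any(p in stem for p in WATCHED_PATHS):
        reasons.append("external request to list/library/layout endpoint")
    if query != "-" and any(c in query for c in SUSPICIOUS_QUERY_CHARS):
        reasons.append("abnormal query string")
    return reasons

def triage(text: str):
    """Return flagged (record, reasons) pairs and a per-source-IP count of flagged requests."""
    flagged = [(r, flag_request(r)) for r in parse_w3c(text)]
    flagged = [(r, why) for r, why in flagged if why]
    return flagged, Counter(r["c-ip"] for r, _ in flagged)
```

The per-IP counter is what makes the "spike in external request volume" pattern visible; correlate the flagged source addresses with sign-in and identity alerts from the same window.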
Broader Takeaway
CVE-2026-32201 serves as a reminder that vulnerability management is ultimately about risk, not just severity ratings.
While vulnerability scores provide a useful starting point for prioritisation, they don’t always reflect how attractive a target may be to attackers in the real world. Factors such as internet exposure, ease of exploitation, the level of trust users place in a platform, and active attacker interest can significantly increase operational risk.
This is where CVSS scoring can sometimes create blind spots. Although CVE-2026-32201 was assigned a CVSS score of 6.5, it required no privileges, no user interaction, and was actively exploited before a patch became available. The framework measures technical characteristics and potential impact, but it does not fully account for factors such as platform exposure, attacker behaviour, or how widely a technology is deployed within enterprise environments.
In the case of CVE-2026-32201, the combination of low attack complexity, remote accessibility, and trusted platform impersonation significantly increased the operational risk beyond what the score alone may initially suggest.
Spoofing vulnerabilities in collaboration platforms are particularly attractive to attackers because they exploit existing user trust in familiar business tools. For example, a spoofed SharePoint or Google Workspace page is unlikely to appear suspicious to most users, especially within environments where these applications form part of daily operational workflows.
The 1,370 unpatched servers in this instance aren’t a failure of awareness. Most of those organisations know the patch exists. The failure is internal operations – change management friction, testing cycles, resource constraints.
Attackers don’t have change freeze calendars.
The broader pattern here is worth watching. Attackers are increasingly focused on widely deployed enterprise platforms that move slowly through patching cycles. Any on-premises collaboration or document management platform that’s internet-accessible and slow to patch is carrying the same fundamental risk profile.
Want to understand how vulnerabilities like this fit into your wider threat landscape? Stripe OLT’s threat intelligence and SOC services help organisations move from reactive patching to proactive defence. Speak to our team to find out more.