Actively exploited · 3 sources verified · 4 min read
By Lyrie Threat Intelligence·4/14/2026

What happened

CISA added CVE-2026-32201 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-14, signaling confirmed exploitation in the wild [CISA KEV]. The issue is an improper input validation flaw in Microsoft SharePoint Server that enables an unauthorized attacker to perform spoofing over a network [NVD entry]. The affected product is Microsoft SharePoint Server as listed in the vulnerability record [MITRE CVE].

Under Binding Operational Directive 22-01, federal agencies are required to remediate KEV-listed issues by the specified due date; for this vulnerability the due date is 2026-04-28 [CISA KEV]. The KEV entry directs organizations to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable [CISA KEV]. The CVE classification maps to CWE-20 (Improper Input Validation), consistent with the described spoofing impact [NVD entry].

Why it matters

Spoofing attacks undermine identity and trust boundaries in systems that rely on authenticated or asserted user context, which matches the impact described for this CVE [NVD entry]. Because this vulnerability is actively exploited and now in KEV, it requires prioritized remediation across affected environments per federal direction [CISA KEV]. Because the vulnerable product is SharePoint Server, the risk concentrates on content and operations mediated by SharePoint's identity-aware services, given the spoofing capability noted in the record [MITRE CVE].

Inclusion in KEV indicates that CISA has evidence of exploitation and mandates action by a clear deadline, which translates to near-term operational exposure if systems remain unmitigated [CISA KEV]. Improper input validation (CWE-20) is a broad but serious class; when it leads to spoofing, it usually means attacker-controlled inputs can subvert identity assumptions in application flows [NVD entry].

Technical detail

The vulnerability is defined as improper input validation (CWE-20), which occurs when software does not correctly validate input before using it, enabling adversary-controlled values to influence security decisions [NVD entry]. In this case, the documented effect is spoofing by an unauthorized attacker, indicating no prior authentication is required for exploitation to trigger the impersonation outcome [CISA KEV]. The network scope of the attack means the vulnerable surface is reachable over the network, consistent with SharePoint Server's role as a web-accessible service [NVD entry].

CWE-20 vulnerabilities that result in spoofing typically stem from insufficient checks on identifiers, tokens, claims, or request parameters that feed identity-bound logic, which opens the door to misrepresentation if those values are not strictly validated [NVD entry]. The public records for this CVE do not provide version-level granularity or specific endpoint details, so defenders should anchor their posture to the confirmed active exploitation and the spoofing impact stated in KEV rather than to unverified assumptions [CISA KEV]. The MITRE record mirrors the core identifiers (CVE ID and vendor/product) without additional technical fields, reinforcing that treatment should follow vendor mitigation guidance and KEV prioritization [MITRE CVE].

Defense

  • Execute immediate remediation per KEV: apply vendor mitigations, follow BOD 22-01 guidance (including cloud contexts), or discontinue use if no mitigations are available [CISA KEV].
  • Enforce the KEV remediation deadline (2026-04-28) across all affected SharePoint Server instances to meet federal requirements and reduce exposure to ongoing exploitation [CISA KEV].
  • Treat spoofing risk as an identity integrity problem: harden controls where SharePoint relies on asserted user context, and scrutinize flows where untrusted inputs influence identity or permissions [NVD entry].
  • Heighten monitoring for anomalies consistent with spoofing: unexpected identity transitions, mismatched user contexts within a session, or irregularities around request parameters tied to identity decisions [NVD entry].
  • Prioritize exposure reduction: restrict unnecessary network access paths to SharePoint services while remediation is underway to reduce the reachable attack surface [CISA KEV].

Because public records do not enumerate fixed versions or specific mitigation steps beyond the KEV directive, organizations should track the CVE identifier and update status via the official vulnerability entries to confirm completion [NVD entry]. Where compensating controls are needed, emphasize strict input handling in any custom extensions and enforce defense-in-depth around identity assertions used by SharePoint-connected workflows [MITRE CVE].
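The monitoring bullet above names two concrete signals: an authenticated user that changes within one session, and a session that is observed from more than one client. The following script is an added illustration of how those two checks can be run over request logs; it is not Lyrie's detection code, not a Microsoft tool, and it does not target any endpoint of this CVE. The log format (timestamp, session id, client IP, user, method, path, status) and every line in SAMPLE_LOG are constructed for the example; real SharePoint or IIS logs would need their own parser in place of parse_log.

```python
"""Flag identity-context anomalies in SharePoint-style request logs.

Hypothetical detection example. The log format and all sample lines are
constructed for illustration and do not reflect a real SharePoint log schema.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed format: timestamp session_id client_ip user method path status
SAMPLE_LOG = """\
2026-04-14T10:00:01Z sess-A 198.51.100.10 CORP\\alice GET /sites/finance/ 200
2026-04-14T10:00:05Z sess-A 198.51.100.10 CORP\\alice POST /_api/web/lists 200
2026-04-14T10:00:09Z sess-A 198.51.100.10 CORP\\admin POST /_layouts/15/settings.aspx 200
2026-04-14T10:01:00Z sess-B 203.0.113.7 CORP\\bob GET /sites/hr/ 200
2026-04-14T10:01:30Z sess-B 192.0.2.44 CORP\\bob GET /sites/hr/Shared%20Documents/ 200
2026-04-14T10:02:00Z sess-C 198.51.100.20 CORP\\carol GET /sites/eng/ 200
2026-04-14T10:02:10Z sess-C 198.51.100.20 CORP\\carol GET /sites/eng/Lists/ 200
"""


@dataclass(frozen=True)
class Request:
    ts: str
    session: str
    ip: str
    user: str
    method: str
    path: str
    status: int


def parse_log(text: str) -> list[Request]:
    """Parse the constructed space-separated format, skipping malformed lines."""
    out: list[Request] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # malformed line: skip rather than abort the whole run
        ts, session, ip, user, method, path, status = parts
        out.append(Request(ts, session, ip, user, method, path, int(status)))
    return out


def find_identity_anomalies(requests: list[Request]) -> list[dict]:
    """Return one finding per session whose identity context is inconsistent.

    Two signal classes from the Defense section are implemented:
      - identity_transition: the authenticated user changes within one session
      - client_mismatch: one session is seen from more than one client address
    """
    by_session: dict[str, list[Request]] = defaultdict(list)
    for r in requests:
        by_session[r.session].append(r)

    findings: list[dict] = []
    for session, reqs in by_session.items():
        reqs.sort(key=lambda r: r.ts)  # ISO-8601 timestamps sort lexically
        # Report the first point where the user context switched so an
        # analyst can pivot to the exact request.
        for prev, cur in zip(reqs, reqs[1:]):
            if prev.user != cur.user:
                findings.append({
                    "session": session,
                    "kind": "identity_transition",
                    "from_user": prev.user,
                    "to_user": cur.user,
                    "at": cur.ts,
                    "path": cur.path,
                })
                break
        ips = {r.ip for r in reqs}
        if len(ips) > 1:
            findings.append({
                "session": session,
                "kind": "client_mismatch",
                "user": reqs[0].user,
                "ips": sorted(ips),
            })
    return findings


if __name__ == "__main__":
    for finding in find_identity_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against SAMPLE_LOG, the script reports sess-A (user switches from CORP\alice to CORP\admin mid-session) and sess-B (one session seen from two client addresses); sess-C produces nothing. Neither signal proves exploitation on its own, which is why each finding carries the session, user and path an analyst needs to confirm or dismiss it against the actual SharePoint audit trail.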

Lyrie Verdict

Spoofing vulnerabilities are attractive to automated adversaries because they short-circuit identity enforcement and can be exercised at request speed, matching the network scope outlined for this CVE [NVD entry]. Lyrie prioritizes autonomous correlation of SharePoint request metadata with identity context to flag impersonation patterns within seconds, rather than waiting on human triage, aligning with the KEV mandate for urgent action [CISA KEV]. We continuously watch for shifts in user-context semantics that contradict prior baselines during SharePoint interactions, a signal class consistent with the spoofing outcomes described in the public records [MITRE CVE]. In practice: machine-speed detection of identity anomalies on a network-reachable service compresses attacker dwell time from hours to moments, buying your patch window without handing over identity trust.

Lyrie Verdict

Automated identity-spoof detection must run at request speed. Lyrie correlates SharePoint request and identity context to surface impersonation patterns in seconds, closing the gap KEV exploitation creates.