Back to Intelligence

CVE-2026-32201: Microsoft SharePoint Zero-Day — Detection and Emergency Patching Guide

SA
Security Arsenal Team
April 15, 2026
5 min read

Introduction

Microsoft's April 2026 Patch Tuesday is a significant event, releasing security updates for 165 vulnerabilities. While the volume is high, the priority for defenders is laser-focused on one specific threat: CVE-2026-32201.

This critical vulnerability in Microsoft SharePoint Server has been confirmed as actively exploited in the wild prior to the availability of a patch. For organizations running on-premises SharePoint servers, this is not a hypothetical risk—it is an active intrusion campaign. The vulnerability allows remote attackers to execute code on the affected server, potentially leading to full system compromise, data exfiltration, and lateral movement into the broader corporate network. Immediate remediation is required to secure your collaboration infrastructure.

Technical Analysis

  • Affected Products: Microsoft SharePoint Server (2019, 2022, Subscription Edition).
  • CVE Identifier: CVE-2026-32201.
  • Severity: Critical (CVSS estimates likely 8.8+ due to remote exploitation capabilities).
  • Vulnerability Type: Remote Code Execution (RCE).
  • Mechanism: The vulnerability exists in how SharePoint handles specific serialized object requests or maliciously crafted API calls. An authenticated attacker (or potentially unauthenticated, depending on configuration) can send a specially crafted request to the SharePoint server. This request triggers the vulnerability, allowing the attacker to execute arbitrary code with the privileges of the SharePoint application pool account (typically WSS_WPG or similar service account).
  • Exploitation Status: CONFIRMED ACTIVE EXPLOITATION. Microsoft and threat intelligence indicate that this vulnerability is being used in real-world attacks to drop web shells or malware onto vulnerable servers.

Detection & Response

Given the active exploitation status, security teams must assume that compromise may have already occurred. Detection efforts should focus on identifying web shell activity and unusual process spawning patterns initiated by the SharePoint Internet Information Services (IIS) worker process.

SIGMA Rules

YAML
---
title: SharePoint Suspicious Child Process - CVE-2026-32201
id: 8a4b3c2d-1e9f-4a5b-8c6d-9e0f1a2b3c4d
status: experimental
description: Detects suspicious command-line utilities spawned by the SharePoint IIS worker process (w3wp.exe), indicative of web shell activity or exploitation of CVE-2026-32201.
references:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.execution
  - attack.t1059.001
  - attack.web_shell
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\w3wp.exe'
    ParentCommandLine|contains: '\Microsoft SharePoint Foundation\'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cscript.exe'
      - '\wscript.exe'
  filter:
    User|contains: 'ADM' # Filter out specific admin accounts if strictly necessary, but use caution
condition: selection and not filter
falsepositives:
  - Legitimate administrative debugging (rare in production)
level: critical
---
title: SharePoint File Write Anomaly
id: 1b5c4d3e-2f0a-5b6c-7d8e-9f0a1b2c3d4e
status: experimental
description: Detects creation of executable or script files within SharePoint web roots, a common tactic for persistence after RCE.
references:
  - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: file_create
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\inetpub\wwwroot\'
      - '\wss\VirtualDirectories\'
    TargetFilename|endswith:
      - '.aspx'
      - '.ashx'
      - '.asmx'
      - '.asp'
      - '.config'
  filter_legit:
    Image|endswith: '\msdeploy.exe' # Exclude legitimate deployment tools
  condition: selection and not filter_legit
falsepositives:
  - Legitimate application deployment or updates
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious processes spawned by SharePoint IIS Worker Process
DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where InitiatingProcessCommandLine has "SharePoint"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, SHA256
| extend FullURL = parse_url(ProcessCommandLine)

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious processes spawned by w3wp.exe indicating potential web shell execution
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, Parent.Pid AS ParentPid, Parent.Name AS ParentName, Parent.CommandLine AS ParentCmd
FROM pslist()
WHERE Parent.Name =~ "w3wp.exe"
  AND Name =~ "cmd|powershell|pwsh|wscript|cscript"
  AND NOT (Exe =~ "C:\\Windows\\System32\\*")

Remediation Script (PowerShell)

PowerShell
# Check for April 2026 SharePoint Updates
# Note: Replace KB numbers below with specific KBs for SharePoint versions 2019/2022/Subscription when released by Microsoft

$ExpectedKBs = @("501XXXX", "501XXXX", "501XXXX") # Placeholder for actual April 2026 KBs
$SharePointInstalled = Get-HotFix | Where-Object { $_.Description -like "*SharePoint*" -or $_.HotFixID -in $ExpectedKBs }

if ($SharePointInstalled) {
    Write-Host "[+] SharePoint Security Updates for April 2026 appear to be installed." -ForegroundColor Green
    $SharePointInstalled | Format-Table HotFixID, InstalledOn
} else {
    Write-Host "[!] CRITICAL: April 2026 SharePoint Security Updates (CVE-2026-32201) NOT detected." -ForegroundColor Red
    Write-Host "[!] Apply patches immediately via Windows Update or Microsoft Update Catalog."
}

# Optional: Check for suspicious recent process creation by w3wp
$SuspiciousEvents = Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4688)]][EventData[Data[@Name='ParentProcessName']='C:\Windows\System32\inetsrv\w3wp.exe'] and Data[@Name='NewProcessName']='*\\cmd.exe' or Data[@Name='NewProcessName']='*\\powershell.exe']" -ErrorAction SilentlyContinue -MaxEvents 10

if ($SuspiciousEvents) {
    Write-Host "[!] WARNING: Detected recent suspicious command execution by w3wp.exe. Investigate potential compromise." -ForegroundColor Red
}

Remediation

  1. Patch Immediately: Apply the April 2026 Security Update for Microsoft SharePoint Server. Do not wait for the next monthly cycle.
  2. Review Vendor Advisory: Review Microsoft Security Advisory CVE-2026-32201 for the specific KB articles relevant to your SharePoint version (2019, 2022, or Subscription Edition).
  3. Network Segmentation: If immediate patching is not possible, restrict external access to SharePoint servers from the internet via firewall rules or enforce strict VPN/MFA requirements for all access.
  4. Web Application Firewall (WAF): Update WAF signatures to detect known exploit patterns targeting SharePoint deserialization or API endpoints.
  5. Audit for Compromise: Assume that unpatched servers may already be compromised. Run the detection scripts above and review IIS logs for unusual POST requests to /_vti_bin or other API endpoints during the exploitation window.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosuremicrosoftcve-2026-32201sharepoint

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action