Microsoft SharePoint on-premises faces a double active threat this week. The CVE-2026-32201 zero-day — a spoofing and cross-site scripting flaw requiring no authentication, patched on 14 April and added to the CISA KEV catalogue that same month — is still being actively exploited across the more than 1,300 internet-exposed SharePoint on-premises servers that have not applied the patch. And yesterday, 27 May, Microsoft published CVE-2026-45659 (CVSS 8.8), a new remote code execution flaw through deserialization of untrusted data in SharePoint that any authenticated user can exploit. With 44 days elapsed since the first patch — exactly the median remediation time the 2026 DBIR documented yesterday — the risk map is clear: unpatched SharePoint on-premises is active attack surface right now. The pattern is identical to Exchange OWA (CVE-2026-42897) on 18 May.

What do we know about the CVE-2026-32201 zero-day and the new CVE-2026-45659 RCE?

Facts documented by Microsoft, CISA, The Hacker News, SecurityWeek, Security Affairs, Computer Weekly and CybersecurityNews:

CVE-2026-32201 — Active zero-day, patch available since 14 April:

  • Vulnerability type: spoofing with cross-site scripting (XSS) through improper input validation (CWE-20) in Microsoft Office SharePoint.
  • CVSS 6.5 (Important): no authentication required, low attack complexity, no user interaction needed, remotely exploitable. The CVSS 6.5 understates the real risk: Mat Lee (Automox) warned that internet-exposed instances without the patch are vulnerable to direct external attackers.
  • Affected versions: SharePoint Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition.
  • Patch available: since 14 April 2026 (April Patch Tuesday). SharePoint SE CU3, KB5002659 for SharePoint 2016, KB5002658 for SharePoint 2019.
  • CISA KEV: added in April 2026. Deadline for US federal agencies: 28 April 2026 (already passed).
  • Active exploitation confirmed: Microsoft confirmed real-world attacks. Microsoft Threat Intelligence telemetry documents exploitation beginning at least seven days before the April advisory.
  • Exposure scale: over 1,300 SharePoint on-premises servers with direct internet exposure identified globally. Financial organisations are the highest-risk target.
  • Technical impact: malicious scripts executed in the browser of any user visiting a compromised SharePoint page — session token theft, authentication cookie theft, malicious redirects and access to internal documents.

CVE-2026-45659 — New RCE published yesterday 27 May:

  • Vulnerability type: remote code execution through deserialization of untrusted data in Microsoft Office SharePoint.
  • CVSS 8.8 (Important): requires authentication, but any user with an account in the organisation can exploit it. No administrator privileges required.
  • Affected versions: SharePoint Server 2016, 2019 and Subscription Edition.
  • Patch available: published in May 2026 Patch Tuesday, yesterday 27 May.
  • Microsoft’s assessment: exploitation “less likely.” Security Affairs warns that given SharePoint’s history — with a dozen serious CVEs in the past three years — that assessment deserves scepticism and the patch should be applied as an emergency.

Why SharePoint on-premises is a permanent first-order target

SharePoint is not just an intranet. It is the central repository for corporate documents, contracts, financial reports, internal communications and workflows for thousands of Spanish organisations. Compromising SharePoint does not mean accessing a server: it means accessing the entire organisation’s operational knowledge. Four factors explain why it is a recurring target:

  1. Maximum sensitive information density in a single system. SharePoint is where an organisation’s most protected documents live: contracts, board minutes, strategic plans, shared access credentials, compliance templates and client data. A SharePoint compromise is equivalent to exfiltrating the company’s most valuable information assets.
  2. Direct internet exposure in on-premises environments. Many organisations keep SharePoint accessible from the internet to facilitate remote work — without a WAF, without an inspecting reverse proxy, directly exposed. The 1,300+ servers identified globally are the visible tip of the problem.
  3. Deep integration with Active Directory and the Microsoft ecosystem. SharePoint authenticates against Active Directory and integrates with Exchange, Teams and OneDrive. A SharePoint compromise is an entry point to the rest of the corporate Microsoft ecosystem.
  4. History of documented mass exploitation. CVE-2026-32201 is the third critical pre-authentication flaw in SharePoint disclosed in twelve months. CISA’s KEV catalogue already lists a dozen actively exploited SharePoint CVEs over the past three years. The pattern is systematic.

How the attack works: from XSS to session hijacking and RCE

Vector 1 — CVE-2026-32201 (XSS / Spoofing, no authentication):

  1. The attacker identifies internet-accessible SharePoint on-premises servers (Shodan, Censys — over 1,300 identified globally).
  2. Sends a specially crafted request to SharePoint Server exploiting CVE-2026-32201: improper input validation in SharePoint page fields allows injection of malicious scripts that will execute in the browser of any user who accesses that page.
  3. The malicious script executes in the context of the user’s authenticated SharePoint session: steals session cookies, NTLM authentication tokens, accesses the user’s documents and folders, or redirects the user to internal phishing pages.
  4. With the stolen tokens, the attacker can access SharePoint as the compromised user’s identity, including all their permissions over libraries, lists and SharePoint sites.

Vector 2 — CVE-2026-45659 (RCE via deserialization, authenticated user):

  1. An attacker with a valid user account in the organisation (including minimum-privilege accounts such as a base employee or service account) sends specially crafted data to the affected SharePoint endpoint.
  2. SharePoint deserializes the data without sufficient validation, allowing the attacker to execute arbitrary code on the SharePoint server with the SharePoint process’s permissions.
  3. With code execution on the server, the attacker can move laterally to other internal network systems, exfiltrate the entire SharePoint content, or establish persistence on the server.

Combined maximum-risk scenario: an external attacker exploits CVE-2026-32201 to steal an employee’s credentials, gains authenticated access to the SharePoint environment, and uses those credentials to exploit CVE-2026-45659 and obtain code execution on the server. Two CVEs, complete server access.

Key lessons and mitigation checklist: what your team must do right now

Step 1 — Verify versions and exposure (immediate):

  • Confirm which SharePoint Server on-premises versions the organisation runs (2016, 2019 or SE). All are affected by both CVEs.
  • Verify whether SharePoint is directly internet-accessible (port 443). Exposed servers are the attackers’ priority target.
  • Check whether the April patch (CVE-2026-32201) has been applied: SharePoint SE CU3, KB5002659 for SharePoint 2016, KB5002658 for SharePoint 2019.

Step 2 — Apply both patches as an emergency:

  • CVE-2026-32201 (April patch): if not yet applied, this is urgent: it has been available for 44 days and active exploitation is confirmed. SharePoint SE CU3 / KB5002659 (2016) / KB5002658 (2019).
  • CVE-2026-45659 (May patch, published yesterday): apply the May 2026 Patch Tuesday as soon as the maintenance window allows. Given SharePoint’s history and the CVSS 8.8, do not wait for the usual monthly cycle.

Step 3 — Reduce exposure surface while patching:

  • If SharePoint is directly internet-exposed without a WAF, consider restricting access via VPN or zero-trust network access until both patches are applied.
  • If a WAF or reverse proxy sits in front of SharePoint, verify it has active rules filtering request patterns associated with CVE-2026-32201 (XSS via unsanitised input in page fields).

Step 4 — Monitor for prior exploitation:

  • Review SharePoint’s IIS logs from the past 44 days (since CVE-2026-32201 disclosure) for requests with JavaScript payloads in page parameters, unusual headers or deserialization patterns.
  • Review SharePoint audit logs for unauthorised access to critical document libraries or unauthorised permission changes.
  • Look for user accounts with abnormal activity: off-hours access, unusual document download volumes, site configuration changes.

Step 5 — Continuous patching plan for SharePoint:

  • SharePoint is the third critical pre-authentication CVE in twelve months. Establish a SharePoint-specific patching cycle that does not depend on the organisation’s general maintenance cycle: SharePoint CVEs have a history of being weaponised rapidly.

Cybersecurity as a strategic priority

This week’s pattern is the same one the 2026 DBIR documented yesterday: organisations take a median 43 days to patch, and CVE-2026-32201 has had a patch available for exactly 44 days. The pattern is the same as Exchange OWA 10 days ago: Microsoft on-premises platform, patch available but not applied across thousands of instances, active exploitation confirmed.

For Spanish organisations running SharePoint on-premises — mid-sized businesses, professional firms, public administrations and financial institutions that have not migrated to SharePoint Online — today’s question is direct: is the April patch applied? And if the answer is no, those 44 days are the window during which attackers have been active.

Apolo Cybersecurity: SharePoint on-premises protection and response to active Microsoft vulnerabilities

At Apolo Cybersecurity we help organisations running SharePoint on-premises verify the patching status of CVE-2026-32201 and CVE-2026-45659, implement exposure mitigations while patches are applied, review SharePoint logs for prior exploitation, audit permissions and anomalous access in critical document libraries, and establish accelerated patching plans for high-risk Microsoft on-premises platforms.

If your organisation runs SharePoint Server on-premises and you have no confirmation that the April patch is applied, this Thursday morning is the time to verify it. The 44-day active window has already passed.

__wf_reserved_inherit
Prev Post
Next Post

Any questions?
We're happy to help!

CONTACT US TODAY!
info@apolocybersecurity.com
Responsable: Apolo Analytics S.L.
Finalidad: Responder a tu mensaje y almacenaje en base de datos para gestionar tu solicitud.
Legitimación: Consentimiento del interesado al enviar el formulario.
Destinatarios: No se cederán datos a terceros, salvo obligación legal.
Derechos: Puedes ejercer tus derechos de acceso, rectificación y supresión, entre otros, enviando un correo a secretaria@apolocybersecurity.Com.
Información adicional: Puedes consultar la información completa en nuestra Política de Privacidad.

¡Gracias !

Su mensaje a sido recibido correctamente.
Oops! Algo a ido mal a la jora de enviar el formulario.
te esperamos!
Schedule a call
Project photo
Send us an email
Project photo
+34 937948378
Project photo
Carrer 27 del BZ, 10–16, Sector BZ Zona Franca, 08040 Barcelona
Project photo
FAQScontactTERMS AND CONDITIONSWork with Us
Accelerated by:
Certifications:
Light Eyes is part of Apolo Cybersecurity
LEGAL NOTICEPRIVACY POLICYCookiesinformation security policy
Privacy Settings
Copyright © 2025 Apollo Cybersecurity