top of page
Search

CVE-2026-32201: The SharePoint Zero-Day Hunt Huntress Should Run Tonight. KQL Inside.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 5 hours ago
  • 5 min read

May 6, 2026 · DugganUSA LLC


Microsoft patched CVE-2026-32201 in the April 8, 2026 Patch Tuesday. CISA added it to the Known Exploited Vulnerabilities catalog the same week. The federal civilian executive branch patch deadline under BOD 22-01 was April 28. As of today, BleepingComputer is reporting more than 1,300 internet-exposed SharePoint servers still vulnerable to ongoing attacks. That is the gap between "patched in the bulletin" and "patched on the box," and the gap is where this post lives.


If you run Microsoft SharePoint Server 2016, 2019, or Subscription Edition, the two URL paths your IIS logs need to be searched for tonight are /_layouts/15/start.aspx and /_layouts/15/notify.aspx. Those are the indicators we have in our IOC index from the exploit-harvester pull on the public PoC repo (B1tBit/CVE-2026-32201-exploit). The KQL is below. Run it.



What CVE-2026-32201 Actually Is


It is a spoofing vulnerability that chains to cross-site scripting on SharePoint Server. CVSS 6.5. Improper input validation in the affected pages allows an unauthenticated remote attacker to inject script that executes in the browser of any user visiting a compromised SharePoint page. The payoff is session cookie theft and authentication token theft. From there an attacker pivots to authenticated SharePoint access and from authenticated SharePoint access to whatever the compromised user can reach on the corporate intranet, which on most enterprise deployments is a lot.


The vulnerability is rated Important rather than Critical because it requires user interaction (the victim has to load the malicious SharePoint page). The exploitation rate in the wild and the volume of exposed servers indicate that "requires user interaction" is doing very little to slow attackers down. Phishing a SharePoint URL to an internal user is straight out of the standard playbook. SharePoint is the vector that gets clicked.


Affected products: SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition. SharePoint Online (Microsoft 365) is not affected; this is on-premises only. If your organization is still running on-premises SharePoint, your exposure window opened on Patch Tuesday and is still open if you have not deployed the update.



The Two Paths


Our exploit harvester pulled the public PoC for CVE-2026-32201 last week. The two URL paths that are the load-bearing indicators in the exploit chain are /_layouts/15/start.aspx and /_layouts/15/notify.aspx. Both are legitimate SharePoint application paths that exist on every install, which is part of why the exploit works without dropping a webshell or a recognized backdoor file. The exploit lives in the query string and the body, not the path. So your hunt has to filter on the path and then look at what is being passed to it.



KQL — Microsoft Sentinel and Defender


For a Sentinel deployment ingesting IIS logs through the W3CIISLog table, the first query to run is the one looking for XSS payloads landing on either of the two paths in the last forty-eight hours.


W3CIISLog | where TimeGenerated > ago(48h) | where csUriStem in~ ("/_layouts/15/start.aspx", "/_layouts/15/notify.aspx") | where csUriQuery has_any ("script", "javascript:", "onerror=", "onclick=", "alert(", "%3Cscript", "%6Aavascript") | project TimeGenerated, sSiteName, cIP, csUserAgent, csUriStem, csUriQuery, scStatus | order by TimeGenerated desc


The second query is the broader baseline: how often are these two paths being hit at all, and from how many distinct sources. If your normal traffic to those paths is light and you suddenly see a spike, the spike is the alarm.


W3CIISLog | where TimeGenerated > ago(7d) | where csUriStem in~ ("/_layouts/15/start.aspx", "/_layouts/15/notify.aspx") | summarize Requests=count(), UniqueIPs=dcount(cIP), UniqueAgents=dcount(csUserAgent), TopAgent=arg_max(csUserAgent, 1) by csUriStem, bin(TimeGenerated, 1h) | order by TimeGenerated desc


For Defender for Endpoint customers without Sentinel, the data lives in DeviceProcessEvents around the SharePoint worker process w3wp.exe and DeviceNetworkEvents for any unusual outbound from the SharePoint host (a w3wp.exe reaching out to an unfamiliar C2 after one of these requests is a strong signal of post-exploit activity).


DeviceNetworkEvents | where Timestamp > ago(48h) | where InitiatingProcessFileName =~ "w3wp.exe" | where ActionType == "ConnectionSuccess" | where not(RemoteIPType in ("Private", "Loopback", "Reserved")) | summarize Connections=count(), URLs=make_set(RemoteUrl, 50) by DeviceName, RemoteIP | where Connections > 5 | order by Connections desc



The grep Version For Anyone Without KQL


If you are not in Sentinel and not in Defender and you are reading this from a server room with a flashlight in your teeth, the IIS log files live in C:\inetpub\logs\LogFiles\ by default. Search them like this from PowerShell:


Get-ChildItem -Path C:\inetpub\logs\LogFiles\ -Filter *.log -Recurse | Select-String -Pattern "/_layouts/15/start\.aspx|/_layouts/15/notify\.aspx" | Select-Object Filename, LineNumber, Line


Or from a bash environment with the logs mounted:


grep -E "/_layouts/15/(start|notify)\.aspx" *.log | awk '{print $1, $2, $9, $10, $11}' | sort | uniq -c | sort -rn | head -50


Either pass gives you the list. If anything in that list has script payloads in the query string or unexpected status codes, you have a candidate.



What To Do Tonight


One. Patch. Microsoft published the update on April 8 for SharePoint 2016, 2019, and Subscription Edition. If you are not patched, you are in the 1,300-server window BleepingComputer is reporting on. Patch is the only fix; the workarounds in the original advisory are partial.


Two. Hunt back. Run the queries above against the last seven days minimum, ideally the last thirty. The vulnerability has been actively exploited since April; you are not looking for a brand-new event, you are looking for evidence that someone already used it on you and you missed it.


Three. Rotate. If the hunt finds suspicious traffic to either path with script payloads in the query string and the affected accounts include privileged users, rotate session cookies and credentials for those accounts immediately. The exploit's payoff is session theft, not file write. The blast radius is whatever the compromised user could already access.


Four. Check for follow-on. SharePoint compromise is rarely the destination; it is the step. Look at Defender for outbound activity from your SharePoint hosts to unfamiliar IPs in the same hunt window. Look at AAD sign-in logs for the affected users for unusual locations or impossible-travel signals immediately following the SharePoint requests.



Why We Are Publishing This Now


CVE-2026-32201 was disclosed and patched four weeks ago. The federal patch deadline was nine days ago. Every paid threat intelligence platform shipped indicators on this. Most enterprises got the alert. About 1,300 internet-exposed SharePoint servers are still unpatched per BleepingComputer, and that count is the floor — it does not include intranet-only servers that are still vulnerable to internal phishing pivots.


The reason 1,300 servers are still unpatched is not that the indicators were not delivered. The indicators were delivered. The reason is that delivery is the easy half of the job and detection-driven hunting in production logs is the hard half. We publish KQL on the front end of these so that small teams without a SOC retainer have something to copy and paste tonight without filing a ticket.


The CVE-2026-32201 IOCs (URL paths, the public PoC repo, and follow-on phishing kit infrastructure that shows up in OpenPhish) are in our STIX feed at analytics.dugganusa.com/api/v1/stix-feed under the indicator type. The free public tier is twenty-five queries per day; that is enough to pull the SharePoint indicator set tonight without paying us.


If you find anything in your logs running these queries and you want a cross-check or a second opinion, we are at [email protected].



Receipts


  • Microsoft Security Update Guide entry for CVE-2026-32201 (April 8, 2026): msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201

  • CISA Known Exploited Vulnerabilities catalog entry: cisa.gov/known-exploited-vulnerabilities-catalog

  • BleepingComputer "Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks"

  • The Hacker News "Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities"

  • Public PoC harvested by our exploit-harvester: github.com/B1tBit/CVE-2026-32201-exploit

  • Our STIX feed: analytics.dugganusa.com/api/v1/stix-feed

— Patrick Duggan DugganUSA LLC, Minneapolis


Aye.




How do AI models see YOUR brand?

AIPM has audited 250+ domains. 15 seconds. Free while still in beta.


Comments

Rated 0 out of 5 stars.
No ratings yet
Add a rating
bottom of page