SharePoint CVE-2026-32201 Is Being Actively Targeted. Here Are the Paths to Watch.
- Patrick Duggan
- 22 minutes ago
Microsoft is warning that CVE-2026-32201, an improper input validation flaw in SharePoint Server, is being actively targeted. The vulnerability allows an unauthenticated attacker to spoof trusted content or interfaces over a network, affecting SharePoint Subscription Edition and SharePoint Server 2016 Enterprise.
The technical surface is narrow enough to be actionable. A proof-of-concept published in April identified two specific layout paths as the attack vectors: the notify endpoint at /_layouts/15/notify.aspx, and the start endpoint at /_layouts/15/start.aspx. Unauthenticated requests to these paths, particularly with spoofed headers or malformed input, are the shape of this exploit. If you run SharePoint on-premises, those two paths are what your WAF or SIEM should be watching today for anomalous unauthenticated requests.
The PoC repository went up April 22, eight days after the CVE was published. The gap between a PoC appearing on GitHub and active targeting in the wild has been compressing all year. The WP Maps Pro plugin exploit we covered this morning was three days. SharePoint's gap was roughly six weeks, which is consistent with slower targeting of on-premises enterprise infrastructure compared to internet-exposed WordPress instances. But the targeting is real now and the paths are known.
We are being explicit about sourcing because it matters. The detection signal here comes from a single conceptual PoC, not a mature weaponized tool or a confirmed kill chain. Confidence is moderate. What we can say with high confidence is that the attack surface is the layouts directory, the mechanism is input validation bypass enabling spoofing, and the two paths above are where the PoC focuses its activity. That is enough to write a rule.
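One way to turn those two paths into a log check, as an added example that is not taken from the PoC or from our feed. It assumes IIS W3C extended logs with the cs-uri-stem, cs-username and sc-status fields enabled; the sample lines are constructed and use documentation-range addresses.

```python
from collections import Counter
from urllib.parse import unquote

# The two layout paths named in the article, compared case-insensitively.
WATCHED = {"/_layouts/15/notify.aspx", "/_layouts/15/start.aspx"}

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-06-02 09:14:01 GET /_layouts/15/start.aspx - CONTOSO\\alice 192.0.2.10 200
2026-06-02 09:14:07 POST /_layouts/15/Notify.aspx - - 203.0.113.50 200
2026-06-02 09:14:09 GET /_layouts/15/start.aspx - - 203.0.113.50 401
2026-06-02 09:14:12 GET /_layouts/15/%6eotify.aspx id=1 - 203.0.113.50 200
2026-06-02 09:15:30 GET /SitePages/Home.aspx - - 198.51.100.7 401
"""


def find_unauthenticated_hits(log_text):
    """Return one dict per anonymous request to a watched layout path."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Normalize case and percent-encoding before comparing.
        stem = unquote(row.get("cs-uri-stem", "")).lower()
        # IIS logs "-" as cs-username when no identity was established.
        if stem in WATCHED and row.get("cs-username", "-") == "-":
            hits.append({
                "time": f'{row.get("date", "")} {row.get("time", "")}'.strip(),
                "client": row.get("c-ip", "-"),
                "method": row.get("cs-method", "-"),
                "path": stem,
                "status": row.get("sc-status", "-"),
                # A 401 is usually the first leg of a Windows auth handshake.
                "challenge_only": row.get("sc-status") == "401",
            })
    return hits


def summarize(hits):
    """Count anonymous hits that were not just a 401 challenge, per client."""
    return Counter(h["client"] for h in hits if not h["challenge_only"])
```

Anonymous requests that end in a 401 are common on sites using integrated Windows authentication, so the per-client count of non-401 responses is the better starting point for triage.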
Both paths are now in our corpus alongside CVE-2026-32201's other metadata. If you pull the STIX feed, you have them. If you are running SharePoint Subscription Edition or 2016 Enterprise and have not patched, the next Patch Tuesday is June 9. That is one week. The paths above are the interim defense.
