Cyber Threat Brief — April 15 2026
1. SharePoint Server Spoofing Zero-Day — CVE-2026-32201
TL;DR: CISA added CVE-2026-32201 (SharePoint on-prem spoofing, CVSS 6.5) to KEV on April 14 following Microsoft’s confirmation of in-the-wild exploitation. Unauth, network-reachable, no UI — enables credential/session harvesting and trusted-channel abuse against SharePoint-integrated systems.
What’s New:
- Patched in April 14 Patch Tuesday (KB5002853 for SharePoint SE; parallel KBs for 2019/2016). Federal mitigation deadline April 28 2026.
- Root cause: improper input validation (CWE-20) in SharePoint’s request-handling layer; attackers spoof identity of network-adjacent/integrated apps.
- Microsoft has not disclosed attribution, attacker infrastructure, or first-observed date; no public PoC yet.
- Exploitation is network-reachable with low complexity and no privileges — expect PoC reverse-engineering from patch diff within days.
- Impacts Subscription Edition, 2019, and 2016 on-prem; SharePoint Online not affected.
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST/GET requests to SharePoint _api/, _vti_bin/, _layouts/15/ with malformed/spoofed Host, X-Forwarded-For, or SAML Issuer headers | HTTP header | T1190, T1557 | IIS u_ex*.log, W3C, WAF, reverse proxy | Hunt — baseline legitimate client headers first |
| Authentication events for SharePoint service accounts from unexpected subnets or user agents | Auth anomaly | T1078, T1550 | Windows 4624/4625, Entra sign-in logs, ADFS | Alert |
| w3wp.exe (SharePoint app pools) spawning cmd.exe, powershell.exe, net.exe, certutil.exe | Process chain | T1059.001, T1190 | Sysmon EID 1, EDR, 4688 | High-fidelity alert — classic post-exploit |
| New/modified .aspx, .ashx, .asmx files under C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\*\TEMPLATE\LAYOUTS\ | File artifact | T1505.003 | Sysmon EID 11, FIM, EDR | Alert — webshell candidate |
| SharePoint version/build not at April 14 2026 CU (Subscription Edition 16.0.x ≥ KB5002853; 2019 ≥ KB5002854; 2016 ≥ KB5002855) | Patch state | T1190 | MECM, Defender TVM, Tenable, manual psconfig | Prioritize patch (KEV, federal deadline Apr 28) |
| Unusual outbound from SharePoint front-end to non-update / non-Microsoft infrastructure | Network | T1071.001 | Firewall, Zeek conn.log, proxy | Alert — staging / C2 pivot |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | W3WP Spawning Shell, SharePoint Server Spawning Shell (generic) | No rule keyed to CVE-2026-32201 spoof signature; need header-anomaly search on IIS logs for SharePoint virtual dirs |
| Elastic | Webshell Detection: Script Process Child of Common Web Processes | No spoof-specific logic; add FileCreate rule for .aspx/.ashx/.asmx under LAYOUTS path |
| Sigma | proc_creation_win_iis_susp_w3wp_child.yml (generic) | Need web_sharepoint_spoofed_headers.yml once Microsoft or researchers publish request signature |
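Detection logic for the two process/file artifacts above, the Splunk "W3WP Spawning Shell" pattern and the missing FileCreate rule for LAYOUTS, as an added example that is not part of the brief or any vendor content. It evaluates normalized Sysmon events (field names EventID, Image, ParentImage, TargetFilename are the Sysmon ones; the sample events are constructed) and keeps the brief's wildcard for the hive folder in the LAYOUTS path.

```python
"""Added example: evaluates normalized Sysmon events against two SharePoint
post-exploitation artifacts, w3wp.exe spawning a shell/LOLBin (EID 1) and a
new .aspx/.ashx/.asmx file under the LAYOUTS path (EID 11)."""
import ntpath
import re

# Child images the brief lists as classic post-exploitation from a SharePoint app pool.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "net.exe", "certutil.exe"}
WEBSHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx"}

# The brief's LAYOUTS path has a wildcard for the hive folder (15, 16, ...);
# the regex keeps that wildcard and matches case-insensitively.
LAYOUTS_PATTERN = re.compile(
    r"^c:\\program files\\common files\\microsoft shared\\web server extensions"
    r"\\[^\\]+\\template\\layouts\\",
    re.IGNORECASE,
)


def is_w3wp_spawning_shell(event):
    """Sysmon EID 1 whose parent is w3wp.exe and whose child is in the suspicious set."""
    if event.get("EventID") != 1:
        return False
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN


def is_layouts_webshell_candidate(event):
    """Sysmon EID 11 creating an .aspx/.ashx/.asmx file anywhere under the LAYOUTS path."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    extension = ntpath.splitext(target)[1].lower()
    return extension in WEBSHELL_EXTENSIONS and LAYOUTS_PATTERN.match(target) is not None


def triage(events):
    """Returns (technique, rule name, offending path) for every matching event."""
    findings = []
    for event in events:
        if is_w3wp_spawning_shell(event):
            findings.append(("T1059.001", "w3wp_child_shell", event["Image"]))
        elif is_layouts_webshell_candidate(event):
            findings.append(("T1505.003", "layouts_webshell_candidate", event["TargetFilename"]))
    return findings


# Constructed sample events using Sysmon field names; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},  # benign child, must not fire
    {"EventID": 11, "TargetFilename": r"C:\Program Files\Common Files\Microsoft Shared"
                                      r"\Web Server Extensions\16\TEMPLATE\LAYOUTS\sp_update.aspx"},
    {"EventID": 11, "TargetFilename": r"C:\Program Files\Common Files\Microsoft Shared"
                                      r"\Web Server Extensions\16\TEMPLATE\LAYOUTS\IMAGES\logo.png"},
    {"EventID": 11, "TargetFilename": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The two checks are deliberately independent so each can be shipped as its own rule; the file check is the one to baseline first, because legitimate CU installs also write into LAYOUTS.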
Sources: CISA KEV Alert — Apr 14 · MSRC CVE-2026-32201 · Tenable analysis · The Hacker News · SecurityAffairs
2. Windows IKE Service Extensions Double-Free RCE — CVE-2026-33824
TL;DR: Critical unauth pre-auth RCE (CVSS 9.8) in the Windows IKE Extension reachable via specially crafted UDP 500/4500 packets — classic wormable/edge-device exposure pattern. Patched April 14; no public PoC yet but double-free root cause plus IKE exposure history make rapid weaponization likely.
What’s New:
- Root cause: double free (CWE-415) in IKEEXT service processing IKE payloads; unauthenticated remote, no UI, AV:N/AC:L/PR:N/UI:N.
- Affects all Windows 10 1607→22H2, Windows 11 22H2→26H1, Windows Server 2016/2019/2022/23H2/2025.
- Microsoft rates “Exploitation More Likely”; any host exposing UDP 500/4500 to untrusted networks (VPN concentrators, RRAS, Azure gateways) is priority.
- Mitigation (pre-patch): block inbound UDP/500 and UDP/4500 on systems not using IKE/IPsec; restrict to known peer IPs where required.
- No public PoC as of today; patch-diff of IKEEXT.dll is the likely reverse-engineering vector.
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Inbound UDP/500 or UDP/4500 from unexpected / non-peer sources | Network exposure | T1190 | Firewall allow/deny logs, NetFlow, Zeek conn.log | Alert on any new source; apply ACL |
| IKE/IPsec negotiation anomalies: malformed payload, oversized SA proposal, repeated INVALID_SYNTAX | Protocol anomaly | T1190 | Zeek ike.log (if generated), Windows WFP logs (EID 5151/5152), netsh wfp capture | Hunt — crash precursor |
| Crash of IKEEXT service / svchost.exe hosting IKEEXT | Service crash | T1499 | Windows System 7031/7034, Application 1000, WER reports | High-signal alert — exploitation attempt or stability issue |
| Post-crash child process from svchost.exe -k netsvcs group not in SvcHost allowlist | Process chain | T1055 | Sysmon EID 1, EDR, 4688 | High-fidelity alert |
| KB5055523 / KB5055528 / KB5055529 (April 14 2026 cumulative) not installed on Windows endpoints/servers | Patch state | T1190 | MECM, Defender TVM, Tenable, wmic qfe | Prioritize — internet-facing first |
| Internet-exposed UDP/500 or UDP/4500 (Shodan/Censys scan of perimeter) | Attack surface | T1190 | External ASM, Shodan internal monitoring | Reduce exposure — restrict or patch immediately |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need: firewall search for new sources to UDP 500/4500; correlation between IKEEXT crash (EID 7031) and subsequent suspicious svchost.exe children |
| Elastic | Windows Service Terminated With Error (generic) | Gap: no IKEEXT-specific correlation; add rule on System 7031/7034 where Service == IKEEXT followed by child-process creation |
| Sigma | win_system_service_crashed.yml (generic) | Need: win_system_ikeext_service_crash.yml filtered on Service Name IKEEXT for SOC triage pipeline |
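The IKEEXT crash-to-child correlation listed as a gap for Splunk and Elastic above, as an added example that is not part of the brief or any vendor rule set. It assumes events normalized to a common shape (TimeCreated as ISO 8601, a Channel field, and a ServiceName field extracted from the 7031/7034 message); the svchost child allowlist and the sample events are constructed placeholders to be replaced with your own baseline.

```python
"""Added example: stateful correlation of an IKEEXT service crash
(System EID 7031/7034) with unexpected child processes of the netsvcs
svchost.exe group in the following window."""
import ntpath
from datetime import datetime, timedelta

# Assumed organizational allowlist of svchost.exe children; build it from your own baseline.
SVCHOST_CHILD_ALLOWLIST = {"werfault.exe", "wermgr.exe", "conhost.exe"}
CORRELATION_WINDOW = timedelta(seconds=120)


def parse_time(event):
    return datetime.fromisoformat(event["TimeCreated"])


def is_ikeext_crash(event):
    """System log 7031/7034 where the crashed service is IKEEXT (normalized ServiceName field assumed)."""
    return (event.get("Channel") == "System"
            and event.get("EventID") in (7031, 7034)
            and event.get("ServiceName", "").upper() == "IKEEXT")


def is_unexpected_svchost_child(event):
    """Sysmon EID 1 from the netsvcs svchost group with a child outside the allowlist."""
    if event.get("Channel") != "Sysmon" or event.get("EventID") != 1:
        return False
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    netsvcs = "-k netsvcs" in event.get("ParentCommandLine", "").lower()
    return parent == "svchost.exe" and netsvcs and child not in SVCHOST_CHILD_ALLOWLIST


def correlate(events, window=CORRELATION_WINDOW):
    """One alert per IKEEXT crash: 'critical' when an unexpected svchost child
    follows inside the window, otherwise 'high' (the crash alone is still a signal)."""
    ordered = sorted(events, key=parse_time)
    alerts = []
    for crash in ordered:
        if not is_ikeext_crash(crash):
            continue
        start = parse_time(crash)
        children = [e["Image"] for e in ordered
                    if is_unexpected_svchost_child(e) and start <= parse_time(e) <= start + window]
        alerts.append({
            "crash_time": crash["TimeCreated"],
            "severity": "critical" if children else "high",
            "children": children,
        })
    return alerts


# Constructed sample events; timestamps, PIDs and command lines are not real telemetry.
NETSVCS = "svchost.exe -k netsvcs -p -s IKEEXT"
SAMPLE_EVENTS = [
    {"TimeCreated": "2026-04-15T03:12:05", "Channel": "System", "EventID": 7031, "ServiceName": "IKEEXT"},
    {"TimeCreated": "2026-04-15T03:12:09", "Channel": "Sysmon", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": NETSVCS,
     "Image": r"C:\Windows\System32\cmd.exe"},                       # 4 s after crash: correlates
    {"TimeCreated": "2026-04-15T03:12:10", "Channel": "Sysmon", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": NETSVCS,
     "Image": r"C:\Windows\System32\WerFault.exe"},                  # allowlisted crash handler
    {"TimeCreated": "2026-04-15T09:40:00", "Channel": "Sysmon", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": NETSVCS,
     "Image": r"C:\Windows\System32\cmd.exe"},                       # outside the window
    {"TimeCreated": "2026-04-15T02:00:00", "Channel": "System", "EventID": 7034, "ServiceName": "Spooler"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The window is a tunable; two minutes is wide enough to catch a delayed stage-two launch without sweeping in the next scheduled task, but verify against your own 7031 volume before promoting the "high" branch to a paging alert.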
Sources: MSRC CVE-2026-33824 · Tenable Patch Tuesday · TheHackerWire analysis · WindowsNews writeup
3. Windows Error Reporting ALPC LPE — CVE-2026-20817 (Public PoC)
TL;DR: Functional PoC for the January-patched WER ALPC EoP (CVSS 7.8, SYSTEM) landed publicly on GitHub this week — itm4n (Clément Labro) published full analysis + working exploit. Low-priv local user → SYSTEM via forged ALPC to \WindowsErrorReportingService. Expect rapid uptake in off-the-shelf LPE toolkits.
What’s New:
- Original patch: Microsoft January 13 2026 rollup (KB5050009 / cumulative). Unpatched endpoints remain vulnerable.
- itm4n full write-up + PoC: itm4n.github.io/cve-2026-20817-wersvc-eop and github.com/itm4n/CVEs/tree/master/CVE-2026-20817. Secondary unverified PoC: github.com/oxfemale/CVE-2026-20817 (itm4n flagged as suspect/fake).
- Mechanic: SvcElevatedLaunch method (opcode 0x0D) on ALPC port \WindowsErrorReportingService fails to validate caller privileges; launches WerFault.exe with attacker-controlled command line from shared memory → SYSTEM code execution.
- Affects all Win10 1809+, Win11, Server 2019/2022 prior to January 2026 rollup.
- Microsoft rates “Exploitation More Likely”; public PoC now makes it an expected LPE primitive in commodity toolkits (e.g., Potato family, PrintSpoofer successors).
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| WerFault.exe spawning with non-standard command line (unknown -u/-pss args, executables outside %WINDIR%) | Process | T1068 | Sysmon EID 1, 4688, EDR | High-fidelity alert |
| WerFault.exe parent = svchost.exe hosting WerSvc but child process = interactive shell / LOLBin (cmd.exe, powershell.exe, rundll32.exe) | Process chain | T1068, T1055 | Sysmon EID 1, EDR | Alert — SYSTEM-level child from WER |
| SYSTEM-integrity process creation within seconds of a user-context crash event | Correlation | T1068 | Sysmon EID 1 + Application EID 1000/1001, 4688 | Hunt pattern for WER-abuse EoPs |
| ALPC port \WindowsErrorReportingService accessed from unusual client processes (not WER, not CSRSS, not Explorer) | IPC | T1559 | ETW Microsoft-Windows-Kernel-Process / LPC, EDR | Hunt — ALPC message sender anomaly |
| IFEO / Image File Execution Options\WerFault.exe key written by non-admin user | Registry | T1546.012 | Sysmon EID 13, 4657 | Alert |
| KB5050009 (or later cumulative) not installed on Win10/Win11/Server | Patch state | T1068 | MECM, Tenable, Defender TVM | Prioritize — PoC now public |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Unusual Process Launched By WerFault (not present) | Need: parent=WerFault.exe child=shell/LOLBin search; integrity-level-elevation pattern |
| Elastic | Privilege Escalation via Windows Error Reporting (not present) | Add rule on Sysmon EID 1 where parent=WerFault.exe and child in shell/LOLBin set, integrity=SYSTEM |
| Sigma | proc_creation_win_werfault_susp_cmdline.yml (partial/community) | Need: updated rule covering itm4n PoC command-line patterns and abnormal -pss / image paths |
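The two WerFault process artifacts above, a WerFault.exe launch with a non-standard command line and a System-integrity shell/LOLBin child of WerFault.exe, as an added example that is not part of the brief, itm4n's repository, or any vendor rule. The known-switch set is an assumed baseline, not Microsoft documentation, and the sample events are constructed; Sysmon field names (Image, ParentImage, CommandLine, IntegrityLevel) are the real ones.

```python
"""Added example: flags WER abuse patterns in normalized Sysmon EID 1 events:
(a) WerFault.exe launched from outside %WINDIR%, with an unknown switch, or
with a foreign executable on its command line; (b) a shell/LOLBin child of
WerFault.exe running at System integrity."""
import ntpath
import re

LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}
WINDIR = r"c:\windows"
# Assumed baseline of WerFault.exe switches seen in normal crash handling;
# derive the real set from your own telemetry before alerting on it.
KNOWN_SWITCHES = {"-u", "-p", "-s", "-pss", "-ib", "-k", "-l", "-lcq"}


def split_command_line(cmdline):
    """Windows-style split: double-quoted runs stay together, quotes stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def under_windir(path):
    return path.lower().startswith(WINDIR + "\\")


def werfault_launch_findings(event):
    """Checks a WerFault.exe process-creation event for image location,
    unknown switches and executables outside %WINDIR%."""
    findings = []
    if not under_windir(event.get("Image", "")):
        findings.append("WerFault.exe image outside %WINDIR%")
    for token in split_command_line(event.get("CommandLine", ""))[1:]:
        lowered = token.lower()
        if lowered.startswith("-") and lowered not in KNOWN_SWITCHES:
            findings.append(f"unknown WerFault switch {token}")
        elif lowered.endswith(".exe") and not under_windir(lowered):
            findings.append(f"executable outside %WINDIR% on WerFault command line: {token}")
    return findings


def evaluate(event):
    """Returns a list of (technique, detail) findings for one Sysmon EID 1 event."""
    if event.get("EventID") != 1:
        return []
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    findings = []
    if image == "werfault.exe":
        findings += [("T1068", f) for f in werfault_launch_findings(event)]
    if (parent == "werfault.exe" and image in LOLBIN_CHILDREN
            and event.get("IntegrityLevel", "").lower() == "system"):
        findings.append(("T1068", f"System-integrity {image} spawned by WerFault.exe"))
    return findings


def triage(events):
    """(event index, finding) pairs for every finding across the batch."""
    return [(i, f) for i, event in enumerate(events) for f in evaluate(event)]


# Constructed sample events; PIDs, handles and paths are not real telemetry.
WERFAULT = r"C:\Windows\System32\WerFault.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": WERFAULT, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": WERFAULT + " -u -p 4120 -s 1364", "IntegrityLevel": "System"},       # routine
    {"EventID": 1, "Image": WERFAULT, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": WERFAULT + " -pss -s 512 -p 4120 -ib 640", "IntegrityLevel": "System"},  # routine
    {"EventID": 1, "Image": WERFAULT, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": WERFAULT + r" -u -p 4120 -s 1364 C:\Users\Public\tool.exe",
     "IntegrityLevel": "System"},                                                          # foreign exe
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": WERFAULT,
     "CommandLine": "cmd.exe", "IntegrityLevel": "System"},                              # LOLBin child
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe", "ParentImage": WERFAULT,
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4", "IntegrityLevel": "System"},  # benign
]

if __name__ == "__main__":
    for index, finding in triage(SAMPLE_EVENTS):
        print(index, finding)
```

The child-process branch is the high-fidelity one; the command-line branch needs the switch baseline tuned per Windows build, so start it in hunt mode as the brief's Splunk and Sigma gaps suggest.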
Sources: itm4n analysis · itm4n PoC repo · SecurityOnline writeup · Cybersecurity News · MSRC CVE-2026-20817
Status Updates
- CVE-2026-33825 (Microsoft Defender — BlueHammer LPE): Patched in April 14 Patch Tuesday rollup; March 2026 PoC (“Chaotic Eclipse”) still the primary weaponization path. Confirm April update installed — preferred over registry/service workaround. Original coverage.
- CVE-2009-0238 (Microsoft Excel legacy RCE): CISA KEV addition April 14 (paired with CVE-2026-32201); 17-year-old Excel malformed-object RCE — confirm no Office 2003/2007 remains in-scope; detection content unchanged.
- CVE-2026-34621 (Adobe Acrobat/Reader prototype pollution): Still in active exploitation; no new IOCs beyond April 14 coverage. Original coverage.
- CVE-2026-21643 (Fortinet FortiClient EMS SQLi): Still ITW; no new artifacts beyond April 14 coverage. Original coverage.
- CVE-2025-60710 (Windows Task Host Recall LPE): PoC-in-GitHub tracking still at 4 repos; no new variants. Original coverage.