InfoSec Briefing - April 15, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Wednesday, April 15, 2026. We're covering 3 articles today. All attribution is by the article authors. All article analysis is automated.

CISA has added a critical Microsoft SharePoint Server spoofing vulnerability to its Known Exploited Vulnerabilities catalog. The flaw affects SharePoint 2016, 2019, and Subscription Edition, allowing unauthenticated attackers to exploit systems over the network and potentially view or modify sensitive information. CISA reports active exploitation against internet-facing SharePoint deployments and requires immediate patching with Microsoft's April security updates.

XYBYTES researcher Christian Bortone has identified an overly permissive configuration in Azure File Sync that enables privilege escalation. The Azure File Sync Administrator role contains write permissions for role assignments, allowing users to grant themselves powerful roles like Storage Account Contributor, potentially leading to storage account compromise and data exfiltration. Microsoft has classified this as medium severity and decided not to remediate the issue.

Security researcher oxfemale has reverse engineered a zero-day exploit capable of disabling CrowdStrike endpoint protection. The exploit uses a malicious kernel-level driver that terminates security processes via their process identifiers, allowing attackers to evade detection and maintain persistence on compromised systems.

That concludes today's briefing.

📰 Articles Covered

CVE-2026-32201 - CISA KEV

**CVE-2026-32201** is a **spoofing vulnerability** in **Microsoft Office SharePoint** that has been exploited in the wild .

- **Affected Product and Vendor**: The vulnerability affects **Microsoft Office SharePoint**, a product from **Microsoft** .
- **Vulnerability Description**: This vulnerability stems from **improper input validation** . It allows **unauthenticated attackers** to perform **spoofing over a network** . The CVSS rating for this vulnerability is **6.5** .
- **Attacker Capabilities**: Attackers can **view sensitive information** and **make changes to disclosed information** .
- **Exploitation**: While the provided information does not explicitly detail how it is being exploited against internet-facing applications using the MITRE ATT&CK T1190 technique, the nature of the vulnerability (spoofing over a network) suggests potential for such exploitation.
- **Threat Actors or Campaigns**: **Microsoft has confirmed that CVE-2026-32201 was exploited in the wild** . However, specific threat actors or campaigns exploiting this particular CVE are not detailed in the provided sources.
- **Affected Versions**: The specific affected versions of Microsoft Office SharePoint are not detailed in the provided search results.
- **Immediate Defender Actions**: Given that this vulnerability has been exploited in the wild, defenders should prioritize **applying the security updates released by Microsoft in April 2026** . Organizations should ensure their SharePoint environments are patched to mitigate the risk of exploitation.
Abusing Overly Permissive Role in Azure File Sync - The content posted at the URL is from **XYBYTES** and was posted by **Christian Bortone**.

A security vulnerability has been identified in **Azure File Sync** where the **"Azure File Sync Administrator"** role is **overly permissive** 【1】.

**What Happened:**
The "Azure File Sync Administrator" role contains the `Microsoft.Authorization/roleAssignments/write` permission. Although this permission has a condition, it can still be exploited by users to assign themselves more powerful roles, such as "Storage Account Contributor" or "Storage File Data Privileged Contributor" 【1】. This allows for privilege escalation.

**Who is Affected:**
Organizations utilizing **Azure File Sync** are affected, especially those that have granted the "Azure File Sync Administrator" role to users 【1】.

**Security Implications:**
Exploiting this vulnerability can lead to significant security breaches, including:
- **Privilege Escalation:** Attackers can gain higher-level access within the Azure environment 【1】.
- **Storage Account Compromise:** Attackers can gain control over storage accounts 【1】.
- **Server Compromise:** Connected servers can be compromised 【1】.
- **Local Administrator Privileges:** Attackers may obtain local administrator privileges on compromised machines 【1】.
- **Data Exfiltration:** Sensitive files can be exfiltrated from machines 【1】.

**Technical Details:**
The Azure File Sync agent operates with **SYSTEM privileges**. This allows an attacker, after escalating their privileges, to reconfigure the server endpoint to synchronize sensitive system files, such as the SAM (Security Account Manager) and SYSTEM files, from `C:\Windows\System32\config\` 【1】.

**What Defenders Should Know:**
Defenders need to understand that the **"Azure File Sync Administrator" role is significantly more powerful than its name suggests** 【1】. It is crucial to **restrict the permissions** associated with this role to mitigate the risk of privilege escalation and subsequent compromise 【1】. Microsoft has classified this as a medium severity issue and has opted not to fix it 【1】.
Signed to Kill: Reverse Engineering a 0-Day Used to Disable CrowdStrike EDR - oxfemale

The cybersecurity article details the reverse engineering of a zero-day exploit used to disable CrowdStrike's Endpoint Detection and Response (EDR) system.

**What Happened**
A zero-day exploit was discovered that targets a vulnerability allowing an attacker to disable CrowdStrike's EDR. The exploit works by leveraging a driver that can terminate any process, including the EDR itself. The reverse engineering process involved analyzing the driver using IDA Pro, identifying specific IOCTL (Input/Output Control) codes, and understanding the functions responsible for process termination.

**Who is Affected**
The primary targets of this exploit are systems protected by **CrowdStrike EDR**. However, any system where this specific driver can be loaded and executed is potentially vulnerable.

**Security Implications**
The security implications are significant:
- **Evasion of Detection:** By disabling the EDR, attackers can operate on a compromised system without being detected by CrowdStrike's security measures.
- **Privilege Escalation/Persistence:** The exploit allows for the termination of critical security processes, which could be a precursor to further malicious activities or a method to maintain persistence.
- **Kernel-Level Access:** The exploit operates at the kernel level, granting it deep access and the ability to bypass user-mode security restrictions.

**Technical Details**
The exploit involves a driver that exposes an IOCTL handler. Specifically, the IOCTL `0x22E010` triggers a function named `procKiller`. This function takes a process ID (PID) as a null-terminated ASCII string, converts it to an integer using `atoi()`, and then uses `ZwOpenProcess` and `ZwTerminateProcess` to kill the specified process. A key detail is that `ZwOpenProcess` from the kernel can successfully open handles to Protected Process Light (PPL) processes, which user-mode applications like EDRs cannot do, explaining how it can terminate security software 【1】.

**What Defenders Should Know**
Defenders should be aware of the following:
- **Kernel-Level Threats:** Exploits targeting kernel drivers pose a severe risk as they can bypass many user-mode security controls.
- **EDR Vulnerabilities:** Even robust EDR solutions can have vulnerabilities that attackers can exploit to disable them.
- **Process Termination Mechanisms:** Understanding how processes are terminated, especially from the kernel, is crucial for defense.
- **Patching and Updates:** While this was a zero-day, prompt patching of any identified vulnerabilities in EDR software and operating systems is essential.
- **Monitoring Driver Activity:** Monitoring for the loading of suspicious drivers and unusual `DeviceIoControl` calls can help detect such attacks.