Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks

At a glance:

• Over 1,300 Microsoft SharePoint servers exposed online remain unpatched against CVE-2026-32201, a spoofing vulnerability exploited as a zero-day.
• The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, allowing attackers to view sensitive data and alter information without user interaction.
• U.S. federal agencies must patch by April 28, 2026, per CISA's Binding Operational Directive 22-01 after the vulnerability was added to the Known Exploited Vulnerabilities catalog.

The Vulnerability: CVE-2026-32201

A critical security vulnerability tracked as CVE-2026-32201 affects multiple versions of Microsoft SharePoint, leaving servers exposed to spoofing attacks. The flaw, which Microsoft patched during its April 2026 Patch Tuesday cycle, stems from improper input validation that enables threat actors to perform network spoofing. Microsoft confirmed that successful exploitation allows attackers without privileges to compromise confidentiality and integrity of data, though availability remains unaffected. Despite being flagged as a zero-day, Microsoft has not disclosed specific exploitation details or linked attacks to particular threat actors, leaving the full attack vector unclear for security researchers.

Current Exposure: Thousands of Unpatched Systems

Internet security watchdog group Shadowserver reported that over 1,300 Microsoft SharePoint servers remain exposed online and unpatched just days after Microsoft released security updates for CVE-2026-32201. Shockingly, fewer than 200 systems have been secured since patches became available. This widespread exposure creates a significant attack surface, as the vulnerability requires only low-complexity exploitation without user interaction. Shadowserver's monitoring highlights the persistent challenge of patch management across enterprise environments, particularly for legacy systems like SharePoint Server 2016 that may receive less frequent updates.

Federal Response: CISA's Mandate

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) escalated the threat by adding CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) Catalog on April 9, 2026. This designation triggers mandatory remediation for federal agencies under Binding Operational Directive (BOD) 22-01, requiring all Federal Civilian Executive Branch (FCEB) agencies to patch SharePoint servers within two weeks—by April 28, 2026. CISA emphasized that "this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," instructing agencies to either apply mitigations, follow cloud service guidance, or discontinue use if patches are unavailable.

Broader Context: April 2026 Patch Tuesday

CVE-2026-32201 is part of a larger security update cycle where Microsoft addressed 167 vulnerabilities on April 14, 2026, including two additional zero-day flaws. The same week, CISA also flagged a Windows Task Host privilege escalation vulnerability being exploited in the wild, warning federal agencies to secure devices immediately to prevent attackers from gaining SYSTEM privileges. This confluence of critical vulnerabilities underscores the escalating sophistication of cyber threats targeting enterprise infrastructure, particularly legacy systems with extended support lifespans.

What's Next for Organizations

Organizations running vulnerable SharePoint versions must prioritize patching immediately. For systems unable to patch immediately, Microsoft recommends implementing mitigations such as network segmentation, access controls, and monitoring for suspicious activity. Security teams should also verify their exposure using tools like Shadowserver's public dataset, which tracks unpatched servers globally. Given the vulnerability's zero-day status and active exploitation, organizations should assume their environments are already targeted and treat remediation as a time-sensitive security imperative.

The Patching Challenge

The slow adoption rate of SharePoint patches highlights broader challenges in enterprise security management. With over 1,300 servers still exposed just days after release, many organizations likely face deployment bottlenecks due to testing requirements, legacy dependencies, or resource constraints. This incident mirrors previous patching delays for critical Microsoft vulnerabilities, suggesting systemic issues in vulnerability response protocols. Security experts recommend organizations maintain dedicated patch management teams and test environments to accelerate deployment of critical updates without compromising system stability.

Industry Impact and Future Threats

The exploitation of CVE-2026-32201 as a zero-day before public patching signals a dangerous trend where attackers leverage vulnerabilities faster than organizations can respond. This vulnerability, combined with the Windows Task Host flaw and other unpatched issues, suggests coordinated threat actor campaigns targeting enterprise weaknesses. Industry analysts predict increased focus on pre-patch exploitation as attackers prioritize zero-day vulnerabilities with minimal user interaction requirements, forcing organizations to adopt more proactive security measures like continuous monitoring and rapid response capabilities.