1,300+ Unpatched SharePoint Servers Still Exposed to Actively Exploited Spoofing Flaw

April 22, 2026 08:00

Thousands of SharePoint Servers Left Open to Active Exploitation

More than 1,300 Microsoft SharePoint servers accessible over the internet have yet to receive patches for a spoofing vulnerability that was weaponized as a zero-day and is still being actively abused by threat actors. The flaw, tracked as CVE-2026-32201, affects multiple on-premises versions of SharePoint and carries meaningful risks for both enterprise and government environments.

Despite Microsoft releasing a fix as part of its April 2026 Patch Tuesday update cycle, internet security watchdog group Shadowserver reported on Tuesday that fewer than 200 systems had been patched in the week following the security update's release — leaving the vast majority of vulnerable deployments exposed.

Which SharePoint Products Are Affected

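CVE-2026-32201 impacts the following Microsoft SharePoint products: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.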

The vulnerability stems from an improper input validation weakness, and Microsoft characterized attacks exploiting it as low-complexity, requiring no user interaction and no special attacker privileges to carry out.

What Attackers Can Do With This Flaw

According to Microsoft's official advisory, successful exploitation of CVE-2026-32201 enables network spoofing by unauthenticated threat actors. The company described the potential impact in the following terms:

"An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)."

In practical terms, this means an attacker could intercept or manipulate data in transit without being detected as an outsider, while stopping short of denying legitimate users access to SharePoint resources. Though the availability impact is rated as none, the combination of confidentiality and integrity risks makes this a serious issue for organizations handling sensitive data through SharePoint.

Microsoft flagged CVE-2026-32201 as a zero-day at the time of patching, confirming that it had already been exploited in the wild before the fix was publicly available. However, the company has not yet disclosed the specific attack methods used or attributed the malicious activity to any particular threat actor or hacking group.

CISA Orders Federal Agencies to Patch by April 28

On the same day Microsoft released the patches — as part of its April 14, 2026 Patch Tuesday, which addressed a total of 167 vulnerabilities including two zero-days — the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) Catalog.

Under the requirements of Binding Operational Directive (BOD) 22-01, CISA ordered all Federal Civilian Executive Branch (FCEB) agencies — a category that includes non-military executive branch bodies such as the Department of the Treasury and the Department of Homeland Security — to apply patches to their SharePoint servers no later than April 28, 2026, providing a two-week remediation window.

CISA issued a stark warning alongside the directive:

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

A Broader Pattern of Microsoft Vulnerability Exploitation

The CVE-2026-32201 situation fits into a broader trend of widely deployed Microsoft products being targeted through known, patchable vulnerabilities — particularly when patch adoption lags behind disclosure. Shadowserver's data makes clear that, despite the combination of active exploitation, a CISA KEV listing, and a federal patching deadline, a significant portion of exposed SharePoint servers remain unprotected more than a week after fixes became available.

This isn't the only recent Microsoft flaw drawing federal attention. Just one week before the SharePoint warning, CISA separately flagged a Windows Task Host privilege escalation vulnerability as actively exploited in the wild, cautioning that it could allow attackers to gain SYSTEM-level privileges on affected devices and urging federal agencies to remediate as quickly as possible.

Recommended Actions for SharePoint Administrators

Security teams responsible for on-premises SharePoint deployments should take the following steps immediately:

  1. Identify all internet-exposed SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition instances in their environments.
  2. Apply the security updates released by Microsoft on April 14, 2026, as part of the April Patch Tuesday cycle.
  3. If immediate patching is not feasible, consider temporarily restricting external network access to SharePoint servers as a compensating control.
  4. Review logs for unusual network traffic patterns or signs of spoofing activity that may indicate prior exploitation.
  5. Monitor CISA's Known Exploited Vulnerabilities Catalog and Microsoft's Security Update Guide for further guidance.
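
The steps above can be tracked as a simple triage pass over an asset inventory. The following is an added example, not code from Microsoft, CISA or the original article: the KEV entry is a constructed record in the field layout of CISA's KEV JSON feed using the dates given here, and the inventory, host names and field names are hypothetical.

```python
import json
from datetime import date

# Constructed entry in the field layout of CISA's KEV JSON feed; dates are the article's.
KEV = json.loads("""{"vulnerabilities": [{"cveID": "CVE-2026-32201",
  "vendorProject": "Microsoft", "product": "SharePoint Server",
  "dateAdded": "2026-04-14", "dueDate": "2026-04-28"}]}""")

# Products the article names as affected.
AFFECTED = {
    "SharePoint Enterprise Server 2016",
    "SharePoint Server 2019",
    "SharePoint Server Subscription Edition",
}

# Constructed inventory; host names and field names are hypothetical.
INVENTORY = [
    {"host": "sp-ext-01.example.org", "product": "SharePoint Server 2019",
     "internet_exposed": True, "april_2026_update": False},
    {"host": "sp-int-02.example.org", "product": "SharePoint Enterprise Server 2016",
     "internet_exposed": False, "april_2026_update": False},
    {"host": "sp-ext-03.example.org", "product": "SharePoint Server Subscription Edition",
     "internet_exposed": True, "april_2026_update": True},
    {"host": "files-04.example.org", "product": "Other file server",
     "internet_exposed": True, "april_2026_update": False},
]

def triage(inventory, catalog, cve_id, today):
    """Return unpatched affected hosts, internet-exposed first, with KEV deadline status."""
    entry = next((v for v in catalog["vulnerabilities"] if v["cveID"] == cve_id), None)
    if entry is None:
        return []  # CVE not in the catalog: nothing to track against
    days_left = (date.fromisoformat(entry["dueDate"]) - today).days
    findings = []
    for asset in inventory:
        if asset["product"] not in AFFECTED or asset["april_2026_update"]:
            continue  # not an affected product, or already updated
        exposed = asset["internet_exposed"]
        findings.append({
            "host": asset["host"],
            "priority": 0 if exposed else 1,
            "action": ("patch now; restrict external access until patched" if exposed
                       else "patch before the KEV due date"),
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    return sorted(findings, key=lambda f: (f["priority"], f["host"]))
```

Calling `triage(INVENTORY, KEV, "CVE-2026-32201", date.today())` lists the hosts still needing the April 14, 2026 update, with exposed servers first.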

With Shadowserver confirming that over 1,300 vulnerable servers remain publicly reachable and active exploitation already underway, the window for safe inaction has effectively closed. Organizations still running unpatched SharePoint deployments should treat remediation as an urgent priority.


Source: BleepingComputer
