Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical fast-mcp-telegram CVE-2023-4589 lets attackers access sensitive files
July 7, 2026
Top 10 Next-Generation Firewall Solutions for 2026
July 6, 2026
Microsoft Device Code Phishing Attack Steals Tokens via Login Page
July 6, 2026
Home/CyberSecurity News/1,370+ Microsoft SharePoint Servers Vulnerable to Spoofing Attacks Exposed Online
CyberSecurity News

1,370+ Microsoft SharePoint Servers Vulnerable to Spoofing Attacks Exposed Online

Key Takeaways Over 1,370 internet-exposed Microsoft SharePoint servers globally remain susceptible to a critical spoofing vulnerability (CVE-2026-32201). The flaw, impacting SharePoint Server 2016,...

Sarah simpson
Sarah simpson
April 22, 2026 3 Min Read
44 0

Key Takeaways

  • Over 1,370 internet-exposed Microsoft SharePoint servers globally remain susceptible to a critical spoofing vulnerability (CVE-2026-32201).
  • The flaw, impacting SharePoint Server 2016, 2019, and Subscription Edition, allows unauthenticated attackers to impersonate users and access sensitive data.
  • Despite a “Medium” CVSS score of 6.5, its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog confirms active exploitation and elevates its real-world severity.
  • Microsoft released patches on April 14, 2026, as part of its Patch Tuesday updates, with CISA mandating remediation by April 28, 2026, for federal agencies.

Unpatched SharePoint Servers Face Active Spoofing Threat

New scanning data from the Shadowserver Foundation reveals that more than 1,370 Microsoft SharePoint Servers accessible via the internet are still vulnerable to a significant spoofing flaw, identified as CVE-2026-32201. This vulnerability is particularly concerning given its presence on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation by threat actors.

Table Of Content

  • Key Takeaways
  • Unpatched SharePoint Servers Face Active Spoofing Threat
  • Details on the Vulnerability and Affected Systems
  • What You Should Do

The core of CVE-2026-32201 lies in insufficient input validation (CWE-20) within the request processing component of Microsoft Office SharePoint Server. This oversight allows an unauthenticated remote attacker to craft malicious network requests that bypass authentication measures. Successful exploitation enables spoofing attacks, where an attacker can impersonate legitimate users to gain unauthorized access to or manipulate sensitive organizational data.

According to Microsoft’s official advisory, while the vulnerability does not directly impact system availability, a successful exploit could allow an attacker to view and modify sensitive information. Although the vulnerability carries a CVSS v3.1 base score of 6.5, classifying it as “Medium” severity, cybersecurity experts caution that its practical danger significantly surpasses this rating.

The attack vector is entirely network-based (AV:N), requires minimal complexity (AC:L), no prior privileges (PR:N), and no user interaction (UI:N). This combination makes it an exceptionally dangerous threat for any internet-exposed enterprise collaboration platform like SharePoint.

Details on the Vulnerability and Affected Systems

Microsoft initially disclosed CVE-2026-32201 on April 14, 2026, as part of its April Patch Tuesday cycle, which addressed a total of 169 vulnerabilities across its product line. The flaw specifically impacts on-premises versions of SharePoint Server, including SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.

CISA swiftly added CVE-2026-32201 to its KEV catalog on the same day, April 14, citing clear evidence of active exploitation. The agency also imposed a federal remediation deadline of April 28, 2026, for government entities, underscoring the urgency of patching.

The rapid inclusion of this vulnerability in the KEV catalog, in conjunction with Microsoft’s patch release, signals the high priority threat actors are placing on exploiting unpatched SharePoint infrastructure. This scenario echoes the 2025 “ToolShell” campaign, which saw hundreds of SharePoint customers targeted through a chain of SharePoint vulnerabilities, specifically CVE-2025-49704 and CVE-2025-49706.

Shadowserver Foundation’s scanning data, updated as of April 20, 2026, identified 1,370 unpatched IP addresses still exposed to CVE-2026-32201, tracked under their http_vulnerable and http_vulnerable6 sources. The geographic distribution of these vulnerable systems is concerning:

  • North America: 677 (The United States accounts for 587 of these IPs)
  • Europe: 452
  • Asia: 144
  • Oceania: 33
  • South America: 33
  • Africa: 31

Global mapping data confirms the United States has the highest concentration of vulnerable SharePoint deployments, with Canada contributing an additional 70 exposed IPs. Europe also shows significant exposure, with clusters identified in Germany, France, and the UK.

Despite its “Medium” CVSS rating, CVE-2026-32201 poses a severe risk for any organization operating an internet-facing, on-premises SharePoint Server. The pre-authentication nature of the exploit means that no user credentials are required, making any network-reachable SharePoint instance a potential target. Successful exploitation can lead to credential theft, data exfiltration, unauthorized access to documents, and potential lateral movement within broader enterprise networks.

What You Should Do

  • Immediately apply Microsoft’s April 2026 Patch Tuesday security updates to all supported SharePoint Server versions (2016, 2019, and Subscription Edition).
  • Conduct a thorough audit of all internet-facing SharePoint deployments and restrict public exposure wherever possible.
  • Implement robust monitoring for unusual authentication activity and indicators of spoofed sessions.
  • Prioritize the remediation of CVE-2026-32201, cross-referencing CISA’s KEV catalog, and adhere to the April 28 federal deadline for remediation.
  • Utilize free scanning reports from organizations like Shadowserver to identify vulnerable assets within your network perimeter.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVECybersecurityExploitPatchSecurityThreatVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

CrowdStrike LogScale Critical CVE-2023-40148 Lets Attackers Read Server Files

Next Post

Critical Atlassian Bamboo RCE Flaw CVE-2024-1591 Lets Attackers Inject Commands

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
SilverFox Hackers Deploy Go RAT, AV Killer, Kernel Rootkit in ValleyRAT Campaign
July 6, 2026
OpenSSH 9.7 Fixes Critical Vulnerabilities, Adds New Features
July 6, 2026
Critical Microsoft Edge Bug (CVE-2024-XXXX) Lets Attackers Run Code Remotely
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us