1,370+ Microsoft SharePoint Servers Vulnerable to Spoofing Attacks Exposed Online
Key Takeaways Over 1,370 internet-exposed Microsoft SharePoint servers globally remain susceptible to a critical spoofing vulnerability (CVE-2026-32201). The flaw, impacting SharePoint Server 2016,...
Key Takeaways
- Over 1,370 internet-exposed Microsoft SharePoint servers globally remain susceptible to a critical spoofing vulnerability (CVE-2026-32201).
- The flaw, impacting SharePoint Server 2016, 2019, and Subscription Edition, allows unauthenticated attackers to impersonate users and access sensitive data.
- Despite a “Medium” CVSS score of 6.5, its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog confirms active exploitation and elevates its real-world severity.
- Microsoft released patches on April 14, 2026, as part of its Patch Tuesday updates, with CISA mandating remediation by April 28, 2026, for federal agencies.
Unpatched SharePoint Servers Face Active Spoofing Threat
New scanning data from the Shadowserver Foundation reveals that more than 1,370 Microsoft SharePoint Servers accessible via the internet are still vulnerable to a significant spoofing flaw, identified as CVE-2026-32201. This vulnerability is particularly concerning given its presence on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation by threat actors.
Table Of Content
The core of CVE-2026-32201 lies in insufficient input validation (CWE-20) within the request processing component of Microsoft Office SharePoint Server. This oversight allows an unauthenticated remote attacker to craft malicious network requests that bypass authentication measures. Successful exploitation enables spoofing attacks, where an attacker can impersonate legitimate users to gain unauthorized access to or manipulate sensitive organizational data.
According to Microsoft’s official advisory, while the vulnerability does not directly impact system availability, a successful exploit could allow an attacker to view and modify sensitive information. Although the vulnerability carries a CVSS v3.1 base score of 6.5, classifying it as “Medium” severity, cybersecurity experts caution that its practical danger significantly surpasses this rating.
The attack vector is entirely network-based (AV:N), requires minimal complexity (AC:L), no prior privileges (PR:N), and no user interaction (UI:N). This combination makes it an exceptionally dangerous threat for any internet-exposed enterprise collaboration platform like SharePoint.
Details on the Vulnerability and Affected Systems
Microsoft initially disclosed CVE-2026-32201 on April 14, 2026, as part of its April Patch Tuesday cycle, which addressed a total of 169 vulnerabilities across its product line. The flaw specifically impacts on-premises versions of SharePoint Server, including SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
CISA swiftly added CVE-2026-32201 to its KEV catalog on the same day, April 14, citing clear evidence of active exploitation. The agency also imposed a federal remediation deadline of April 28, 2026, for government entities, underscoring the urgency of patching.
The rapid inclusion of this vulnerability in the KEV catalog, in conjunction with Microsoft’s patch release, signals the high priority threat actors are placing on exploiting unpatched SharePoint infrastructure. This scenario echoes the 2025 “ToolShell” campaign, which saw hundreds of SharePoint customers targeted through a chain of SharePoint vulnerabilities, specifically CVE-2025-49704 and CVE-2025-49706.
Shadowserver Foundation’s scanning data, updated as of April 20, 2026, identified 1,370 unpatched IP addresses still exposed to CVE-2026-32201, tracked under their http_vulnerable and http_vulnerable6 sources. The geographic distribution of these vulnerable systems is concerning:
- North America: 677 (The United States accounts for 587 of these IPs)
- Europe: 452
- Asia: 144
- Oceania: 33
- South America: 33
- Africa: 31
Global mapping data confirms the United States has the highest concentration of vulnerable SharePoint deployments, with Canada contributing an additional 70 exposed IPs. Europe also shows significant exposure, with clusters identified in Germany, France, and the UK.
Despite its “Medium” CVSS rating, CVE-2026-32201 poses a severe risk for any organization operating an internet-facing, on-premises SharePoint Server. The pre-authentication nature of the exploit means that no user credentials are required, making any network-reachable SharePoint instance a potential target. Successful exploitation can lead to credential theft, data exfiltration, unauthorized access to documents, and potential lateral movement within broader enterprise networks.
What You Should Do
- Immediately apply Microsoft’s April 2026 Patch Tuesday security updates to all supported SharePoint Server versions (2016, 2019, and Subscription Edition).
- Conduct a thorough audit of all internet-facing SharePoint deployments and restrict public exposure wherever possible.
- Implement robust monitoring for unusual authentication activity and indicators of spoofed sessions.
- Prioritize the remediation of CVE-2026-32201, cross-referencing CISA’s KEV catalog, and adhere to the April 28 federal deadline for remediation.
- Utilize free scanning reports from organizations like Shadowserver to identify vulnerable assets within your network perimeter.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.