
Microsoft SharePoint Spoofing Attacks Affect 1,300+ Servers

Originally published on: April 23, 2026
Summary

– Over 1,300 unpatched Microsoft SharePoint servers remain exposed online to a spoofing vulnerability (CVE-2026-32201) that is actively being exploited.
– The flaw affects multiple SharePoint versions and allows unprivileged attackers to perform network spoofing to view or alter sensitive information.
– CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch their systems by April 28.
– The Shadowserver watchdog group reported that fewer than 200 vulnerable systems have been patched since Microsoft released fixes last week.
– Microsoft patched this flaw among 167 vulnerabilities in its April 2026 update but has not disclosed details of the in-the-wild attacks.

A significant number of Microsoft SharePoint servers remain vulnerable to an actively exploited spoofing flaw, with more than 1,300 systems still unpatched. This critical vulnerability, identified as CVE-2026-32201, impacts multiple on-premises versions of the platform, including SharePoint Enterprise Server 2016, SharePoint Server 2019, and the Subscription Edition. Microsoft addressed the issue in its recent April security updates, classifying it as a zero-day vulnerability that was being exploited before a fix was available.

The flaw stems from an improper input validation weakness. Attackers can leverage it to perform network spoofing in low-complexity attacks that require no user interaction. Successful exploitation could allow an unprivileged threat actor to view or alter sensitive information, impacting data confidentiality and integrity, though not system availability. Microsoft has not detailed the specific in-the-wild attacks or attributed them to any known threat group.

Despite patches being available, remediation efforts are lagging. The security monitoring group Shadowserver reported that over 1,300 internet-exposed servers are still vulnerable. Since the update’s release last week, fewer than 200 systems have been successfully patched, leaving a large attack surface. The urgency was underscored when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) promptly added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) Catalog.

CISA issued a binding directive, ordering all Federal Civilian Executive Branch agencies to apply the SharePoint security updates by April 28. The agency emphasized that such flaws are a frequent attack vector for malicious actors and pose a substantial risk to federal systems. Its guidance instructs organizations to apply vendor-provided mitigations immediately or to discontinue using the product if no fix is available.

This SharePoint warning follows another recent CISA alert concerning a separately exploited Windows Task Host privilege escalation vulnerability. The agency’s consistent messaging highlights the critical need for prompt patching, especially for flaws that are under active attack. The April 2026 Patch Tuesday from Microsoft contained fixes for 167 security issues, including two zero-days, underscoring the continuous pressure on organizations to maintain rigorous patch management practices.

(Source: BleepingComputer)
