A critical spoofing vulnerability in Microsoft SharePoint Server, tracked as CVE-2026-32201, remains unpatched on over 1,370 internet-facing IP addresses worldwide, according to fresh scanning data from the Shadowserver Foundation, even as the flaw sits on CISA’s Known Exploited Vulnerabilities (KEV) catalog with confirmed active exploitation in the wild.
CVE-2026-32201 is rooted in improper input validation (CWE-20) within Microsoft Office SharePoint Server’s request processing component. By sending specially crafted network requests, an unauthenticated remote attacker can bypass authentication checks and perform spoofing attacks, impersonating legitimate users to access or manipulate sensitive organizational data.
Microsoft’s advisory confirms that successful exploitation can allow an attacker to view sensitive information and make changes to disclosed information, though availability is not directly impacted.
The vulnerability carries a CVSS v3.1 base score of 6.5 (Medium severity), but security researchers warn that its real-world danger far exceeds its score.
The attack vector is fully network-based (AV:N) and requires low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), a dangerous combination for any internet-exposed enterprise collaboration platform.
Microsoft SharePoint Servers Vulnerable
Microsoft disclosed CVE-2026-32201 on April 14, 2026, as part of its April Patch Tuesday update cycle, which addressed a total of 169 vulnerabilities.
The flaw affects on-premises SharePoint Server versions, including 2016, 2019, and Subscription Edition. CISA simultaneously added the vulnerability to its KEV catalog on April 14, citing confirmed evidence of active exploitation, and issued a federal remediation deadline of April 28, 2026.
CISA’s rapid KEV listing, moving in lockstep with Microsoft’s patch release, signals the severity with which threat actors are actively targeting unpatched SharePoint infrastructure.
This pattern mirrors the 2025 “ToolShell” exploitation campaign, in which hundreds of SharePoint customers were targeted via chained SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706.
Shadowserver Foundation scanning data reveals 1,370 unpatched IP addresses still exposed to CVE-2026-32201 as of April 20, 2026, tracked under the http_vulnerable and http_vulnerable6 sources. The geographic breakdown of exposed systems is alarming:
- North America: 677 (largest share, with the United States accounting for 587 IPs)
- Europe: 452
- Asia: 144
- Oceania: 33
- South America: 33
- Africa: 31
The world map data confirms that the United States bears the highest concentration of vulnerable SharePoint deployments, with Canada contributing an additional 70 exposed IPs. European exposure is also significant, with clusters observed across Germany, France, and the UK.
Despite its “Medium” CVSS rating, CVE-2026-32201 presents a severe risk for any organization running an internet-facing, on-premises SharePoint Server.
The pre-authentication nature of the exploit means no credentials are needed: any network-reachable SharePoint instance is a potential target. Exploitation can lead to credential theft, data exfiltration, unauthorized document access, and potential lateral movement into broader enterprise networks.
Mitigations
Organizations should take the following immediate steps:
- Apply Microsoft’s April 2026 Patch Tuesday security updates for all supported SharePoint Server versions (2016, 2019, Subscription Edition).
- Audit internet-facing SharePoint deployments and restrict public exposure where possible.
- Monitor for anomalous authentication activity and spoofed session indicators.
- Cross-reference CISA’s KEV catalog and prioritize CVE-2026-32201 remediation before the April 28 federal deadline.
- Use Shadowserver’s free scanning reports to identify vulnerable assets within your network perimeter.
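One way to act on the last step above, as an added example (not code from this article, Microsoft, or Shadowserver): filter a Shadowserver CSV report for rows tagged with the CVE and map them to the ranges you own, covering IPv4 and IPv6 alike. The column names (`ip`, `port`, `tag`), the tag spelling, the inventory, and the sample rows are assumptions constructed for illustration; adjust them to the report you actually receive.

```python
import csv
import io
import ipaddress

CVE_TAG = "cve-2026-32201"  # assumed tag spelling; confirm against a real report row
# Constructed inventory: CIDR -> owning team (documentation ranges only).
INVENTORY = {
    "192.0.2.0/24": "collab-platform",
    "198.51.100.0/25": "branch-offices",
    "2001:db8:10::/48": "collab-platform",
}
# Constructed sample rows; the column names are assumptions about the report layout.
SAMPLE_REPORT = """\
timestamp,ip,port,hostname,tag
2026-04-20 03:12:44,192.0.2.15,443,sp01.example.org,cve-2026-32201
2026-04-20 03:12:51,203.0.113.9,443,,cve-2026-32201
2026-04-20 03:13:02,2001:db8:10::25,443,sp02.example.org,sharepoint;cve-2026-32201
2026-04-20 03:13:09,198.51.100.7,80,,cve-2025-49706
2026-04-20 03:13:15,192.0.2.15,443,sp01.example.org,cve-2026-32201
2026-04-20 03:13:20,not-an-ip,443,,cve-2026-32201
"""

def owner_of(addr, inventory):
    """Return the owner of the most specific inventory network containing addr."""
    nets = [(ipaddress.ip_network(c), o) for c, o in inventory.items()]
    match = [(n.prefixlen, o) for n, o in nets if n.version == addr.version and addr in n]
    return max(match)[1] if match else None

def triage(report_text, inventory, cve_tag=CVE_TAG):
    """Map owner -> sorted unique (ip, port) pairs that carry cve_tag."""
    hits = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        tags = {t.strip().lower() for t in (row.get("tag") or "").split(";")}
        if cve_tag not in tags:
            continue  # a different finding on the same report
        try:
            addr = ipaddress.ip_address(row["ip"].strip())
            port = int(row["port"])
        except ValueError:
            continue  # malformed row: skip it rather than abort the run
        owner = owner_of(addr, inventory)
        if owner:  # addresses outside the inventory are not ours to patch
            hits.setdefault(owner, set()).add((str(addr), port))
    return {o: sorted(v) for o, v in hits.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, INVENTORY))
```

Rows outside the inventory are dropped silently here; in practice it is worth logging them, since an unrecognized address in a report addressed to you can indicate a gap in the asset inventory.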
With over a thousand vulnerable systems still exposed more than a week after patch availability, organizations running on-premises SharePoint Server face an urgent window to remediate before threat actors escalate their exploitation campaigns.

