Over 1,300 Internet‑Facing SharePoint Servers Remain Exposed to Actively Exploited Vulnerability

More than 1,300 internet-facing Microsoft SharePoint servers are still exposed to an actively exploited vulnerability, even after security patches became available. The security flaw, tracked as CVE-2026-32201, puts sensitive enterprise data at risk while many organizations remain dangerously unpatched.

CVE‑2026‑32201 is a security flaw in Microsoft SharePoint Server caused by improper input validation, which allows an unauthenticated attacker to carry out network spoofing attacks. This vulnerability can be exploited remotely, requires no user interaction, and does not need prior privileges. Attackers can impersonate trusted users or services and potentially access or modify sensitive SharePoint data, compromising confidentiality and integrity while leaving availability largely unaffected.

The vulnerability affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. “An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability),” Microsoft explained in its advisory.

Microsoft and CISA urge immediate patching

Microsoft rated the vulnerability as medium severity (CVSS 6.5), but its real‑world risk is significantly higher due to confirmed active exploitation. The flaw was exploited as a zero‑day before patches were released in April 2026, which prompted CISA to add it to the Known Exploited Vulnerabilities catalog.

CISA has directed U.S. federal agencies to apply the security patches on affected SharePoint systems by April 28, 2026. It’s also recommended to follow mitigation guidance or remove the affected product if fixes cannot be applied. Other organizations are strongly advised to patch promptly using Microsoft’s security updates.

Recommended steps to secure vulnerable SharePoint servers

Organizations running on‑premises Microsoft SharePoint should prioritize immediate patching of all affected systems to address this security vulnerability. This flaw is actively exploited and doesn’t require authentication or user interaction, so delaying updates leaves internet‑facing servers especially exposed. Where patching cannot be applied right away, organizations should follow vendor‑recommended mitigations, restrict external access to SharePoint services, or temporarily remove vulnerable systems from the Internet to reduce the attack surface.

Security teams should take additional defensive steps to detect and limit potential misuse. These include reviewing SharePoint logs for unusual authentication or content‑modification activity, verifying that identity and trust relationships are functioning correctly, and strengthening network controls such as firewalls, reverse proxies, or IP allow‑listing.