1,370+ Microsoft SharePoint Servers Vulnerable to Spoofing Attacks Exposed Online
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical spoofing vulnerability in Microsoft SharePoint Server, tracked as CVE-2026-32201, remains unpatched on over 1,370 internet-facing IP addresses worldwide, according to fresh scanning data from the Shadowserver Foundation, even as the flaw sits on CISA\u2019s Known Exploited Vulnerabilities (KEV) catalog with confirmed active exploitation in the wild.<\/p>\n
CVE-2026-32201 is rooted in improper input validation<\/a> (CWE-20) within Microsoft Office SharePoint Server\u2019s request processing component. By sending specially crafted network requests, an unauthenticated remote attacker can bypass authentication checks and perform spoofing attacks impersonating legitimate users to access or manipulate sensitive organizational data.<\/p>\n Microsoft\u2019s advisory confirms that successful exploitation can allow an attacker to view sensitive information and make changes to disclosed information, though availability is not directly impacted.<\/p>\n The vulnerability carries a CVSS v3.1 base score of 6.5 (Medium severity), but security researchers warn that its real-world danger far exceeds its score.<\/p>\n The attack vector is fully network-based (AV:N), requires low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N) a dangerous combination for any internet-exposed enterprise collaboration platform.<\/p>\n Microsoft disclosed CVE-2026-32201 on April 14, 2026<\/a>, as part of its April Patch Tuesday update cycle, which addressed a total of 169 vulnerabilities.<\/p>\n The flaw affects on-premises SharePoint Server versions, including 2016, 2019, and Subscription Edition. CISA simultaneously added the vulnerability to its KEV catalog on April 14, citing confirmed evidence of active exploitation, and issued a federal remediation deadline of April 28, 2026.<\/p>\n CISA\u2019s rapid KEV listing moving in lockstep with Microsoft\u2019s patch release signals the severity with which threat actors are actively targeting unpatched SharePoint infrastructure.<\/p>\n This pattern mirrors the 2025 \u201cToolShell\u201d exploitation campaign, in which hundreds of SharePoint customers were targeted via chained SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706.cybersecuritydive+1<\/p>\n Shadowserver Foundation scanning data reveals 1,370 unpatched IP addresses still exposed to CVE-2026-32201 as of April 20, 2026, tracked under the The world map data confirms that the United States bears the highest concentration of vulnerable SharePoint deployments, with Canada contributing an additional 70 exposed IPs. European exposure is also significant, with clusters observed across Germany, France, and the UK.<\/p>\n Despite its \u201cMedium\u201d CVSS rating, CVE-2026-32201 presents a severe risk for any organization running an internet-facing, on-premises SharePoint Server.<\/p>\n The pre-authentication nature of the exploit means no credentials are needed any network-reachable SharePoint instance is a potential target. Exploitation can lead to credential theft, data exfiltration, unauthorized document access, and potential lateral movement into broader enterprise networks.<\/p>\n Organizations should take the following immediate steps:<\/p>\n With over a thousand vulnerable systems still exposed more than a week after patch availability, organizations running on-premises SharePoint Server face an urgent window to remediate before threat actors escalate their exploitation campaigns.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post 1,370+ Microsoft SharePoint Servers Vulnerable to Spoofing Attacks Exposed Online<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nMicrosoft SharePoint Servers Vulnerable<\/strong><\/h2>\n
http_vulnerable<\/code> and http_vulnerable6<\/code> sources. The geographic breakdown of exposed systems is alarming:<\/p>\n\n
Mitigations<\/strong><\/h2>\n
\n