1,300+ SharePoint servers still exposed to actively exploited spoofing zero-day
Original source: "Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks" (BleepingComputer)
Shadowserver’s scans show more than 1,300 internet-facing Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing flaw Microsoft disclosed in its April 2026 Patch Tuesday after it was already being exploited as a zero-day. Fewer than 200 systems have been remediated in the week since fixes shipped. The bug stems from improper input validation and affects SharePoint Enterprise Server 2016, Server 2019, and the Subscription Edition; an unauthenticated attacker can spoof network traffic in a low-complexity attack with no user interaction, reading sensitive data and tampering with disclosed information.
Microsoft has not attributed the in-the-wild activity to a specific actor or described the exploitation chain. CISA added the CVE to its Known Exploited Vulnerabilities catalog the same day patches shipped and issued a BOD 22-01 order requiring federal civilian agencies to patch by April 28. The slow patch curve on a pre-auth, network-reachable spoofing bug in a heavily enterprise-deployed collaboration platform is the operational risk — SharePoint servers sit close to identity, document stores, and internal workflows, so integrity tampering has blast radius beyond the host itself.
This is an AI-generated summary. Read the original for the full story.