Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks

Published:

22 april 2026 om 06:53:02

Alert date:

22 april 2026 om 07:01:02

Source:

bleepingcomputer.com

Enterprise Applications, Zero-Day Vulnerabilities

Over 1,300 Microsoft SharePoint servers remain unpatched against a spoofing vulnerability that was initially exploited as a zero-day attack. The vulnerability is still being actively exploited in ongoing attacks against exposed SharePoint servers. This represents a significant security risk for organizations running unpatched SharePoint installations. The vulnerability allows attackers to perform spoofing attacks against vulnerable servers. Organizations should prioritize patching their SharePoint servers to prevent exploitation.

Technical details

CVE-2026-32201 is a spoofing vulnerability affecting SharePoint servers that allows threat actors without privileges to perform network spoofing by exploiting an improper input validation weakness. The attacks are low-complexity and don't require user interaction. Successful exploitation allows attackers to view sensitive information (Confidentiality) and make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability). The vulnerability was exploited as a zero-day and is still being abused in ongoing attacks.

Mitigation steps:

Apply Microsoft security updates released in April 2026 Patch Tuesday to patch CVE-2026-32201. Follow vendor instructions for mitigations. Federal agencies must patch SharePoint servers by April 28, 2026 as mandated by BOD 22-01. Follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected products:

SharePoint Enterprise Server 2016
SharePoint Server 2019
SharePoint Server Subscription Edition

Related CVE's:

CVE-2026-32201

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.