Over 1,300 Microsoft SharePoint servers exposed online remain unpatched for a zero-day spoofing vulnerability (CVE-2026-32201) that Microsoft fixed in April 2026 but continues to be exploited in active attacks. Shadowserver reports fewer than 200 systems have been patched, and CISA has added the flaw to its KEV catalog and ordered federal agencies to remediate under BOD 22-01. #CVE-2026-32201 #MicrosoftSharePoint #Shadowserver #CISA
Keypoints
- Over 1,300 exposed SharePoint servers remain unpatched against CVE-2026-32201.
- The vulnerability affects SharePoint Server 2016, 2019, and Subscription Edition and enables network spoofing without privileges or user interaction.
- Microsoft released a patch in April 2026 but has not disclosed exploitation details or attributed attacks to a specific threat actor.
- Shadowserver found fewer than 200 systems patched since the update, leaving most exposed systems at risk.
- CISA added the flaw to its KEV catalog and ordered federal civilian agencies to patch under BOD 22-01 within two weeks.