Full Report
Over 1,300 Microsoft SharePoint servers exposed online remain unpatched against a spoofing vulnerability that was exploited as a zero-day and is still being abused in ongoing attacks. [...]
Analysis Summary
# Vulnerability: Microsoft SharePoint Server Spoofing Vulnerability
## CVE Details
- **CVE ID:** CVE-2026-32201
- **CVSS Score:** N/A (Note: Severity described as "High" importance by CISA inclusion/vendor flagging, though the specific numerical score is not provided in the text).
- **CWE:** CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** Microsoft SharePoint Server
- **Versions:**
- SharePoint Enterprise Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition (On-premises)
- **Configurations:** Systems exposed to the public internet.
## Vulnerability Description
CVE-2026-32201 is a network spoofing vulnerability caused by improper input validation within SharePoint Server. The flaw allows an unprivileged, remote attacker to manipulate web traffic or server responses. Because the vulnerability lacks sufficient input sanitization, an attacker can perform spoofing actions that compromise the perceived source or integrity of data transmitted via the server.
## Exploitation
- **Status:** Exploited in the wild (Zero-day).
- **Complexity:** Low.
- **Attack Vector:** Network (Remote).
- **User Interaction:** None required.
## Impact
- **Confidentiality:** Partial (Attacker can view some sensitive information).
- **Integrity:** Partial (Attacker can make changes to disclosed information).
- **Availability:** Low/None (Attacker cannot limit access to the resource).
## Remediation
### Patches
Microsoft released official security updates as part of the **April 2026 Patch Tuesday**. Admins should apply the following updates based on their version:
- Security updates for SharePoint Enterprise Server 2016.
- Security updates for SharePoint Server 2019.
- Security updates for SharePoint Server Subscription Edition.
### Workarounds
- **Network Isolation:** Disconnect or restrict internet exposure of vulnerable SharePoint servers.
- **Access Control:** Implement strict access control lists (ACLs) to limit who can interact with the server until patching is complete.
## Detection
- **Indicators of Compromise:** Shadowserver and CISA have confirmed active exploitation. Organizations should monitor for unusual network traffic originating from or directed toward SharePoint endpoints.
- **Detection methods and tools:**
- **Shadowserver Dashboard:** Can be used to check if an organization's public IP addresses are flagged as vulnerable.
- **Vulnerability Scanning:** Use updated security scanners to identify unpatched SharePoint instances.
- **CISA KEV Catalog:** Cross-reference internal asset lists against the Known Exploited Vulnerabilities catalog.
## References
- **Vendor Advisory:** hxxps[://]msrc[.]microsoft[.]com/update-guide/en-US/advisory/CVE-2026-32201
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Shadowserver Statistics:** hxxps[://]dashboard[.]shadowserver[.]org/statistics/combined/time-series/?tag=cve-2026-32201
- **BleepingComputer Article:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/over-1-300-microsoft-sharepoint-servers-vulnerable-to-ongoing-attacks/