The SharePoint Integrity Crisis: Zero-Day Spoofing and the Race to Patch

Apr 30, 2026

In a significant and ongoing security incident, more than 1,300 publicly accessible Microsoft SharePoint servers remain unpatched against a critical IP spoofing vulnerability. This flaw, tracked as CVE-2026-32201, was initially exploited as a zero-day before being addressed in Microsoft's April 2026 Patch Tuesday. Despite the availability of patches, the vast majority of exposed systems remain vulnerable to active attacks.

The Vulnerability: Surgical Deception

The root of the issue lies in improper input validation within SharePoint’s network-facing components. This technical oversight allows an unauthenticated, remote attacker to perform network data spoofing without any user interaction.

  • Affected Versions: The flaw impacts SharePoint Enterprise Server 2016, SharePoint Server 2019, and the SharePoint Server Subscription Edition.

  • Attack Complexity: The exploit is classified as low complexity, requiring no special privileges or authentication to execute.

  • Impact: Attackers can impersonate legitimate users or resources, potentially leading to unauthorized data access, phishing campaigns, or the alteration of sensitive information.

Slow Adoption and Active Threats

Internet watchdog Shadowserver recently warned that of the 1,300+ vulnerable servers identified, fewer than 200 systems have been updated since the patches were released. This slow response time leaves over a thousand enterprise environments exposed to a vulnerability that is already being used in the wild.

While Microsoft has officially designated CVE-2026-32201 as a zero-day, the company has yet to provide specific details on the nature of the observed attacks or link the activity to a known threat group.

The CISA Mandate

Recognizing the severity of the situation, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) Catalog on the same day patches were released.

  • Mandatory Patching: Federal Civilian Executive Branch (FCEB) agencies were ordered to secure their servers by April 28, 2026.

  • Significant Risk: CISA emphasized that this type of spoofing vulnerability is a common attack vector for sophisticated actors and poses a substantial risk to enterprise networks.

Recommendation

For any organization running on-premises SharePoint, the situation is urgent. Administrators should:

  1. Immediately apply the April 2026 security updates provided by Microsoft.

  2. Restrict public exposure by moving SharePoint servers behind a VPN or reverse proxy whenever possible.

  3. Monitor network logs for anomalous authentication patterns or malformed HTTP requests that could indicate a compromise attempt.
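A starting point for step 3, as an added example that is not from the original article or from Microsoft: it parses IIS W3C logs (IIS is the web server SharePoint runs on) and lists clients that send repeated malformed (400) requests, or repeated 401s without ever authenticating. The article gives no indicators specific to CVE-2026-32201, so this is general triage rather than a signature; the log lines are constructed and the threshold of 3 is an assumption.

```python
from collections import defaultdict

SP_PREFIXES = ("/_layouts/", "/_vti_bin/", "/_api/")  # standard SharePoint URL paths
# Constructed sample in IIS W3C extended format (documentation IPs, not real traffic).
SAMPLE_LOG = r"""
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-04-29 10:00:01 GET /_api/web - 10.0.0.5 401
2026-04-29 10:00:02 GET /_api/web - 10.0.0.5 401
2026-04-29 10:00:03 GET /_api/web - 10.0.0.5 401
2026-04-29 10:00:04 GET /_api/web CONTOSO\alice 10.0.0.5 200
2026-04-29 11:00:00 POST /_vti_bin/client.svc - 203.0.113.9 400
2026-04-29 11:00:01 POST /_vti_bin/client.svc - 203.0.113.9 400
2026-04-29 11:00:02 POST /_vti_bin/client.svc - 203.0.113.9 400
2026-04-29 11:30:00 GET /_layouts/15/start.aspx - 198.51.100.7 401
2026-04-29 11:30:01 GET /_layouts/15/start.aspx - 198.51.100.7 401
2026-04-29 11:30:02 GET /_layouts/15/start.aspx - 198.51.100.7 401
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def triage(text, min_events=3):
    """Return {client_ip: [reasons]} for clients worth a closer look (threshold is an assumption)."""
    stats = defaultdict(lambda: {"400": 0, "401": 0, "authed": 0})
    for req in parse_w3c(text):
        if not req.get("cs-uri-stem", "").lower().startswith(SP_PREFIXES):
            continue
        s, status = stats[req.get("c-ip", "?")], req.get("sc-status", "")
        if req.get("cs-username", "-") != "-":
            s["authed"] += 1          # request carried an authenticated identity
        elif status in ("400", "401"):
            s[status] += 1            # anonymous request rejected as malformed or unauthenticated
    flagged = {}
    for ip, s in stats.items():
        reasons = ["malformed-requests"] if s["400"] >= min_events else []
        # Integrated-auth handshakes begin with a 401, so flag only clients that never authenticate.
        if s["401"] >= min_events and s["authed"] == 0:
            reasons.append("auth-failures-only")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Run `triage()` over the text of a real log file from the IIS log directory; the parser follows whatever column order the file's own `#Fields` line declares.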

Conclusion: SharePoint Exploitation Crisis

CVE-2026-32201 confirms that patching latency is now a fatal operational risk. With 1,300+ servers still exposed, the gap between the released fix and its implementation has created a massive, high-value target surface for active attacks.

The core issue is that public exposure is an immediate liability. Because this vulnerability allows for low-complexity IP spoofing without user interaction, unpatched servers are effectively open to any attacker who can impersonate a trusted entity. CISA’s immediate KEV inclusion proves this is a real-world fire, not a theoretical threat. Organizations must treat these updates as an emergency because, in a landscape where exploitation begins minutes after a patch is released, speed is the only defense.

