Latest Actively Exploited Flaw Leaves Over 1,300 SharePoint Servers Vulnerable

More than 1,300 unpatched Microsoft SharePoint servers remain exposed online despite a critical security update. The flaw, tracked as CVE-2026-32201, is already being exploited in the wild and poses a serious risk to enterprise environments.

Critical SharePoint vulnerability requires no authentication

The vulnerability affects Microsoft SharePoint Server 2016, 2019, and Subscription Edition. It is classified as a spoofing flaw caused by improper input validation.

Attackers can exploit the issue without authentication, user interaction, or complex techniques. This makes it especially dangerous in real-world scenarios where exposed servers are easy targets.

Successful exploitation allows attackers to access sensitive data and modify content within SharePoint environments. While it does not directly impact system availability, the confidentiality and integrity risks remain significant.

Patch adoption remains slow despite active exploitation

Microsoft released a fix as part of its April 2026 Patch Tuesday rollout, which addressed a total of 167 vulnerabilities. However, patch adoption has been slow.

Fewer than 200 systems have been updated since the patch became available. This leaves over 1,300 servers still vulnerable, highlighting a major gap in enterprise patch management.

Security experts warn that this delay increases exposure, especially as attackers actively scan for unpatched systems.

CISA issues urgent directive to federal agencies

The Cybersecurity and Infrastructure Security Agency added CVE-2026-32201 to its Known Exploited Vulnerabilities catalog. This move confirms active exploitation and raises the urgency level.

U.S. federal agencies must apply the patch within two weeks, with a deadline set for April 28. The directive reflects the severity of the threat and the potential impact on critical systems.

High-risk threat enables data access and lateral movement

This vulnerability presents a high risk for organizations running affected SharePoint versions. Threat actors can gain unauthorized access, tamper with stored data, and potentially move laterally across internal networks.

The lack of authentication requirements further lowers the barrier for exploitation, making widespread attacks more likely.

Microsoft has not disclosed details about the attack methods or the threat actors involved, leaving defenders with limited visibility into ongoing campaigns.

Immediate mitigation steps recommended

Organizations should apply the latest SharePoint security updates without delay. Following Microsoft’s mitigation guidance and CISA recommendations is critical to reduce exposure.

If immediate patching is not possible, administrators should restrict external access to SharePoint servers or temporarily disable affected systems to prevent exploitation.

Broader security concerns continue to grow

This incident comes amid a wave of security issues across the Microsoft ecosystem. The RedSun exploit recently demonstrated the ability to bypass Microsoft Defender protections, raising concerns about built-in security effectiveness.

At the same time, Microsoft released an emergency .NET update to address another critical vulnerability, signaling increased pressure on organizations to stay current with security patches.

With multiple active threats emerging simultaneously, delayed patching continues to be one of the biggest risks facing enterprise IT environments today.

Via Bleeping Computer