Over 1,370 internet-facing SharePoint servers still appear exposed to actively exploited CVE-2026-32201
More than 1,370 internet-facing Microsoft SharePoint servers still appeared exposed to CVE-2026-32201 in recent Shadowserver tracking, days after Microsoft released fixes and CISA added the flaw to its Known Exploited Vulnerabilities catalog. The issue affects on-premises SharePoint Server deployments, not SharePoint Online, and it deserves urgent attention from any organization that still publishes SharePoint directly to the internet.
CVE-2026-32201 is a spoofing vulnerability caused by improper input validation in Microsoft Office SharePoint. Microsoft and NVD describe it as a network-based flaw that requires no privileges and no user interaction, which makes exposed servers easier to target at scale.
Microsoft disclosed the vulnerability on April 14, 2026, as part of its April security updates. CISA added it to KEV the same day and set an April 28, 2026 remediation deadline for federal civilian agencies, a sign that defenders should treat it as a live risk rather than a routine patch item.
Why this SharePoint bug matters now
The biggest concern is not the CVSS score alone. NVD lists CVE-2026-32201 with a 6.5 base score and the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, which translates to remote reachability, low attack complexity, no authentication, and no need for user action. That combination makes internet-facing systems especially attractive to attackers.
Microsoft’s support pages for SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition all state that the April 14 security updates resolve a SharePoint Server spoofing vulnerability and point administrators to CVE-2026-32201.
Shadowserver has already added CVE-2026-32201 to its vulnerable HTTP reporting. Its public description says the flaw is known to be exploited in the wild, is on CISA KEV, and is checked through a version-based detection method. Shadowserver also warns that version-based checks can produce false positives in some cases, so the exposed-host count should guide urgency, not replace internal validation.
What defenders should understand
This flaw affects on-premises SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Microsoft’s published April 14 update packages for those supported product lines are the main remediation path now.
Fresh reporting that cites Shadowserver scan data put the number of exposed internet-facing systems at 1,370 as of April 20, 2026. Even if some of those detections later turn out to be mitigated or misclassified, the number still points to a large patching gap more than a week after public disclosure and confirmed exploitation.
For security teams, the message is simple. If you still run on-premises SharePoint and expose it to the public internet, patching cannot wait. Restricting access, reviewing authentication and request logs, and validating every external SharePoint endpoint should happen alongside the update rollout.
CVE-2026-32201 at a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-32201 |
| Product | Microsoft SharePoint Server (on-premises) |
| Vulnerability type | Improper input validation leading to spoofing |
| Exploitation status | Confirmed exploited in the wild |
| CVSS v3.1 | 6.5 |
| Attack requirements | Network access, low complexity, no privileges, no user interaction |
| Affected versions named by Microsoft support pages | SharePoint Server 2016, 2019, Subscription Edition |
| Main action | Apply April 14, 2026 SharePoint security updates immediately |
What organizations should do right away
- Apply the April 14, 2026 SharePoint security updates for every supported on-premises SharePoint deployment.
- Check every internet-facing SharePoint host, reverse proxy, and published URL, then confirm the patched build landed successfully.
- Reduce public exposure where possible. Move external access behind tighter controls until patch validation finishes.
- Review logs for unusual authentication behavior, crafted requests, and signs of spoofed activity.
- Treat the CISA deadline as a practical urgency marker even outside government environments.
FAQ
The public Microsoft support pages tied to CVE-2026-32201 focus on SharePoint Server 2016, 2019, and Subscription Edition, which are on-premises products.
Because the flaw is remotely reachable, needs no login, needs no user action, and CISA says attackers already exploit it in the wild.
No. That figure reflects exposed systems reported in recent scanning, not a confirmed victim count. Shadowserver also notes that version-based checks can produce false positives in some situations.
Patch supported SharePoint servers, verify the update installed correctly, and review all externally reachable SharePoint services.