1,370+ SharePoint servers exposed

- More than 1,370 internet-facing Microsoft SharePoint servers remain exposed to a critical spoofing flaw online.
- The vulnerability is tracked as CVE-2026-32201 and appears on CISA's Known Exploited Vulnerabilities list.
- Researchers warned unpatched SharePoint servers substantially increase breach risk for enterprise collaboration systems. (cybersecuritynews.com)

More than 1,370 SharePoint servers are still exposed on the public internet with a Microsoft flaw CISA now lists as actively exploited. (cybersecuritynews.com)

The bug, CVE-2026-32201, was added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog on April 14, 2026. CISA describes it as an improper input validation flaw in Microsoft SharePoint Server that lets an unauthorized attacker spoof over a network. (cisa.gov)

SharePoint is Microsoft’s on-premises document and collaboration platform, and internet-facing servers are the systems outsiders can reach directly. Microsoft shipped fixes on April 14 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. (support.microsoft.com)

Spoofing is the digital version of forging a badge or sender name so a system trusts something it should not trust. Microsoft’s advisory says the flaw stems from improper input validation, meaning the server does not correctly check data it receives before acting on it. (msrc.microsoft.com)

CISA’s catalog is the federal government’s running list of vulnerabilities already used in real attacks, not a watchlist for theoretical bugs. Under Binding Operational Directive 22-01, federal civilian agencies have until May 4, 2026, to remediate CVE-2026-32201 after its addition to the catalog. (cisa.gov)

Security firms said Microsoft’s April 2026 Patch Tuesday included one exploited zero-day in SharePoint, and Rapid7 said administrators should start by addressing CVE-2026-32201. Tenable said Microsoft patched 163 CVEs that month, while Rapid7 counted 167 because browser issues are tallied differently. (rapid7.com) (tenable.com)

Rapid7 said the advisory offers limited detail and lists low impact to confidentiality and integrity with no impact to availability, but warned attackers often chain lower-scored bugs with other flaws. The CVSS base score for CVE-2026-32201 is 6.5 in Microsoft’s April release coverage. (rapid7.com) (cybersecuritynews.com)

Shadowserver, which tracks exposed internet services, added CVE-2026-32201 to its vulnerable HTTP reporting and says organizations that receive a hit should review systems for signs of compromise and follow vendor mitigations. Shadowserver also notes its version-based checks can produce false positives in some cases. (shadowserver.org)

Microsoft’s April support bulletins say the SharePoint updates specifically resolve the spoofing vulnerability, and the 2016 patch bulletin identifies build 16.0.5548.1003 while the Subscription Edition bulletin lists build 16.0.19725.20210. That leaves the immediate job for administrators unchanged: find any public-facing SharePoint server, verify the April 14 update is installed, and check for abuse if it is not. (support.microsoft.com 1) (support.microsoft.com 2)
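The "verify the April 14 update is installed" step can be run over an asset inventory by comparing each server's reported build against the two builds quoted above. The following is an added example, not code from Microsoft, Shadowserver or the article; the host names and sample builds are constructed, and it assumes a build at or above the quoted one includes the fix. The article gives no build for SharePoint Server 2019, so that edition is routed to manual verification.

```python
import re

# Minimum patched builds as quoted in the article from Microsoft's April bulletins.
# The article states no build for SharePoint Server 2019, so it has no threshold here.
PATCHED_BUILDS = {
    "2016": (16, 0, 5548, 1003),
    "Subscription Edition": (16, 0, 19725, 20210),
    "2019": None,  # not stated in the article; take it from the 2019 bulletin
}

def parse_build(text):
    """Turn '16.0.5548.1003' into a tuple of four ints, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", text, flags=re.ASCII):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(edition, build_text):
    """Return 'patched', 'unpatched' or 'verify-manually' for one server."""
    minimum = PATCHED_BUILDS.get(edition)
    build = parse_build(build_text)
    if minimum is None or build is None:
        # Unknown edition, missing threshold or unreadable build: do not guess.
        return "verify-manually"
    return "patched" if build >= minimum else "unpatched"

def triage(inventory):
    """Group hosts by status; 'unpatched' hosts also need a compromise review."""
    report = {"patched": [], "unpatched": [], "verify-manually": []}
    for host, edition, build_text in inventory:
        report[classify(edition, build_text)].append(host)
    return report

# Constructed sample inventory (hypothetical hosts and builds, for illustration).
SAMPLE_INVENTORY = [
    ("sp16-a.example.test", "2016", "16.0.5548.1003"),
    ("sp16-b.example.test", "2016", "16.0.5547.1000"),
    ("spse-a.example.test", "Subscription Edition", "16.0.19725.20210"),
    ("spse-b.example.test", "Subscription Edition", "16.0.19127.20518"),
    ("sp19-a.example.test", "2019", "16.0.10417.20003"),
    ("sp16-c.example.test", "2016", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Because version-based checks can produce false positives, as Shadowserver notes, an "unpatched" result is a lead to confirm on the server itself before acting on it.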
