The Spoofing Flaw Nobody’s Talking About (Enough)

While everyone’s watching AI break into vulnerability research and Vercel bleed tokens, a quieter disaster is unfolding on corporate networks worldwide. Over 1,300 Microsoft SharePoint servers remain unpatched against a zero-day spoofing vulnerability — and the U.S. government just told federal agencies they have two weeks to fix it or else.

That’s not hype. That’s Binding Operational Directive 22-01 in action.

CVE-2026-32201: Low Complexity, High Consequences

The vulnerability, tracked as CVE-2026-32201, affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and the Subscription Edition. Microsoft patched it in the April 2026 Patch Tuesday release, but here’s the kicker: it was already being exploited in the wild when the patch dropped. Zero-day. No user interaction required. Low attack complexity.

What does successful exploitation actually get an attacker?

  • Confidentiality: View sensitive information
  • Integrity: Make changes to disclosed information
  • Availability: Not directly affected — which means the attack is stealthy

Translation: an unauthenticated attacker can sniff and modify data on your SharePoint instance without crashing it, without triggering obvious downtime alerts, and without needing anyone to click a phishing link first.

1,300+ Servers Still Exposed

On Tuesday, the Shadowserver Foundation — the internet’s unpaid security watchdog — scanned the web and found over 1,300 SharePoint servers still vulnerable. Fewer than 200 had been patched since Microsoft released fixes the previous week.

Think about that ratio. A critical, actively exploited zero-day with a government-mandated patching deadline — and roughly 87% of exposed servers are still sitting there waiting to be popped.

It gets worse. CISA added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) Catalog on the same day the patch came out. Federal agencies now have until April 28, 2026 to remediate or document compensating controls.

Why SharePoint Keeps Getting Hit

SharePoint is one of those enterprise tools that organizations install, customize heavily, and then treat as immovable infrastructure. It’s not a shiny SaaS product with auto-updates. It’s on-premises software running on servers that IT teams are afraid to touch because “something might break.”

This creates a perfect storm:

  • High value target: SharePoint hosts internal documents, credentials, strategic plans, and sometimes source code
  • Complex patching: On-prem SharePoint updates often require farm downtime, compatibility testing, and custom workflow validation
  • Weak visibility: Many organizations don’t even know how many SharePoint servers they have exposed to the internet

The “continuous update” model of the Subscription Edition was supposed to fix this. Clearly, it hasn’t.

The Bigger Picture: Patch Velocity vs. Exploit Velocity

Microsoft fixed 167 vulnerabilities in the April Patch Tuesday release, including two zero-days. That’s a massive workload for any security team. But attackers don’t care about your workload. They care about whether your server is listening on port 443 with a known flaw.

What we’re seeing here is a structural problem: patch velocity can’t keep up with exploit velocity when the attack surface is thousands of on-premises servers that require manual intervention to secure.

CISA’s KEV catalog and BOD 22-01 are blunt instruments, but they’re necessary ones. When the federal government has to legally mandate patching timelines, you know the private sector is even further behind.

What You Should Do Right Now

If you run SharePoint on-premises — or know someone who does — here’s your checklist:

  1. Scan your perimeter. Use Shadowserver data or run your own scan. Know what’s exposed.
  2. Apply the KB patches for CVE-2026-32201 immediately, i.e. the April 2026 cumulative updates for the affected versions.
  3. Review your SharePoint farm architecture. If it doesn’t need to be internet-facing, take it offline or put it behind a VPN.
  4. Monitor for post-exploitation activity: unauthorized document access, permission changes, or unexpected data exports.
  5. Document everything. If you’re a federal agency, BOD 22-01 requires it. If you’re private sector, your cyber insurance will thank you.
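Step 1 is where most shops stall, because nobody has a list. The triage helper below is an added example (not from this article or from Microsoft): it takes HTTP response headers captured from hosts you own and reads the MicrosoftSharePointTeamServices banner that on-prem SharePoint returns, mapping the build to a product family so the three editions the patch covers land in a patch queue. It assumes the banner has the shape `16.0.0.<build>` and uses each family's RTM build as the boundary (16.0.4351 for 2016, 16.0.10337 for 2019, 16.0.14326 for Subscription Edition); a banner only tells you the family, so patch level still has to be confirmed on the farm itself, and a hardened server may not send the banner at all.

```python
from typing import Dict, List, Tuple

# Product families the patch covers (the three editions named in the advisory).
AFFECTED = {"SharePoint Server 2016", "SharePoint Server 2019",
            "SharePoint Server Subscription Edition"}
# RTM builds used as family boundaries. Assumption: the banner's last field is
# the build number and each family's builds start at its RTM build.
RTM_SE, RTM_2019 = 14326, 10337

def product_from_banner(banner: str) -> str:
    """Map a MicrosoftSharePointTeamServices value such as '16.0.0.10337' to a family."""
    parts = banner.strip().split(".")
    try:
        major, build = int(parts[0]), int(parts[-1])
    except (ValueError, IndexError):
        return "unparseable banner"
    if major == 15:
        return "SharePoint Server 2013"   # not in the advisory; still worth a look
    if major != 16:
        return f"unknown major version {major}"
    if build >= RTM_SE:
        return "SharePoint Server Subscription Edition"
    if build >= RTM_2019:
        return "SharePoint Server 2019"
    return "SharePoint Server 2016"

def triage(responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, bool]]:
    """host -> (product family, needs the CVE-2026-32201 patch check)."""
    out = {}
    for host, headers in responses.items():
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        banner = lowered.get("microsoftsharepointteamservices")
        if banner is None:
            out[host] = ("no SharePoint banner", False)
            continue
        product = product_from_banner(banner)
        out[host] = (product, product in AFFECTED)
    return out

# Constructed sample: headers as a scan of your own perimeter would return them.
SAMPLE = {"portal.example.internal": {"MicrosoftSharePointTeamServices": "16.0.0.10337"},
          "docs.example.internal": {"microsoftsharepointteamservices": "16.0.0.17928"},
          "legacy.example.internal": {"MicrosoftSharePointTeamServices": "15.0.0.4420"},
          "www.example.internal": {"Server": "nginx"}}

def patch_queue(responses: Dict[str, Dict[str, str]] = SAMPLE) -> List[str]:
    """Hosts whose banner places them in an affected family, for the patch tracker."""
    return sorted(h for h, (_, in_scope) in triage(responses).items() if in_scope)
```

Feed it the headers from your own scan instead of `SAMPLE`; `patch_queue()` returns the hosts that need a cumulative-update check, and `triage()` keeps the rest (2013 boxes, unbannered hosts) visible rather than silently dropping them.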

The Bottom Line

While AI-powered threats and blockchain-infostealers grab headlines, the real damage is still being done by unpatched servers running known-vulnerable software. CVE-2026-32201 isn’t exotic. It doesn’t require nation-state tooling. It just requires an attacker to find your server before you patch it.

With 1,300+ still exposed and a ticking federal deadline, the question isn’t whether more breaches will happen. It’s how many — and whether yours will be one of them.

Stay sharp. Patch fast. And maybe take SharePoint off the internet if it doesn’t need to be there.