The Shadowserver Foundation reported on April 22, 2026 that more than 1,370 Microsoft SharePoint servers are still unpatched and exposed to the Internet due to the CVE-2026-32201 vulnerability. CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) list. This zero-day attack was discovered with Patch Tuesday on April 14 but a fix has not yet been applied to thousands of servers.
April 22, 2026 An alarming news has emerged in the cybersecurity world today. More than 1,370 Microsoft SharePoint servers around the world are sitting exposed on the internet, waiting for hackers. These servers are the victim of a dangerous zero-day vulnerability called CVE 2026 32201.
And the worst part is that this vulnerability was already being exploited in the real world. By the time Microsoft released a patch, thousands of organizations had still not applied the fix, putting them at direct risk.
What Is This Issue? Simple Explanation
Microsoft SharePoint is a widely-used collaboration platform that companies, government departments, schools and organizations around the world use to store data, share documents and facilitate team communication. Its a kind of office system that runs over the Internet. When this system is directly exposed to the Internet anyone from anywhere in the world can try to access it.
Now imagine that the door of your house is open and you forgot to lock it and a notice is put up on top saying Come in no one will stop you. This is the condition of these 1,370+ SharePoint servers. CVE-2026-32201 is a vulnerability in which a hacker can defraud the server even without any username or password by making it think that the request is genuine when in reality it is fake/crafted.
In technical terminology this is called a spoofing attack in which the attacker deceives the system by concealing their identity or data. And the most worrying thing is that this attack requires no special skills, no passwords no user interaction just an internet connection is enough.
CVE-2026-32201 How This Vulnerability Works
The full name of CVE-2026-32201 is Microsoft SharePoint Server Improper Input Validation Vulnerability. Simply put SharePoint Server mistakes incorrect or manipulated data for authenticity. When a user sends a request, for example, to view a document and SharePoint checks the request to see if it is genuine. In this vulnerability and this checking process does not work properly.
A hacker creates specially crafted HTTP requests, i.e. normal-looking but malicious inside and sends them to the SharePoint server. The server considers these requests to be genuine, as a result of which the hacker gets access to view or modify things that only authorized users can see. The hacker can access sensitive documents, user data, internal configurations and even tamper with the data.
Key Vulnerability Details
CVE ID: CVE-2026-32201
CVSS Score: 6.5 (Important) May appear moderate but the risk is quite high due to active exploitation.
Attack Vector: Network — Remote attack possible via the internet.
Authentication Required: No Attack can be launched without login.
User Interaction: Not required Exploit occurs automatically.
Attack Complexity: Low Not much technical knowledge required.
Affected Versions: SharePoint Server 2016, 2019 and Subscription Edition.
CWE Classification: CWE-20 (Improper Input Validation)
Status: Included in the CISA Known Exploited Vulnerabilities (KEV) List.
It would be a mistake to think that a score of 6.5 is not too bad. A CVSS score is just a number the real-world risk is much higher because it is zero-day (meaning it was exploitable before the patch) is on CISAs KEV list (meaning government agencies are also at risk) and hackers can use this vulnerability as a stepping stone to more vicious attacks.
Shadowserver Foundation Who They Are & What They Discovered
The Shadowserver Foundation is a non-profit cybersecurity research organization founded in 2004. Their mission is to make the internet safer. They both find malicious activity and share this data with governments, internet providers and security agencies around the world. This organization operates completely free of charge. It doesn’t want any companys money and it just wants the safety of the internet.
Shadowserver scans millions of IP addresses across the internet every day to find out which servers are vulnerable. When they started scanning against CVE-2026-32201 they found that 1,370+ SharePoint servers are still exposed. They send daily alerts to these organizations saying Brother your server is at risk fix it quickly. But when organizations ignore these alerts thats when major breaches occur.
Spoofing Attack Simple Example Explained
Spoofing means deceiving someone by making something appear to be something that it really is not. A simple example You work in a bank. A guy comes in and says, I’m the manager assistant. I need the keys to the locker room. You don’t check and you give him the keys and he goes in and takes all the money. This is spoofing.
In the digital world, an attacker sends a crafted request to a SharePoint server. The server thinks the request comes from a trusted source and processes it without proper verification. The attacker can view sensitive documents, alter data and display fake login pages and target users with phishing attacks. And all this happens completely authentically, making the user believe they are on their companys genuine site.
This vulnerability enables social engineering at the application level and allowing attackers to impersonate SharePoint and follow users.
The practical harm of this is imagine an employee goes to check a document on the companys SharePoint and is shown a login page. They enter their username and password, but the page is not real, but spoofed by a hacker. Now the hacker has the credentials and can infiltrate the entire organization. In this way even a vulnerability with a moderate CVSS score can lead to a catastrophic breach.
Who Is at Risk Target Organizations
This isn’t just a small issue. Microsoft SharePoint Server is used by some of the world’s largest enterprises, government agencies, universities, and healthcare organizations. Organizations that use SharePoint on premises (that is not in the cloud but on their own servers) and have it exposed to the Internet are at direct risk.
Highest-Risk Organizations
- Government departments that use SharePoint on-premises and allow external access
- Healthcare organizations where patient data is stored on SharePoint
- Universities and research institutions where sensitive academic data is accessible
- Financial services companies where confidential client data may be exposed
- Defense-related organizations Chinese state actors have targeted SharePoint servers in the past
- Every organization that uses SharePoint 2016, 2019 or Subscription Edition and has not applied the patch
Geographically the United States, Europe and East Asia have the most exposed servers because corporate SharePoint deployments are most common there. However the government and corporate SharePoint use is also common in Pakistan, India and the Middle East so organizations in these regions should also take immediate action.
April 2026 Patch Tuesday Microsoft Security Update
Patch Tuesday is a monthly routine for Microsoft in which it releases security fixes for its products simultaneously. This always happens on the second Tuesday of the month. This April 2026 update was the second-longest Patch Tuesday release in Microsoft history. A total of 163 vulnerabilities were fixed.
Security researcher ZDI made the observation that AI-powered vulnerability discovery may be a reason behind such frequent releases. Researchers are finding more vulnerabilities faster with AI tools hence the increased rate of submissions. Its an interesting and concerning trend that new holes are being discovered at the same pace as patches are released.
This release also contained several other dangerous vulnerabilities besides CVE-2026-32201 CVE-2026-33824 (Windows IKE Service, CVSS 9.8 critical), CVE-2026-33825 (Microsoft Defender Privilege Escalation) and CVE-2026-33826 (Windows Active Directory RCE). However the SharePoint zero-day received the most attention because it was already being exploited.
CISA Action US Cybersecurity Agency Response
CISA (Cybersecurity and Infrastructure Security Agency) is Americas federal cybersecurity agency that oversees the countrys digital security. Whenever a vulnerability is exploited in the real world and CISA adds it to its Known Exploited Vulnerabilities (KEV) catalog a public warning system.
CISA added CVE-2026-32201 to the KEV list on April 14, 2026 the same day Microsoft released the patch. This shows how serious the situation was. CISA also ordered Federal Civilian Executive Branch (FCEB) agencies to mandatorily apply the patch by April 28, 2026. This means government agencies had only two weeks.
If your SharePoint server is exposed to the Internet and the patch hasn’t been applied you’ve left the door open.
SharePoint Security History Previous Incidents Overview
Many people might think this is a new and unique incident but the truth is that Microsoft SharePoint has been a favorite target for hackers. Serious vulnerabilities have repeatedly occurred in SharePoint over the past few years
In July 2025 another massive attack occurred called the ToolShell attack. It used a combination of CVE-2025-49706 (Spoofing) and CVE-2025-49704 (Remote Code Execution). At that time, Chinese state sponsored hackers Linen Typhoon Violet Typhoon and Storm-2603 exploited these vulnerabilities. CISA confirmed that multiple US federal agencies and state government entities were compromised at that time.
And in 2024 CVE-2024-38094 was another SharePoint deserialization vulnerability in CISA KEV. The pattern is clear SharePoint is a high-value target and organizations that don’t apply patches repeatedly fall into this cycle. This is a warning sign that patch management shouldn’t just be a technical task and it should be an organizational priority.
What Organizations Should Do Now Emergency Response Guide
If you use SharePoint Server 2016, 2019 or Subscription Edition and it is accessible over the internet stop reading this article and apply the patch.
Step 1 Check first: Ask your IT team which SharePoint version is currently in use at your company and whether the April 2026 security update has been applied. The current version can be checked with the PowerShell command Get-SPFarm.
Step 2 Apply the patch: Microsoft has released patches for all three versions KB5002861 for SharePoint Server 2016, KB5002854 for SharePoint Server 2019 and KB5002853 for the Subscription Edition. These patches are free to download from the Microsoft Security Response Center (MSRC).
Step 3 Block Internet Exposure: If internet exposure to a server is not absolutely necessary and temporarily block external access by applying a firewall until the patch is applied. Implement WAF (Web Application Firewall) rules to filter malicious requests.
Step 4 Check the Logs: Review SharePoints access logs for unusual authentication patterns malformed HTTP requests or unwanted access attempts. If anything is positive call a professional incident response team.
Step 5 Long-term Planning: Cloud-based SharePoint Online (Microsoft 365) is not affected by this vulnerability. If resources are available and migrating from on-premises to the cloud is a long-term solution that also reduces the risk of future vulnerabilities.
Why This Is Important for Everyone
This news isn’t just tech news its a direct threat to every organization that uses SharePoint. 1,370 servers may seem like a large number but remember that behind each server are thousands of users, terabytes of data, and millions of dollars worth of information.
A compromised SharePoint server can leak confidential data from an entire company, steal employee credentials, and allow hackers to infiltrate the entire corporate network.The most regrettable thing is that all of this could have been prevented. The patch arrived on April 14th.
CISA issued a preliminary warning. Shadowserver sent daily alerts. Yet 1,370 organizations didn’t apply the patch in a week. This is a failure of patch management, and this failure makes cyber attacks possible.
As vulnerability discovery accelerates with AI tools and keeping your systems up-to-date is not just recommended its a necessity. Every delayed patch is an open window for hackers. The lessons from this incident are crucial, whether you’re an IT professional, a business owner or simply a concerned citizen.