xiand.ai
Apr 24, 2026 · Updated 03:45 PM UTC

Over 1,300 Microsoft SharePoint servers remain vulnerable to active spoofing attacks

More than 1,300 internet-facing Microsoft SharePoint servers are currently unpatched against a zero-day vulnerability that attackers are actively exploiting, according to bleepingcomputer.com.

Ryan Torres



More than 1,300 Microsoft SharePoint servers exposed to the internet remain unpatched against a spoofing vulnerability that is currently being used in active attacks, according to bleepingcomputer.com.

The security flaw, tracked as CVE-2026-32201, affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.

Attackers can exploit an improper input validation weakness to perform network spoofing. This low-complexity attack requires no user interaction and can be executed by threat actors without existing privileges.

Microsoft stated that successful exploitation allows attackers to view sensitive information and change disclosed data, though they cannot limit access to the resource.

Federal agencies ordered to patch

Internet security watchdog Shadowserver reported Tuesday that fewer than 200 systems have been patched since Microsoft released security updates last week.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.

CISA ordered Federal Civilian Executive Branch (FCEB) agencies to patch their SharePoint servers by April 28. This mandate follows the agency's Binding Operational Directive 22-01.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned.

The agency instructed federal departments to apply vendor mitigations or discontinue use of the product if mitigations are unavailable.

Microsoft originally released patches for the flaw as part of its April 2026 Patch Tuesday. While the company confirmed the vulnerability was a zero-day, it has not linked the ongoing malicious activity to a specific hacking group.
