Rewterz Annual Threat Intelligence Report 2025 - Download Now

Request a Demo
Rewterz

Claude, Gemini, and Copilot Hit by GitHub Prompt Injection

April 21, 2026
How-Does-an-AI-Native-SOC-Work-A-Step-by-Step-Guide-to-AI-Security-Operations

How Does an AI-Native SOC Work? A Step-by-Step Guide to AI Security Operations

April 22, 2026

1,370 SharePoint Servers Exposed to Spoofing Attacks

Severity

High

Analysis Summary

CVE-2026-32201 is a spoofing vulnerability affecting Microsoft SharePoint Server, caused by improper input validation (CWE-20) in the request processing component. It allows unauthenticated attackers to bypass authentication and impersonate legitimate users by sending specially crafted network requests. This enables access to sensitive organizational data and potential modification of information without requiring any credentials or user interaction. Although Microsoft rates the flaw at CVSS(Medium), its real-world impact is considered significantly more severe due to its ease of exploitation and pre-authentication nature.

The vulnerability affects on-premises deployments of Microsoft SharePoint Server versions 2016, 2019, and Subscription Edition. Microsoft disclosed the issue on April 14, 2026, as part of its Patch Tuesday release addressing 169 vulnerabilities. On the same day, CISA added it to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild and enforcing a federal remediation deadline of April 28, 2026. This rapid inclusion highlights how quickly attackers are already leveraging the flaw against exposed systems.

Fresh telemetry from the Researcher reveals a concerning attack surface: at least 1,370 internet-facing SharePoint servers remain unpatched globally. The largest concentration is in North America (677 systems), with the United States alone accounting for 587 exposed IPs. Europe follows with 452 vulnerable systems, while Asia, Oceania, South America, and Africa collectively account for smaller but still significant exposure. These numbers indicate widespread delayed patch adoption across enterprise environments.

Despite its “medium” severity rating, the vulnerability poses high operational risk due to its network-based attack vector (AV:N), low complexity (AC:L), and absence of privileges or user interaction requirements. Exploitation can lead to credential theft, data exfiltration, unauthorized document access, and potential lateral movement within enterprise networks. Security researchers warn that its impact resembles previous large-scale SharePoint exploitation campaigns, making immediate patching and exposure reduction critical before threat actors escalate their activity further.

Impact

  • Sensitive Data Theft
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2026-32201

Remediation

  • Apply the latest Microsoft security updates released in April 2026 for Microsoft SharePoint Server (2016, 2019, Subscription Edition) immediately.
  • Ensure all internet-facing SharePoint servers are fully patched and verify patch installation success across the environment.
  • Remove or restrict public internet exposure of SharePoint servers wherever possible; place them behind VPN or reverse proxy with strong access controls.
  • Enforce strict authentication policies and monitor for unusual login patterns, session anomalies, or spoofed user activity.
  • Enable advanced logging and continuously review SharePoint and Windows event logs for suspicious request patterns or authentication bypass attempts.
  • Block or rate-limit suspicious inbound traffic at the network perimeter using WAF (Web Application Firewall) rules targeting SharePoint endpoints.
  • Regularly audit exposed assets using external scanning sources (e.g., Shadowserver reports) to identify unpatched or forgotten servers.
  • Follow CISA KEV guidance and prioritize CVE-2026-32201 remediation before the official deadline (April 28, 2026).