Over 1,300 SharePoint Servers Still Exposed — And Actively Targeted
If your organization runs on-premises Microsoft SharePoint, this is not a “read later” item.
More than 1,300 SharePoint servers are still exposed online and unpatched against a vulnerability that’s already been exploited in the wild. That number comes from Shadowserver monitoring data — and it’s only counting what’s publicly visible.
What’s the vulnerability?
The issue is tracked as CVE-2026-32201, a spoofing vulnerability affecting:
- SharePoint Enterprise Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
Microsoft patched it in April 2026, but flagged it as a zero-day — meaning attackers were already exploiting it before the fix was available.
What attackers can actually do
This isn’t just theoretical risk. Successful exploitation allows an attacker to:
- Access sensitive information
- Modify data within SharePoint
- Operate without authentication
- Launch low-complexity attacks (no user interaction required)
In plain terms: they don’t need credentials, and they don’t need your users to click anything.
Why this matters more than usual
CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog immediately — which is a strong signal.
When something lands in KEV:
- It’s already being used in real attacks
- It’s considered high-risk for enterprise environments
- Federal agencies are required to patch on a deadline (in this case: two weeks)
That same urgency applies to private businesses — whether it’s enforced or not.
The bigger pattern
This isn’t just about SharePoint. We’re seeing a consistent shift:
- Attackers are targeting core business platforms (SharePoint, VPNs, firewalls, RMM tools)
- Exploits require less effort (low complexity, no user interaction)
- Exposure windows are shrinking — attackers scan within hours of disclosure
And yet, patch adoption is still lagging.
The real risk isn’t the vulnerability — it’s the delay
Shadowserver reported that fewer than 200 systems were patched in the first week after release.
That gap — between patch release and patch deployment — is where attackers live.
What IT teams should do this week
If you run SharePoint on-prem:
- Patch immediately using Microsoft’s April 2026 updates
- Confirm external exposure — SharePoint should not be internet-facing unless absolutely required
- Review logs for unusual activity over the past 2–3 weeks
- Validate access controls — especially service accounts and integrations
- Check for persistence — if exploited, assume attackers may have left access behind
If you’re unsure whether you’re exposed, that’s the first problem to solve.
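To make the log-review step concrete, here is an added triage sketch (not Microsoft's or Shadowserver's code, and not from the original article) that reads IIS W3C logs and lists requests that were unauthenticated, came from outside your network, changed state, and succeeded within the last three weeks. The article gives no indicators for CVE-2026-32201, so this is a generic filter rather than a signature; the internal ranges, URL paths and log lines are constructed assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not real log data).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-20 08:01:10 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.4.17 Mozilla/5.0 200
2026-04-21 02:13:44 10.0.0.5 POST /sites/hr/example.aspx - 443 - 203.0.113.50 curl/8.0 200
2026-04-21 02:13:49 10.0.0.5 POST /sites/hr/example.aspx - 443 - 203.0.113.50 curl/8.0 200
2026-04-22 11:30:02 10.0.0.5 POST /sites/hr/example.aspx - 443 - 198.51.100.7 python-requests 401
2026-03-01 09:00:00 10.0.0.5 POST /sites/hr/example.aspx - 443 - 203.0.113.50 curl/8.0 200
"""

# Assumption: replace with the ranges your organization treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def triage(lines, now, days=21):
    """External, anonymous, successful write requests inside the review window."""
    cutoff = now - timedelta(days=days)
    hits = []
    for r in parse_w3c(lines):
        when = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        # cs-username "-" means IIS saw no authenticated user; the 2xx filter
        # drops the 401 challenge that starts a normal Windows-auth handshake.
        if (when >= cutoff and r["cs-username"] == "-" and is_external(r["c-ip"])
                and r["cs-method"] in WRITE_METHODS and r["sc-status"].startswith("2")):
            hits.append(r)
    return hits

def by_client(hits):
    """Hit count per client IP, busiest first."""
    return Counter(r["c-ip"] for r in hits).most_common()
```

Hits are leads for a closer look, not proof of compromise. If SharePoint sits behind a reverse proxy or load balancer, the client IP column will show the proxy unless it logs the forwarded address.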
For business owners: what to ask your IT team
You don’t need to understand SharePoint internals. Just ask:
- Are we running on-prem SharePoint?
- Has CVE-2026-32201 been patched?
- Was it exposed to the internet at any point?
- Have we checked logs for suspicious activity?
If any answer is unclear, that’s where to focus.
Bottom line
This is a textbook example of modern attacks:
- Known vulnerability
- Active exploitation
- Patch available
- Large number of systems still exposed
The difference between “we’re fine” and “we had an incident” is often just how quickly you patched.



