On April 14, 2026, Microsoft's Patch Tuesday included CVE-2026-32201. By the same afternoon, CISA had added it to the Known Exploited Vulnerabilities catalog and set a federal remediation deadline of April 28. As of this week's Shadowserver Foundation scan, more than 1,370 internet-facing SharePoint servers are still unpatched and still exposed.
We are five days away from the deadline. Some of those servers belong to Fortune 1000 companies. Some belong to government agencies. Some, almost certainly, are already compromised.
What Is Actually Broken
CVE-2026-32201 is a spoofing vulnerability in Microsoft Office SharePoint Server's request processing component, rooted in improper input validation (CWE-20). By sending a specially crafted network request, an unauthenticated remote attacker can bypass authentication checks and impersonate legitimate users. From there the attacker can read documents the real user can read, and write documents the real user can write.
The affected products are SharePoint Server 2016, 2019, and Subscription Edition — the on-premises line. SharePoint Online on Microsoft 365 is not in scope. This is a very important detail, because on-premises SharePoint tends to be deployed inside environments that have the least tolerance for patching downtime: government, regulated industries, manufacturing, healthcare, and legal. Ironically, the organizations with the most sensitive SharePoint content are the ones most likely to still be running vulnerable versions at this hour.
Microsoft has confirmed exploitation in the wild. The vulnerability is already being integrated into commodity attack tooling, not just targeted operations.
Why Spoofing Is Scarier Than RCE Here
When security practitioners hear "spoofing, medium severity, not remote code execution," the instinct is to deprioritize. That instinct is wrong for this specific vulnerability, for three reasons.
First, SharePoint is an authentication target. It sits in the middle of the identity and document trust fabric for most large enterprises. If an attacker can convincingly impersonate an arbitrary user, they can exfiltrate documents, request password resets via internal workflows, approve or reject access requests, and quietly alter records. These are all catastrophic outcomes that do not require code execution.
Second, SharePoint is highly integrated. Its data flows into Teams, Outlook, Power Automate, and dozens of third-party connectors. An authentication break in SharePoint is often an authentication break in the entire Microsoft-centric collaboration estate.
Third, this is not an isolated event. The same Patch Tuesday addressed 163 CVEs, including a previously disclosed BlueHammer-like Defender elevation of privilege and a wave of SharePoint-adjacent issues. An attacker who gets spoofed access via CVE-2026-32201 is not going to stop there — they are going to chain it.
Why 1,370 Servers Have Not Patched
The Shadowserver numbers are worth sitting with. Five days before a US federal deadline for a confirmed-in-the-wild vulnerability, over thirteen hundred public-facing SharePoint instances remain vulnerable. This is not a technical failure — the patch exists, it works, and it is free. This is an organizational failure.
Some of those organizations do not know they run SharePoint. Some do, but they outsource operations to a managed service provider that is not paid to patch on vendor timelines. Some are running heavily customized SharePoint farms where every patch carries a real risk of breaking a workflow that an executive depends on. And some, to be honest, simply do not have anyone whose job it is to monitor CISA KEV and act on it.
This is a preview of the biggest untold cybersecurity story of 2026: visibility, not capability, is now the binding constraint. Most organizations have the tools to fix this. Most organizations do not know they need to.
My Take
If I had to pick one vulnerability from the last six months to explain to a non-technical board, it would be CVE-2026-32201. Not because it is the most severe — it isn't — but because it is the most representative. It is a medium-severity flaw in a boring, widely deployed enterprise product, exploitable without authentication, already being used, publicly catalogued, with a free fix available, and still unpatched on thirteen hundred internet-facing servers five days before a federal deadline.
That is not a story about Microsoft. That is a story about the slow, quiet decay of operational discipline in enterprise IT. Every organization reading this has a SharePoint, or a SharePoint-shaped equivalent — an old Exchange, an aging Oracle, a forgotten Jenkins. The exact CVE number will be different next month. The underlying pattern, sadly, will not.
If your team does not have a named human who watches CISA KEV and owns the clock against those deadlines, you are statistically one of the 1,370. Pick that person this week, before the next Tuesday.
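One way to put that clock in front of the named owner, as an added example that is not part of the original article: the script below matches KEV entries against an asset inventory and reports the days remaining for each unpatched host. The KEV sample is constructed in the shape of CISA's JSON feed (cveID, vendorProject, product, dateAdded, dueDate); the product string, the second entry, the hostnames and the owners are hypothetical.

```python
import json
from datetime import date

# Constructed sample shaped like the CISA KEV JSON feed. Only the CVE ID and
# the two dates of the first entry come from the article; the rest is made up.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft",
   "product": "SharePoint Server",
   "dateAdded": "2026-04-14", "dueDate": "2026-04-28"},
  {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
   "product": "ExampleProduct",
   "dateAdded": "2026-04-01", "dueDate": "2026-04-22"}
]}
""")

# Hypothetical inventory: which product runs where, who owns it, is it patched.
INVENTORY = [
    {"host": "sp-farm-01.example.internal", "product": "SharePoint Server",
     "owner": "alice", "patched": False},
    {"host": "sp-farm-02.example.internal", "product": "SharePoint Server",
     "owner": None, "patched": False},
    {"host": "sp-farm-03.example.internal", "product": "SharePoint Server",
     "owner": "alice", "patched": True},
    {"host": "ci-01.example.internal", "product": "Jenkins",
     "owner": "bob", "patched": False},
]

def kev_clock(kev, inventory, today):
    """Return unpatched assets that match a KEV entry, most urgent first."""
    items = []
    for vuln in kev["vulnerabilities"]:
        due = date.fromisoformat(vuln["dueDate"])
        days_left = (due - today).days
        for asset in inventory:
            # Simple case-insensitive product match; patched hosts are closed.
            if asset["patched"] or asset["product"].lower() not in vuln["product"].lower():
                continue
            items.append({
                "cve": vuln["cveID"],
                "host": asset["host"],
                "owner": asset["owner"] or "UNASSIGNED",  # nobody owns the clock
                "days_left": days_left,
                "status": "OVERDUE" if days_left < 0 else "OPEN",
            })
    return sorted(items, key=lambda i: (i["days_left"], i["host"]))

if __name__ == "__main__":
    for item in kev_clock(KEV_SAMPLE, INVENTORY, date(2026, 4, 23)):
        print("{cve} {host} owner={owner} days_left={days_left} {status}".format(**item))
```

In practice the KEV input would be the catalog JSON published by CISA and the inventory would come from a CMDB or scanner export; any row reported as UNASSIGNED is the gap the closing paragraph describes.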