
1,300 SharePoint Servers Are Still Spoofable as the CISA Deadline Hits

2026.04.29

CVE-2026-32201 has a modest CVSS score of 6.5 — but it's actively exploited, requires no authentication, and the federal remediation clock has just run out.

April 28, 2026 was the day every U.S. federal civilian agency was required to have patched CVE-2026-32201, an actively exploited spoofing vulnerability in Microsoft SharePoint Server. As of the deadline, internet-facing scans showed that more than 1,300 SharePoint servers were still vulnerable. If you operate any version of SharePoint on-premises in 2026, this is not a "patch when convenient" item — it is the most important Tuesday-morning task on your calendar.


1. What CVE-2026-32201 Is


CVE-2026-32201 is an improper-input-validation flaw that lets an unauthenticated remote attacker perform spoofing over the network against SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. The CVSS base score is 6.5 — Important, not Critical — and that lower number is exactly why it has been quietly devastating. It does not look as scary as a 9.8 RCE on a slide. But it is being weaponized in the wild, and Microsoft confirmed exploitation when it shipped the patch on April Patch Tuesday.


2. Why "Spoofing" Is More Dangerous Than It Sounds


Spoofing in SharePoint terms means an attacker can convince the server, or convince other users via the server, that requests, files, or notifications come from a trusted identity when they don't. In a corporate intranet that runs on SharePoint, that means: forged links pointing to attacker-controlled documents that look like internal HR memos; phishing payloads delivered through the SharePoint UI itself, which users have been trained to trust; identity-impersonating notifications that bypass standard email-based phishing detection because they never touch email. This is not a "view some sensitive data" bug. This is a foothold-and-pivot bug, and it is exactly the kind of weakness used to build the high-impact intrusion chains we saw in 2025.


3. Why So Many Servers Are Unpatched


SharePoint on-prem is one of the longest-tail enterprise products in existence. Many organisations run a 2016 or 2019 instance because they cannot move their custom workflows to SharePoint Online. These servers are often owned by line-of-business teams, not central IT; they live behind a VPN that everyone assumes is "internal", even though increasingly it is reachable through partner networks, contractor laptops, and forgotten public-facing reverse proxies. Shadowserver and other scanners can already see roughly 1,300 of them, and that count almost certainly understates the real exposure once you include private corporate networks.


4. The Full April Patch Tuesday Picture


Microsoft addressed 164 to 169 vulnerabilities (counts vary by source), including a publicly disclosed second zero-day, a Microsoft Defender privilege-escalation flaw (CVE-2026-33825, CVSS 7.8), and a chilling 9.8 unauthenticated remote code execution vulnerability in the Windows IKE Service Extensions (CVE-2026-33824). The IKE flaw lets an attacker execute code by sending crafted packets to systems with IKEv2 enabled. If you are running a Windows VPN endpoint, that is the second item on today's checklist; if you are running SharePoint and a Windows VPN endpoint, you are inside the worst overlap of this month's patch cycle.


5. What "Remediated" Actually Means Here


Patching is necessary but not sufficient. SharePoint exploitation typically leaves three artefacts to hunt for after you patch: anomalous OAuth or app-only token requests, web shell drops in _layouts, and unusual outbound traffic from the SharePoint application pool identity. Run the IOC sweep your SOC built for the 2025 ToolShell exploits — most of the same artefact families apply here. If you cannot patch immediately because of a SharePoint 2016 dependency that breaks under the cumulative update, the mitigations are: enable AMSI integration, restrict SharePoint to SAML or modern auth only, and front the server with a WAF rule that blocks the request patterns Microsoft published in its advisory.
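As an added example (not code from the original post), here is a Python triage script for the second artefact family above: it parses IIS W3C logs from the SharePoint front end and flags requests to pages under /_layouts/ that are not in a baseline of known product pages, sorting POSTs to unknown pages first. The allowlist, host names, user names, IPs and the unknown page name are constructed for illustration; a real sweep would build the allowlist from a clean install of the same build.

```python
import re

# Constructed allowlist of legitimate pages under /_layouts/<ver>/; a real
# sweep builds this from a clean install of the same build (TEMPLATE\LAYOUTS).
KNOWN_LAYOUTS_PAGES = {"start.aspx", "viewlsts.aspx", "settings.aspx", "upload.aspx"}

# Matches /_layouts/ (optionally under a site path) and captures the page
# after the version segment, e.g. /sites/hr/_layouts/15/settings.aspx.
LAYOUTS_RE = re.compile(r"^(?:/[^/]*)*?/_layouts/(?:\d+/)?(.+)$", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per IIS W3C log entry, using the #Fields header for column names."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip malformed lines rather than misalign columns
                yield dict(zip(fields, parts))


def suspicious_layouts_requests(lines, known=KNOWN_LAYOUTS_PAGES):
    """Return (client_ip, method, uri, status) for requests to _layouts pages not in the
    baseline. POSTs to unknown pages are the strongest web-shell signal, so they sort first."""
    hits = []
    for rec in parse_w3c(lines):
        m = LAYOUTS_RE.match(rec.get("cs-uri-stem", ""))
        if m and m.group(1).lower() not in known:
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]))
    hits.sort(key=lambda h: (h[1] != "POST", h[0], h[2]))
    return hits


# Constructed sample log: hosts, users, IPs and the unknown page name are illustrative.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-04-28 09:01:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0 200 120
2026-04-28 09:02:44 10.0.0.5 GET /sites/hr/_layouts/15/settings.aspx - 443 CONTOSO\\bob 10.0.0.22 Mozilla/5.0 200 88
2026-04-28 09:03:02 10.0.0.5 POST /_layouts/15/helper1.aspx - 443 - 198.51.100.7 python-requests/2.31 200 35
2026-04-28 09:03:05 10.0.0.5 GET /_layouts/15/helper1.aspx - 443 - 198.51.100.7 python-requests/2.31 200 12
2026-04-28 09:04:00 10.0.0.5 GET /_layouts/15/viewlsts.aspx - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0 200 60
"""

if __name__ == "__main__":
    for ip, method, uri, status in suspicious_layouts_requests(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {method:5} {status} {uri}")
```

Point it at the real W3C logs (one file per day by default) and review every hit against the files actually present on disk; a 200 on a page the baseline has never heard of is what to escalate.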


6. Operational Lessons


First, CVSS lies — or rather, CVSS describes a vulnerability in isolation, and your environment is not isolated. CVE-2026-32201 is "Important" by score, "Critical" by exploitation, and "Existential" inside an environment where SharePoint is the primary collaboration platform. Treat the KEV catalog as the authoritative priority signal, not CVSS. Second, the FCEB deadline is a useful pace-setter for non-federal organisations too. CISA picked April 28 because that is the latest defensible date given known exploitation; private-sector defenders are operating against the same threat actors with the same tooling. Third, the existence of a publicly disclosed sibling CVE (Microsoft revised its advisory on CVE-2026-32202 the same day, April 28) is a strong hint that the underlying class of bug — improper input validation in SharePoint's identity-aware URL handling — has more siblings to come. Plan for the next one before it is announced.


My Take


I think the SharePoint zero-day is the most under-rated security story of the month, precisely because it does not have a 9.8 score next to it. Detection and response teams calibrate on Critical CVSS numbers; the people who run the targeted servers calibrate on whether their ticket is in this sprint. A 6.5 in active exploitation, with a CISA deadline, with 1,300 visible unpatched servers, exposes the gap between scoring systems and reality. The right response is institutional, not technical: every CISO should have a standing rule that anything CISA adds to KEV is patched within 14 days regardless of CVSS, and that SharePoint on-prem instances are scanned weekly by an external attack-surface tool. The technical patch is easy. Building the muscle memory to deploy it within the deadline window is the hard part — and that muscle memory is what the next, inevitable round of SharePoint disclosures will test.

