Security researchers from The Shadowserver Foundation have identified these internet-facing systems as unpatched and vulnerable to active exploitation, putting sensitive corporate data and internal networks at risk.
The vulnerability, tracked as CVE-2026-32201, is caused by improper input validation in Microsoft SharePoint Server.
This flaw allows attackers to craft malicious requests that the server mistakenly processes as legitimate.
As a result, threat actors can bypass security controls and potentially gain unauthorized access to internal systems.
The severity of the issue has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) catalog.
This designation confirms that the flaw is already being actively exploited in real-world attacks, making immediate patching essential for affected organizations.
According to Shadowserver’s latest scan data, exactly 1,370 unique IP addresses are still hosting vulnerable SharePoint servers.
While this number remains high, it shows some improvement compared to previous findings. On April 15, 2026, researchers reported 1,745 exposed systems, indicating that nearly 400 servers have since been patched or removed from public access.
Shadowserver continues to monitor the situation and shares daily updates through its Vulnerable HTTP reporting dashboards.
These tools provide detailed geographic insights and visual maps, helping organizations identify exposed assets and track global trends in real time.
The impact of this vulnerability is significant. Successful exploitation enables network-level spoofing, allowing attackers to manipulate how SharePoint processes requests.
This can lead to unauthorized access to sensitive documents, credential theft, or even lateral movement within corporate networks.
Security experts warn that the continued exposure of these systems highlights deeper issues in patch management practices.
Many organizations delay applying updates to avoid service disruptions, but this creates a dangerous window for attackers.
When a vulnerability is both publicly known and actively exploited, delays can quickly result in compromise.
To mitigate the risk, administrators are strongly advised to apply the latest security updates released by Microsoft through the Microsoft Security Response Center (MSRC).
In addition, organizations should review SharePoint logs for suspicious activity, including irregular input validation patterns or unauthorized access attempts.
The ongoing threat serves as a reminder that timely patching is critical to maintaining enterprise security.
As attackers increasingly target collaboration platforms like SharePoint, organizations must prioritize vulnerability management to protect their digital infrastructure.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google
The post 1,370+ Microsoft SharePoint Servers Exposed Online and Vulnerable to Spoofing Attacks appeared first on Cyber Security News.
LEGO Batman: Legacy of the Dark Knight has received its launch trailer, and it features…
If you're looking to upgrade your home theater sound system to complement that big new…
Looking to expand your home gym on the cheap? For this week only, one of…
Cisco has issued a high-severity security advisory warning of a critical connection exhaustion vulnerability affecting…
Many Android users recently discovered that applications promising to retrieve someone else’s call logs are…
CISA has issued an urgent warning regarding a critical vulnerability in Palo Alto Networks PAN-OS.…
This website uses cookies.