Actively exploited SharePoint spoofing bug continues to threaten over 1,300 instances

More than 1,300 internet-exposed Microsoft SharePoint servers remain vulnerable to ongoing intrusions weaponizing the zero-day spoofing flaw, tracked as CVE-2026-32201, while fewer than 200 online SharePoint instances have been fixed since last week's Patch Tuesday release, BleepingComputer reports.

North America accounted for nearly half of the vulnerable SharePoint servers, while Europe and Asia had the next highest number of exposures, according to findings from The Shadowserver Foundation. Attacks successfully exploiting CVE-2026-32201 were noted by Microsoft to potentially enable data exposure and modifications. More details on the method of exploitation and the perpetrators of abuse remain lacking. Such a development comes after federal civilian executive branch agencies were urged by the Cybersecurity and Information Security Agency to address the SharePoint flaw by Apr. 28.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," said CISA in its Known Exploited Vulnerabilities catalog entry for the bug.