Zero‑Day Spoofing Vulnerability (CVE‑2026‑32201) Exposes Over 1,300 Microsoft SharePoint Servers
What Happened – A network‑spoofing flaw (CVE‑2026‑32201) in SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition was disclosed as a zero‑day and is already being abused. Over 1,300 publicly‑exposed SharePoint instances remain unpatched weeks after Microsoft’s April 2026 Patch Tuesday.
Why It Matters for TPRM –
- The vulnerability can be exploited without user interaction, giving attackers the ability to view and modify confidential data.
- Federal agencies have been ordered to remediate within two weeks, highlighting regulatory pressure that can cascade to downstream vendors and partners.
- Unpatched on‑premises SharePoint installations are common in many supply‑chain environments, creating a lateral‑movement foothold for threat actors.
Who Is Affected – Enterprises that host on‑premises SharePoint (finance, healthcare, government, manufacturing, etc.) and any third‑party service providers that rely on SharePoint for document collaboration.
Recommended Actions –
- Verify that all SharePoint servers under your contract have applied the April 2026 security update that addresses CVE‑2026‑32201.
- Conduct a rapid inventory of on‑premises SharePoint instances and enforce patch compliance.
- Review BOD 22‑01 guidance and ensure any cloud‑hosted SharePoint services meet the same remediation timeline.
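One way to run the inventory and patch-compliance check described above, as an added example that is not from the original brief or from Microsoft. The CSV columns, status names, host names, build numbers and dates are constructed assumptions; the minimum patched builds are placeholders to be replaced with the values from Microsoft's April 2026 update.

```python
import csv
import io
from datetime import timedelta

WINDOW = timedelta(days=14)  # the two-week remediation order cited above
PRIORITY = ["unpatched-exposed", "verify-build", "unpatched-internal",
            "patched", "not-affected"]

def parse_build(text):
    """'99.0.100.5' -> (99, 0, 100, 5); raises ValueError if blank or malformed."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(row, min_patched):
    """Status for one inventory row; min_patched maps product -> fixed build."""
    product = row["product"].strip()
    if product not in min_patched:
        return "not-affected"
    try:
        current = parse_build(row["build"])
    except ValueError:
        return "verify-build"  # fail closed: an unknown build is not 'patched'
    if current >= parse_build(min_patched[product]):
        return "patched"
    exposed = row["internet_facing"].strip().lower() == "yes"
    return "unpatched-exposed" if exposed else "unpatched-internal"

def triage(inventory_csv, min_patched, listed_on, today):
    """Return [(host, status, overdue)] with the most urgent hosts first."""
    past_deadline = today > listed_on + WINDOW
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row, min_patched)
        needs_work = status not in ("patched", "not-affected")
        rows.append((row["host"], status, needs_work and past_deadline))
    return sorted(rows, key=lambda r: PRIORITY.index(r[1]))

# Constructed placeholder builds, NOT real: use the fixed builds from Microsoft.
MIN_PATCHED = {
    "SharePoint Enterprise Server 2016": "99.0.50.2",
    "SharePoint Server 2019": "99.0.100.9",
    "SharePoint Server Subscription Edition": "99.0.200.3",
}
# Constructed sample inventory (hosts and builds are invented).
INVENTORY = """host,product,build,internet_facing
sp-fin-01,SharePoint Server 2019,99.0.100.5,yes
sp-hr-02,SharePoint Server 2019,99.0.100.9,no
sp-legal-03,SharePoint Enterprise Server 2016,99.0.50.1,no
sp-ext-04,SharePoint Server Subscription Edition,,yes
dms-05,Other document system,1.2.3,no
"""
```

Call `triage(INVENTORY, MIN_PATCHED, listed_on, today)` with the catalog listing date and the current date; a host with a blank or malformed build is returned as `verify-build` rather than assumed patched.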
Technical Notes – The flaw is an improper input‑validation issue that enables network spoofing without privileged credentials. Exploitation impacts confidentiality and integrity but not availability. CVE‑2026‑32201 was added to the CISA KEV catalog and is being actively exploited.
Source: BleepingComputer