Microsoft SharePoint Flaws Expose Internet-Facing Servers to Spoofing and RCE Risk
More than 1,370 internet-facing Microsoft SharePoint servers were reported exposed to active exploitation of CVE-2026-32201, a spoofing vulnerability affecting SharePoint Server 2016, 2019, and Subscription Edition. Microsoft disclosed the flaw in April and CISA added it to the Known Exploited Vulnerabilities catalog the same day, underscoring the urgency for defenders. Although Microsoft scored the bug at CVSS 6.5, the risk is elevated because it can be exploited remotely without authentication against exposed on-premises deployments, potentially allowing attackers to impersonate users, access or alter sensitive content, steal credentials, and move laterally inside victim environments.
The exposure comes amid broader concern over SharePoint security, including Microsoft's disclosure of CVE-2026-26106, a remote code execution vulnerability in SharePoint Server, and earlier reporting that a China-linked threat actor was involved in SharePoint attacks, according to Mandiant. The concentration of exposed systems was highest in the United States, and the combined reporting points to sustained attacker interest in SharePoint as a route into enterprise networks. Organizations were urged to apply Microsoft's available updates, reduce direct internet exposure of SharePoint servers, and closely monitor authentication and document-access activity for signs of compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA remediation deadline set for federal agencies
CISA set an April 28, 2026 deadline for U.S. federal civilian agencies to remediate CVE-2026-32201 after cataloging it as actively exploited. The deadline underscored the urgency of patching or otherwise mitigating exposed SharePoint deployments.
More than 1,370 internet-facing SharePoint servers remain exposed
Shadowserver Foundation data showed that over 1,370 internet-facing SharePoint servers were still vulnerable to CVE-2026-32201 despite patches being available. The exposed systems were distributed globally, with the United States accounting for the largest share.
Microsoft discloses CVE-2026-32201 and CISA adds it to KEV
Microsoft disclosed SharePoint Server spoofing vulnerability CVE-2026-32201 on April 14, 2026, and CISA added it to the Known Exploited Vulnerabilities catalog the same day due to active exploitation. The flaw affects SharePoint Server 2016, 2019, and Subscription Edition.
Microsoft releases SharePoint fix for CVE-2026-26106
Microsoft published a Security Update Guide entry for CVE-2026-26106, a SharePoint Server remote code execution vulnerability. This marks a SharePoint security update being made available by Microsoft.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Zero-Day SharePoint Server Flaws Trigger Emergency Patching and KEV Action
Microsoft issued emergency guidance after attackers exploited zero-day flaws in on-premises **Microsoft SharePoint Server** in campaigns that hit businesses and at least some U.S. government agencies. In one wave, researchers tracked a variant of `CVE-2025-49706` dubbed **"ToolShell,"** warning it could grant full access to SharePoint file systems and connected Microsoft services such as Teams and OneDrive. Microsoft said **SharePoint Online** was not affected, while fixes were released for SharePoint Server 2019 and Subscription Edition and a SharePoint Server 2016 patch was still pending at the time of reporting. U.S. CISA later added another actively exploited SharePoint zero-day, `CVE-2026-32201`, to its **Known Exploited Vulnerabilities** catalog and ordered Federal Civilian Executive Branch agencies to remediate it under **BOD 22-01**. Security firms including Eye Security, CrowdStrike, Google Threat Intelligence Group, and Palo Alto Networks warned that internet-facing SharePoint deployments in government, education, healthcare, and large enterprises face elevated risk, with defenders urged to patch quickly, isolate exposed servers if needed, rotate cryptographic material, and engage incident response support where compromise is suspected.
May 25, 2026
Microsoft Discloses Two SharePoint Remote Code Execution Vulnerabilities
Microsoft published security advisories for **CVE-2025-49704** and **CVE-2025-49701**, identifying both flaws as **Microsoft SharePoint Remote Code Execution** vulnerabilities. The entries were added to the Microsoft Security Update Guide, indicating that SharePoint deployments are affected by vulnerabilities that could allow code execution on targeted systems. The advisories provide formal tracking for two separate SharePoint RCE issues and signal that organizations running Microsoft SharePoint should review the associated update guidance and remediation information for both CVEs. The dual disclosure highlights concurrent risk in a widely used enterprise collaboration platform and raises the urgency for defenders to assess exposure across SharePoint environments.
Jun 12, 2026
Microsoft patched multiple Exchange and SharePoint remote code execution flaws
Microsoft disclosed and patched several **remote code execution** vulnerabilities affecting **Exchange Server** and **SharePoint Server**, including Exchange flaws tracked as `CVE-2023-21706`, `CVE-2023-28310`, and `CVE-2023-36439`, alongside SharePoint issues `CVE-2026-33110`, `CVE-2026-33112`, and `CVE-2026-40368`. The SharePoint vulnerabilities were tied to **deserialization of untrusted data** and were rated **Important**, with CVSS scores of **8.8** for `CVE-2026-33110` and `CVE-2026-33112`, and **8.0** for `CVE-2026-40368`. Microsoft said `CVE-2026-33110` could let an authenticated attacker with at least **Site Member** permissions execute code remotely on a vulnerable SharePoint Server, while `CVE-2026-33112` required at least **Site Owner** privileges to inject and run arbitrary code. For `CVE-2026-40368`, exploitation involved a client connecting to a malicious server, potentially leading to code execution on the client. Microsoft reported that the SharePoint flaws were **not publicly disclosed** and **not exploited in the wild** at publication, assessed exploitation as less likely, and released fixes, including a shared KB update for **SharePoint Server 2016** and **SharePoint Enterprise Server 2016**.
May 25, 2026