Microsoft SharePoint Zero-Day CVE-2026-32201: 1,370+ Servers Still Unpatched as Attackers Strike
Microsoft's April 2026 Patch Tuesday addressed more than 160 vulnerabilities — but the most urgent is CVE-2026-32201, a SharePoint Server zero-day already being exploited in the wild before a patch existed. Fresh scanning data shows over 1,370 internet-facing SharePoint servers remain unpatched and exposed, including systems likely operated by Australian organisations. Here is what you need to know and do right now.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
The April 2026 Patch Tuesday: A SharePoint Zero-Day Takes Centre Stage
On 14 April 2026, Microsoft released its monthly batch of security updates — and the scale was immediately notable. The April 2026 Patch Tuesday addressed more than 160 vulnerabilities across Windows, Office, SharePoint, Azure, and other Microsoft products. Eight vulnerabilities were classified Critical. Two were confirmed zero-days: flaws that had been actively exploited in the wild before Microsoft had a patch ready.
The headline vulnerability is CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server. Microsoft confirmed that exploitation was observed before the patch was released on 14 April — meaning attackers had a working exploit and were using it against real targets while administrators had no patch to deploy. The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) Catalog the same day, requiring all US federal civilian agencies to apply the patch by 28 April 2026.
The confirmed-exploitation designation is important context. Microsoft assigns a CVSS base score of 6.5 to CVE-2026-32201 — a score that places it in the "Important" tier rather than "Critical." On paper, 6.5 sounds manageable. In practice, a zero-day on the KEV catalog means real attackers have a working technique and are deploying it now. CVSS scores measure theoretical severity; KEV listing measures real-world urgency, and organisations that triage patches by CVSS score alone will consistently deprioritise the wrong things.
The affected products are on-premises SharePoint Server versions: SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. SharePoint Online (the cloud-hosted Microsoft 365 version) is not affected — Microsoft manages patching for its own cloud infrastructure. If your organisation runs SharePoint on your own servers or in a self-managed cloud VM, you are responsible for applying the patch.
Scanning data published by the Shadowserver Foundation shortly after the patch release found more than 1,370 internet-facing IP addresses running unpatched versions of SharePoint Server, with active exploitation confirmed against the same flaw. That number has since been confirmed by multiple independent security outlets including BleepingComputer and Cybersecurity News. The 1,370+ figure represents the global count of directly internet-exposed servers — a subset of all unpatched installations, which is almost certainly larger.
Why Australian Organisations Running SharePoint Are Directly at Risk
SharePoint Server is a common platform across Australian government, healthcare, education, legal, and financial services organisations. Many choose on-premises or self-hosted deployments specifically for data sovereignty reasons — keeping sensitive documents on infrastructure they control rather than in a US-based cloud. That is a legitimate choice. It also means those organisations are responsible for their own patching, and that responsibility includes acting within days, not weeks, when a zero-day hits the KEV catalog.
The ASD's Essential Eight framework — the Australian Signals Directorate's baseline security model for organisations of all sizes — sets explicit expectations for patch cadence. At Maturity Level 1, organisations should patch applications with publicly known vulnerabilities within one month. At Maturity Level 2, that window tightens to two weeks for internet-facing services. At Maturity Level 3, critical patches to internet-facing services should be applied within 48 hours of release. CVE-2026-32201 is confirmed exploited and on the CISA KEV list — any reasonable reading of the Essential Eight places this in the "patch immediately" category regardless of your target maturity level.
The risk is not theoretical. CVE-2026-32201 allows an unauthenticated attacker — someone with no existing credentials or network account — to perform spoofing attacks against SharePoint. In practice, this means an attacker can impersonate legitimate users, access documents and data those users are authorised to view, and manipulate information stored in SharePoint. For an organisation whose SharePoint instance contains contracts, HR records, financial data, health records, or client files, the confidentiality and integrity implications are serious.
The compliance angle matters too. Under Australia's Notifiable Data Breaches (NDB) scheme, organisations are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm. If SharePoint is breached and personal information is accessed — names, contact details, financial information, health information — that likely triggers an NDB notification obligation. The NDB scheme does not have a "we didn't patch in time" exemption. Failing to apply a known patch for a known zero-day would be difficult to characterise as reasonable steps to protect the data, which is the NDB scheme's test.
SharePoint frequently functions as an intranet hub — the same server that hosts external documents may also hold internal process guides, credentials stored in documents, or network diagrams. A successful spoofing attack is rarely the final objective; it is a stepping stone to deeper access.
Technical Detail: CVE-2026-32201 and the Other Critical Flaws in April's Batch
CVE-2026-32201 is classified as an improper input validation vulnerability (CWE-20) in Microsoft Office SharePoint Server. The flaw exists in how SharePoint processes certain network requests: by sending a specially crafted request, an unauthenticated remote attacker can bypass authentication checks and perform spoofing — effectively impersonating a legitimate authenticated user without knowing their credentials.
The pre-authentication nature of this exploit is what makes the CVSS 6.5 score misleading to anyone not reading the full technical details. Most authentication bypass vulnerabilities require at least some initial foothold. CVE-2026-32201 does not. Any network-reachable SharePoint server — whether directly internet-facing or accessible from within a local network — is a potential target. The "network" attack vector in the CVSS scoring means the attacker does not need physical or local access; a network connection is sufficient. The low attack complexity rating means no specialised conditions or prior knowledge of the target environment are required.
When exploitation succeeds, the attacker gains the ability to view sensitive information the impersonated user is authorised to access, and to make changes to that information. Microsoft's advisory notes impacts to both confidentiality and integrity, with availability not directly affected by this specific flaw. That said, "availability not affected" does not mean impact is contained — credential theft, document exfiltration, and the planting of malicious content within SharePoint for subsequent access by legitimate users are all plausible follow-on actions.
CVE-2026-33824 — Windows IKE Service Extensions (CVSS 9.8: Critical)
Beyond SharePoint, the April 2026 Patch Tuesday included flaws that warrant attention even though they did not ship as confirmed zero-days. CVE-2026-33824 affects the Windows Internet Key Exchange (IKE) Service Extensions with a CVSS score of 9.8 — one of the highest possible ratings. The vulnerability is a double-free memory corruption flaw that allows an unauthenticated remote attacker to execute arbitrary code on an affected system without any user interaction. IKE is the key-negotiation component used by VPN and IPsec connections, so any system with IKE listening on an internet-reachable port is a potential attack surface. A CVSS 9.8 with no user interaction and unauthenticated exploitation is, by any measure, a "patch within 48 hours" situation.
CVE-2026-33827 — Windows TCP/IP Stack (CVSS 8.1: Critical)
CVE-2026-33827 is a race condition vulnerability in the Windows TCP/IP stack, rated CVSS 8.1. As with CVE-2026-33824, this flaw allows an unauthenticated remote attacker to execute arbitrary code without user interaction by exploiting the race condition in the TCP/IP implementation. Any Windows system with internet-facing network ports is theoretically in scope. Race conditions in network stacks have a history of being reliably exploitable with the right tooling, and the absence of a confirmed zero-day status at time of publication is not a guarantee of safety — it simply means no public exploitation had been documented at patch release.
The Elevation of Privilege Trend
CrowdStrike's April 2026 Patch Tuesday analysis noted that 93 of the roughly 164 patches — approximately 57% — addressed elevation of privilege vulnerabilities. This disproportionate share is a signal worth reading: elevation of privilege flaws are most useful to an attacker who already has a foothold inside a system and needs to escalate from a limited user account to SYSTEM or administrative access. A month dominated by EoP patches suggests that attackers are actively operating inside already-compromised Windows environments and that Microsoft's internal telemetry is detecting this activity at scale. For Australian IT teams, the practical takeaway is to treat April's EoP patches with the same urgency as the headline zero-days.
What Australian IT Teams Must Do Right Now
1. Apply the April 2026 cumulative update to all SharePoint Server instances immediately. Microsoft released the patch on 14 April 2026. If your SharePoint Server 2016, 2019, or Subscription Edition has not received this update, it is currently vulnerable to a confirmed, actively exploited zero-day. There is no workaround or configuration mitigant that substitutes for the patch — apply it.
2. Identify and audit all SharePoint deployments in your environment. For many organisations, the harder problem is not applying a patch — it is knowing how many SharePoint instances exist and who manages each one. Shadow IT SharePoint deployments, servers stood up for specific projects and then forgotten, and inherited infrastructure from acquisitions are common in mid-sized Australian organisations. If you do not have a current inventory of your SharePoint instances, start there.
3. Check internet exposure. CVE-2026-32201 is exploitable over the network, so any SharePoint server an attacker can reach is at risk, not only internet-facing instances. However, directly exposed servers carry the highest immediate risk. The Shadowserver Foundation's scanning data has tracked over 1,370 exposed, unpatched instances globally. Direct internet exposure should be eliminated where not operationally required; SharePoint should sit behind a reverse proxy or VPN gateway with strict access controls.
4. Treat any unpatched SharePoint as potentially compromised and investigate accordingly. If your SharePoint Server was internet-accessible and unpatched between 14 April and today, you cannot assume it was not targeted. Review SharePoint access logs for unusual authentication events, unexpected document access, or permission changes. Look for new accounts, altered site configurations, or documents that have been modified in unexpected ways. If you find indicators of compromise, do not patch and move on — engage forensic investigation first.
5. Reset credentials exposed through SharePoint. CVE-2026-32201 allows an attacker to access data as an impersonated user. That data frequently includes documents containing credentials — passwords stored in text files, spreadsheets, or documents; API keys; SSH keys; and service account details. If your SharePoint instance held any documents containing credentials and was potentially exposed, those credentials must be treated as compromised and rotated immediately.
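The following script is an added example of the log review that step 4 calls for, written here as a starting point for the investigation; it is not Microsoft's code and not from this article. It assumes the SharePoint web application writes IIS W3C extended logs with the field set declared in the #Fields line of SAMPLE_LOG (adjust the fields if yours differ). The log lines, usernames, client addresses, thresholds and the list of permission-management pages are all constructed for illustration and should be tuned to your environment. It flags three of the indicators the step names: successful POSTs to permission pages, one account active from several client IPs, and bulk document reads, all counted only from the patch release date onward.

```python
"""
Post-exposure triage of a SharePoint site's IIS access log.

Added example (not Microsoft's or the article's code). Assumes IIS W3C extended
logs with the #Fields shown in SAMPLE_LOG; every value in SAMPLE_LOG, the
permission-page list and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import unquote

# Date the patch shipped (from the article); review everything from then on.
PATCH_RELEASE = "2026-04-14"

# Illustrative list of pages that change site permissions (assumption).
PERMISSION_PATHS = ("/_layouts/15/user.aspx", "/_layouts/15/aclinv.aspx")
# Document reads: direct library paths and the download handler (assumption).
DOCUMENT_SUFFIXES = (".docx", ".xlsx", ".pptx", ".pdf", ".txt",
                     "/_layouts/15/download.aspx")
BULK_DOWNLOAD_THRESHOLD = 5   # document reads per user in the window
MULTI_IP_THRESHOLD = 3        # distinct client IPs per user in the window

# Constructed sample; IIS writes '+' for spaces inside the user-agent field.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-10 10:00:00 10.0.0.5 GET /sites/hr/Shared%20Documents/old-notes.docx - 443 CORP\agarcia 10.0.2.33 Mozilla/5.0+Windows 200
2026-04-16 09:02:11 10.0.0.5 GET /sites/finance/Shared%20Documents/Q1-forecast.xlsx - 443 CORP\jsmith 10.0.1.20 Mozilla/5.0+Windows 200
2026-04-16 09:05:40 10.0.0.5 GET /sites/finance/SitePages/Home.aspx - 443 CORP\jsmith 10.0.1.20 Mozilla/5.0+Windows 200
2026-04-16 23:41:02 10.0.0.5 GET /sites/hr/Shared%20Documents/payroll-2026.xlsx - 443 CORP\agarcia 203.0.113.9 python-requests/2.31 200
2026-04-16 23:41:05 10.0.0.5 GET /sites/hr/Shared%20Documents/contracts.docx - 443 CORP\agarcia 203.0.113.9 python-requests/2.31 200
2026-04-16 23:41:07 10.0.0.5 GET /sites/hr/Shared%20Documents/onboarding.pdf - 443 CORP\agarcia 203.0.113.9 python-requests/2.31 200
2026-04-16 23:41:09 10.0.0.5 GET /_layouts/15/download.aspx SourceUrl=/sites/hr/Shared%20Documents/vendor-list.pdf 443 CORP\agarcia 203.0.113.9 python-requests/2.31 200
2026-04-16 23:41:12 10.0.0.5 GET /sites/hr/Shared%20Documents/leave-policy.docx - 443 CORP\agarcia 198.51.100.7 python-requests/2.31 200
2026-04-16 23:42:30 10.0.0.5 POST /_layouts/15/user.aspx - 443 CORP\agarcia 198.51.100.7 python-requests/2.31 200
2026-04-17 08:15:00 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\agarcia 10.0.2.33 Mozilla/5.0+Windows 200
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    detail: str


def parse_w3c(lines):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = None, []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line encountered before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip it rather than abort the review
        records.append(dict(zip(fields, parts)))
    return records


def triage(records, since):
    """Return findings over successful authenticated requests on/after `since` (ISO date)."""
    window_start = datetime.fromisoformat(since)
    ips_by_user = defaultdict(set)
    docs_by_user = defaultdict(int)
    findings = []
    for r in records:
        when = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        user, status = r["cs-username"], r["sc-status"]
        if when < window_start or user == "-" or status != "200":
            continue  # outside the exposure window, anonymous, or not served
        path = unquote(r["cs-uri-stem"]).lower()
        ips_by_user[user].add(r["c-ip"])
        if path.endswith(DOCUMENT_SUFFIXES):
            docs_by_user[user] += 1
        if r["cs-method"] == "POST" and path.endswith(PERMISSION_PATHS):
            findings.append(Finding("permission_change", user,
                                    f"{path} from {r['c-ip']} at {when.isoformat()}"))
    for user, ips in ips_by_user.items():
        if len(ips) >= MULTI_IP_THRESHOLD:
            findings.append(Finding("multi_ip_session", user,
                                    f"{len(ips)} client IPs: {sorted(ips)}"))
    for user, count in docs_by_user.items():
        if count >= BULK_DOWNLOAD_THRESHOLD:
            findings.append(Finding("bulk_document_access", user,
                                    f"{count} document reads in window"))
    return findings


def triage_sample(since=PATCH_RELEASE):
    """Run the triage over the constructed sample log."""
    return triage(parse_w3c(SAMPLE_LOG.splitlines()), since)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.kind}] {f.user}: {f.detail}")
```

Against a real log, call `triage(parse_w3c(open(path)), "2026-04-14")`; IIS stamps W3C logs in UTC by default, so adjust any working-hours reasoning accordingly. Each finding is a lead for the forensic investigation the step describes, not proof of compromise: a user seen from three addresses may simply have moved between office, home and VPN, which is why the thresholds are parameters rather than fixed rules.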
A dedicated password manager eliminates the need to store credentials anywhere that is not designed for that purpose. One of the most persistent problems in Australian SMB environments is credentials stored in SharePoint documents, spreadsheets, or chat logs — a practical workaround in the absence of better infrastructure, but one that turns a SharePoint breach into a credential breach across every system those passwords protect. NordPass generates strong, unique credentials for every account, stores them in an encrypted vault, and makes them available across devices without exposing them in documents, spreadsheets, or chat logs. For teams currently sharing credentials via SharePoint documents, migrating to NordPass provides both a security improvement and a practical alternative that does not require a behaviour change in how credentials are accessed — just where they are stored.
Beyond the Patch: Building a Security Posture That Does Not Depend on Patch Speed
The CVE-2026-32201 situation illustrates a structural problem with patch-centric security strategies: by the time a patch exists, exploitation has already begun. The zero-day window — the period between when an attacker discovers a vulnerability and when a patch becomes available — is entirely outside the organisation's control. What organisations can control is the attack surface available to an attacker who reaches their network, and the damage that follows if exploitation occurs.
Reduce the attack surface of internet-facing services. SharePoint Server should not be directly reachable from the internet without multiple layers of protection. A reverse proxy or web application firewall at the perimeter means that even a vulnerable SharePoint backend is not directly addressable. A VPN or zero-trust access gateway means that only authenticated, authorised users can even attempt to reach the SharePoint authentication layer. Neither of these controls eliminates CVE-2026-32201 — they reduce the number of attackers who can attempt to exploit it. Combined with patching, they form a meaningful defensive layer.
Implement network segmentation. Even if an attacker successfully exploits CVE-2026-32201, network segmentation limits their ability to move laterally. A SharePoint server that can reach your financial systems, HR database, and backup infrastructure over the internal network is a higher-value target than one that sits in an isolated segment with only the access it operationally requires. The ASD's Essential Eight includes restricting administrative privileges as a core control precisely because lateral movement depends on finding accounts with broad access. Limit what your SharePoint service accounts can reach.
Enable multi-factor authentication on all accounts with SharePoint access. CVE-2026-32201 allows user impersonation at the SharePoint layer, but MFA enforced at the identity provider level (Azure AD / Entra ID, on-premises AD FS) means that reaching other systems as the impersonated user still requires a second factor the attacker does not have. MFA at the application layer alone is insufficient; enforce it upstream.
Teams that have moved to NordPass for team credential management report that the shift from shared documents to a managed vault reduces both the credential-sprawl problem and the time spent on credential resets after incidents. When a breach occurs, the scope of exposed credentials is limited to what the vault contained — and the vault is not a SharePoint document. NordPass supports team vaults, item sharing between specific members, and audit logs showing who accessed what and when — capabilities that matter during post-incident forensics.
Subscribe to ACSC alerts and CISA KEV updates. The fastest way to know about actively exploited vulnerabilities is to be on the mailing lists of the agencies that track them. The Australian Signals Directorate's ACSC publishes alerts and advisories at cyber.gov.au. CISA's KEV catalog is updated regularly and is publicly accessible. For organisations without a dedicated security operations function, these free government resources provide a reliable signal about what needs to be prioritised. Subscribing to ACSC alerts is the minimum viable threat intelligence programme for any Australian SMB.
The April 2026 Patch Tuesday is a reminder that Microsoft's monthly update cycle is not a security strategy — it is the floor. The organisations that escaped CVE-2026-32201 exploitation were not simply faster at patching. They were the ones whose SharePoint instances were not directly internet-reachable, whose credential hygiene contained the blast radius, and whose monitoring caught anomalous access early. Patching is necessary. It is not sufficient.
Related reading
- Two Windows Defender Zero-Days Still Unpatched as Attackers Exploit All Three
- CISA Warns of 6 Actively Exploited Flaws in Fortinet, Microsoft & Adobe
Stay Protected When Patch Tuesday Can't Move Fast Enough
Check out our recommended security tools for a complete protection stack.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.