Thousands of SharePoint Deployments Still Exposed
Security researchers have identified over 1,300 internet-facing Microsoft SharePoint servers that remain unpatched against a spoofing vulnerability that was actively exploited as a zero-day before Microsoft released an official fix. Despite the patch being available since the April 2026 Patch Tuesday cycle, the majority of vulnerable deployments have not applied the update — leaving them open to ongoing attacks.
The flaw, which was exploited in the wild prior to its disclosure, allows threat actors to spoof requests to a SharePoint server, potentially enabling unauthorized access to sensitive documents, credential theft, and lateral movement within corporate networks.
What Is the Vulnerability?
The SharePoint spoofing vulnerability enables an attacker to craft malicious requests that impersonate legitimate users or services to the SharePoint server. Because SharePoint is frequently used to host sensitive business documents, HR records, financial data, and internal wikis, successful exploitation provides high-value access within enterprise environments.
| Attribute | Detail |
|---|---|
| Affected Product | Microsoft SharePoint Server |
| Vulnerability Type | Spoofing |
| Exploitation Status | Actively exploited as zero-day |
| Patch Released | April 2026 Patch Tuesday |
| Servers Still Exposed | 1,300+ (as of April 22, 2026) |
| Attack Complexity | Low (confirmed active exploitation) |
The vulnerability was included in Microsoft's April 2026 security update — part of one of the largest Patch Tuesday releases on record, which addressed 168 vulnerabilities including multiple zero-days across the Microsoft ecosystem.
Active Exploitation Continues
Threat actors began exploiting this vulnerability before Microsoft released the patch, meaning some organizations may have already been compromised. Security researchers tracking the exploitation campaign report:
- Ongoing scanning of internet-facing SharePoint servers for unpatched instances
- Credential harvesting via spoofed authentication flows
- Document exfiltration from internal SharePoint libraries accessed through spoofed sessions
- Lateral movement into on-premises Active Directory environments from compromised SharePoint servers
The attack surface is significant because many organizations expose SharePoint externally for remote employees, partners, and contractors — making unpatched instances directly reachable by threat actors without needing to breach a VPN first.
Why Are So Many Servers Still Unpatched?
SharePoint Server is a complex enterprise platform with lengthy patching cycles in many organizations. Common barriers to rapid patching include:
- Change management processes that require extended testing windows
- Custom SharePoint applications that may break with version updates
- Business continuity concerns around patching production file-sharing infrastructure mid-cycle
- On-premises vs. cloud split — SharePoint Online (Microsoft 365) receives automatic patches, but on-premises SharePoint Server requires manual administrator action
Organizations running on-premises SharePoint Server bear full responsibility for patching and are disproportionately represented in the 1,300+ exposed server count.
Who Is at Risk?
Organizations at elevated risk include those running:
- On-premises SharePoint Server with internet-facing access portals
- Hybrid SharePoint deployments mixing cloud and on-premises infrastructure
- SharePoint used as an extranet for partners, customers, or contractors
SharePoint Online (Microsoft 365 hosted) users are not affected — Microsoft automatically applied the fix to cloud-hosted instances.
Remediation Steps
Immediate Actions
- Apply the April 2026 Patch Tuesday update that addresses the SharePoint spoofing vulnerability
- Restrict external access — place SharePoint behind a VPN or Zero Trust Network Access (ZTNA) gateway if external exposure is not required
- Review SharePoint access logs for signs of spoofed session activity or unauthorized document access
- Enable modern authentication — disable legacy authentication protocols that may be exploitable without the patch applied
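The log-review step above, and the indicators listed under Detection below, can be turned into a repeatable triage script. The following is an added example written for this page, not code from Microsoft or from the researchers cited; it reads SharePoint front-end (IIS W3C) request lines and flags the four patterns the article names. Every log line, the baseline user set, and the scanner IP list are constructed for the example, and the field order is an assumption about how the logging module has been configured on a given farm.

```python
"""Heuristic triage of SharePoint front-end (IIS W3C) request logs for the
indicators listed in this article. All log lines below are constructed for
the example; they are not captured from a real server."""
from collections import defaultdict

# Constructed W3C-style lines with the (assumed) field order:
#   date time c-ip cs-username cs-method cs-uri-stem sc-status cs(User-Agent)
# IIS writes spaces inside the User-Agent as '+', so each line splits cleanly.
SAMPLE_LOG = """\
2026-04-20 09:00:01 10.1.1.5 CORP\\alice GET /sites/hr/Shared%20Documents/payroll.xlsx 200 Mozilla/5.0+(Windows+NT+10.0)
2026-04-20 09:00:07 10.1.1.5 CORP\\alice GET /sites/hr/ 200 Mozilla/5.0+(Windows+NT+10.0)
2026-04-20 09:01:12 203.0.113.9 CORP\\alice GET /sites/hr/Shared%20Documents/payroll.xlsx 200 python-requests/2.31
2026-04-20 09:02:00 198.51.100.7 - POST /_layouts/15/Authenticate.aspx 401 curl/8.0
2026-04-20 09:02:01 198.51.100.7 - POST /_layouts/15/Authenticate.aspx 401 curl/8.0
2026-04-20 09:02:02 198.51.100.7 - POST /_layouts/15/Authenticate.aspx 401 curl/8.0
2026-04-20 09:02:05 198.51.100.7 CORP\\svc-backup GET /sites/finance/Shared%20Documents/ 200 curl/8.0
2026-04-20 09:03:00 192.0.2.44 - GET /_layouts/15/start.aspx 401 Mozilla/5.0
2026-04-20 09:05:00 10.1.1.8 CORP\\bob GET /sites/eng/wiki/Home.aspx 200 Mozilla/5.0+(Windows+NT+10.0)
"""

# Assumed inputs: the accounts expected to read document libraries, and a
# placeholder set of scanner source IPs (in practice fed from threat intel).
BASELINE_USERS = {"CORP\\alice", "CORP\\bob"}
SCANNER_IPS = {"192.0.2.44"}  # placeholder value, not a real indicator


def parse(log_text):
    """Turn W3C lines into dicts; skips blank lines and '#' directives."""
    events = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, user, method, uri, status, ua = line.split(" ", 7)
        events.append({"ts": f"{date} {time}", "ip": ip, "user": user,
                       "method": method, "uri": uri, "status": int(status),
                       "ua": ua})
    return events


def session_mismatches(events):
    """Accounts whose successful requests arrive from more than one
    (source IP, User-Agent) pair: a sign a session is being reused or
    spoofed from a second location."""
    seen = defaultdict(set)
    for e in events:
        if e["user"] != "-" and e["status"] == 200:
            seen[e["user"]].add((e["ip"], e["ua"]))
    return {user: sorted(pairs) for user, pairs in seen.items() if len(pairs) > 1}


def failed_then_success(events, min_failures=3):
    """Runs of auth failures from one IP followed by a success from the same
    IP. Returns (ip, user, failure_count, success_time) tuples."""
    streak = defaultdict(int)
    hits = []
    for e in events:
        if e["status"] in (401, 403):
            streak[e["ip"]] += 1
        elif e["status"] == 200:
            if streak[e["ip"]] >= min_failures:
                hits.append((e["ip"], e["user"], streak[e["ip"]], e["ts"]))
            streak[e["ip"]] = 0
    return hits


def unusual_document_access(events, baseline_users):
    """Successful document-library reads by accounts outside the baseline."""
    return [(e["user"], e["uri"]) for e in events
            if e["status"] == 200 and "/Shared%20Documents/" in e["uri"]
            and e["user"] not in baseline_users]


def scanner_connections(events, scanner_ips):
    """Source IPs in the log that match the scanner list."""
    return sorted({e["ip"] for e in events if e["ip"] in scanner_ips})


def review(log_text, baseline_users=BASELINE_USERS, scanner_ips=SCANNER_IPS):
    """Run all four checks and return the findings keyed by check name."""
    events = parse(log_text)
    return {
        "session_mismatches": session_mismatches(events),
        "failed_then_success": failed_then_success(events),
        "unusual_document_access": unusual_document_access(events, baseline_users),
        "scanner_connections": scanner_connections(events, scanner_ips),
    }


if __name__ == "__main__":
    for name, findings in review(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

On the constructed sample, the script flags the `alice` account for appearing from two IP/User-Agent pairs, the `198.51.100.7` source for three failures followed by a success as a different account, that account's read of a finance library it is not expected to touch, and the single hit against the placeholder scanner list. Each check is deliberately simple; the thresholds (three failures, the library path substring) are the knobs to tune against a farm's normal traffic before treating a hit as an incident.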
Detection
Organizations should inspect SharePoint server logs for:
- Authentication events with mismatched User-Agent strings or IP addresses
- Unusual document access patterns from unfamiliar accounts
- Repeated failed authentication attempts followed by sudden successful access
- Connections from IP addresses associated with known scanning infrastructure
Broader Context
This exposure pattern — a known vulnerability with a patch available but thousands of servers still unpatched weeks later — reflects a persistent challenge in enterprise security. Researchers tracking CISA's Known Exploited Vulnerabilities catalog have repeatedly shown that even critical, actively exploited flaws take months or years to be remediated across all affected deployments.
Organizations with large SharePoint deployments should treat this as a Priority 1 patch given the confirmed zero-day exploitation history and the ongoing active attack campaigns documented by security researchers.