CVE-2026-32201 SharePoint Zero-Day — 1,300+ servers still exposed 3 weeks after the patch. Is anyone else seeing exploitation artifacts in ULS logs?

Posted by Expert_Sort7434@reddit | sysadmin | 17 comments

Three weeks after Microsoft patched CVE-2026-32201 — the actively exploited SharePoint spoofing zero-day from April's record Patch Tuesday — Shadowserver is still tracking 1,300+ internet-facing SharePoint servers that haven't applied the fix.

The technical root cause is CWE-20 (improper input validation) in SharePoint's request-handling pipeline. An unauthenticated attacker can send a crafted network request and have their data rendered as trusted SharePoint content to internal users — no privileges, no user interaction, low complexity.

What's catching my eye technically:

— Security researchers at Rapid7 and SecurityWeek are flagging that this is likely being chained with CVE-2026-33824 (Windows IKE RCE, CVSS 9.8) — which is pre-auth, network-reachable, and wormable in some configurations. That's a serious pivot chain.
— There's speculation CVE-2026-32201 is related to XSS (cross-site scripting) in SharePoint's page rendering engine, which would explain the integrity + confidentiality impact with no availability hit.
— The BlueHammer exploit (CVE-2026-33825, Defender PE, Volume Shadow Copy abuse) was also patched the same day — and these three together represent a multi-stage attack surface nobody is treating as a coordinated threat cluster yet.

For those running on-prem SharePoint (2016/2019/SE): Are you seeing anomalous Content-Type mismatches or encoded payloads in your ULS logs that might suggest probing or exploitation attempts? What's your detection coverage looking like?

I previously covered the Microsoft Entra ID AI Agent privilege escalation (same Patch Tuesday cycle, different product layer) here if you want the broader Microsoft enterprise attack surface context:
https://www.techgines.com/post/microsoft-entra-id-ai-agent-privilege-escalation-silverfort

Full technical breakdown of CVE-2026-32201:
https://www.techgines.com/post/cve-2026-32201-sharepoint-zero-day-spoofing
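A starting point for the ULS-log question in the post (anomalous Content-Type mismatches and encoded payloads), as an added example that is not part of the original post and not Microsoft's or Shadowserver's tooling. It assumes the standard ULS column order (Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation, tab-separated); the three detection heuristics and their thresholds are assumptions for illustration, not published indicators for CVE-2026-32201, and the sample log lines are constructed. Findings are grouped by the ULS correlation ID so that all events from one request can be reviewed together.

```python
"""Scan SharePoint ULS log text for request-handling anomalies of the kind the
post asks about: Content-Type mismatches and heavily encoded payload fragments.
Heuristics are assumptions for illustration, not published IoCs."""
import base64
import re
from collections import defaultdict

# ULS logs are tab-separated with this column order (header row included).
ULS_COLUMNS = ["Timestamp", "Process", "TID", "Area", "Category",
               "EventID", "Level", "Message", "Correlation"]

# Assumed heuristics; tune thresholds against your own baseline traffic.
CONTENT_TYPE_RE = re.compile(r"content-type", re.I)
MISMATCH_RE = re.compile(r"mismatch|does not match|unexpected", re.I)
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PCT_ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")
PCT_ESCAPE_THRESHOLD = 8


def parse_uls(text):
    """Yield one dict per well-formed ULS line; header and short lines are skipped."""
    for raw in text.splitlines():
        parts = raw.rstrip("\r\n").split("\t")
        if len(parts) < len(ULS_COLUMNS) or parts[0] == "Timestamp":
            continue
        # Messages can contain tabs; everything between Level and the trailing
        # Correlation column belongs to Message.
        record = dict(zip(ULS_COLUMNS[:7], parts[:7]))
        record["Message"] = "\t".join(parts[7:-1])
        record["Correlation"] = parts[-1]
        yield record


def classify(message):
    """Return the list of heuristic rule names that fire on one message."""
    hits = []
    if CONTENT_TYPE_RE.search(message) and MISMATCH_RE.search(message):
        hits.append("content_type_mismatch")
    if BASE64_RUN_RE.search(message):
        hits.append("long_base64_run")
    if len(PCT_ESCAPE_RE.findall(message)) >= PCT_ESCAPE_THRESHOLD:
        hits.append("dense_url_encoding")
    return hits


def scan_uls(text):
    """Return findings as dicts: timestamp, correlation, rules, message."""
    findings = []
    for rec in parse_uls(text):
        rules = classify(rec["Message"])
        if rules:
            findings.append({"timestamp": rec["Timestamp"],
                             "correlation": rec["Correlation"],
                             "rules": rules,
                             "message": rec["Message"]})
    return findings


def group_by_correlation(findings):
    """Group findings by ULS correlation ID so one request's events stay together."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["correlation"]].append(f)
    return dict(grouped)


# Constructed sample lines (not real log data). The encoded values are neutral
# filler so the heuristics have something to fire on.
_B64 = base64.b64encode(b"constructed sample value for demo purposes only").decode()
SAMPLE_ULS = "\n".join([
    "\t".join(ULS_COLUMNS),
    "04/28/2026 10:15:03.21\tw3wp.exe (0x1A2C)\t0x0F44\tSharePoint Foundation\tGeneral\tb9y3\tMedium\tRequest (GET:http://sp.internal/sites/hr/default.aspx)\t1f3a9c2e-0000-0000-0000-000000000001",
    "04/28/2026 10:15:04.07\tw3wp.exe (0x1A2C)\t0x0F44\tSharePoint Foundation\tGeneral\tb9y3\tUnexpected\tContent-Type header (text/plain) does not match body content detected as application/xml\t1f3a9c2e-0000-0000-0000-000000000002",
    "04/28/2026 10:15:04.09\tw3wp.exe (0x1A2C)\t0x0F44\tSharePoint Foundation\tGeneral\tb9y3\tMedium\tControl parameter value: " + _B64 + "\t1f3a9c2e-0000-0000-0000-000000000002",
    "04/28/2026 10:15:05.31\tw3wp.exe (0x1A2C)\t0x0F50\tSharePoint Foundation\tGeneral\tb9y3\tMedium\tQuery string: q=%41%42%43%44%45%46%47%48%49\t1f3a9c2e-0000-0000-0000-000000000003",
    "truncated line without enough columns",
])

if __name__ == "__main__":
    for cid, items in group_by_correlation(scan_uls(SAMPLE_ULS)).items():
        print(cid)
        for f in items:
            print("  ", f["timestamp"], ",".join(f["rules"]), "|", f["message"][:70])
```

Against real logs, point `scan_uls` at the contents of the `.log` files under the SharePoint LOGS directory (or at Merge-SPLogFile output) and treat a hit as a pivot into the correlation ID, not as a verdict on its own: SharePoint legitimately logs encoded view-state and long tokens, so the base64 and percent-encoding rules will need per-farm thresholds before they are quiet enough to alert on.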