A critical zero-day vulnerability in Microsoft SharePoint is being exploited in the wild right now, and more than 1,300 servers remain exposed to the public internet with no patch applied. The flaw, tracked as CVE-2026-32201, lets an attacker execute arbitrary code on a SharePoint server remotely, without logging in, without any user clicking a link, and without any privileges whatsoever.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) catalog in May 2026, confirming that federal analysts have credible evidence of active exploitation. That designation triggers a binding remediation deadline for all civilian federal agencies and serves as an urgent signal for every organization running SharePoint on-premises.
Why this vulnerability is unusually dangerous
The National Vulnerability Database entry spells out the worst-case combination. The CVSS v3.1 vector string, submitted by Microsoft itself as the CVE Numbering Authority, specifies a network-based attack vector, privileges required set to “none,” and user interaction set to “none.” In plain terms: anyone on the internet who can reach a vulnerable SharePoint instance can run code on it. No stolen credentials needed. No phishing email required.
That profile sits at the very top of most risk-scoring frameworks because it can be weaponized at scale with minimal effort. Automated scanning tools can identify exposed SharePoint servers and fire off exploit payloads in minutes, turning even short patching delays into real breaches.
SharePoint is not a peripheral system. It typically stores sensitive corporate documents, personnel records, internal communications, and project data. Gaining code execution on a SharePoint server hands an attacker a foothold deep inside the network, well past perimeter defenses, with access to the kind of data that fuels ransomware extortion and espionage campaigns alike.
What the federal record confirms
Two primary federal sources anchor the known facts. The National Institute of Standards and Technology maintains the NVD as the authoritative U.S. government repository for vulnerability data, and its scoring is derived directly from the vector string Microsoft submitted. The KEV catalog adds a second layer of institutional validation: CISA does not list a vulnerability without evidence that real-world exploitation is already occurring, not just a theoretical proof of concept.
Together, those two records confirm both the technical severity and the operational urgency. For defenders, that combination should be enough to act on, even while some details remain incomplete.
What is still unclear
Several important questions do not yet have authoritative answers.
Affected versions. Microsoft acknowledged the vulnerability through the standard CVE process, but no public advisory from the company has specified which SharePoint editions are vulnerable. On-premises deployments of SharePoint Server 2016, 2019, and Subscription Edition are the most likely candidates based on typical CVE scoping, but that has not been confirmed. Whether SharePoint Online, the cloud-hosted version included in Microsoft 365, is affected is also unaddressed in public documentation reviewed as of late May 2026.
Patch availability. The NVD listing does not include a vendor advisory link with granular remediation guidance. Administrators should monitor Microsoft’s Security Update Guide directly for an official patch release, as that portal is the primary distribution channel for SharePoint security updates.
Who is exploiting it. CISA’s KEV entry confirms active exploitation but does not publicly attribute the activity to a named threat group or disclose which sectors have been targeted. Without that detail, defenders cannot easily prioritize based on industry-specific risk, and it remains unclear whether the exploitation is opportunistic and broad or narrowly aimed at high-value targets.
The 1,300-server exposure count. That figure originates from third-party internet scans reported in security media, not from an official census by CISA, Microsoft, or a recognized scanning organization such as the Shadowserver Foundation. Internet-facing scan counts shift daily as administrators patch or take systems offline, so the number should be treated as a directional snapshot rather than a precise, current total.
What defenders should do right now
Waiting for perfect information is the wrong move here. The NVD and CISA have provided enough signal to justify immediate action. The following steps apply whether or not a vendor patch is available yet.
Check external exposure. Run perimeter scans and review firewall rules to determine whether any SharePoint instance is reachable from the public internet. If it is, restrict inbound access immediately. Place SharePoint behind an authenticated reverse proxy or VPN if the service must remain available to remote users.
Monitor for a patch. Watch Microsoft’s Security Update Guide and CISA’s KEV entry for updated remediation deadlines. Organizations subject to the federal binding operational directive should already have remediation timelines in motion. Private-sector teams that treat KEV entries as advisory rather than mandatory risk falling behind.
Add behavioral detections. Security operations teams should look for anomalous SharePoint process behavior, unusual service account activity, and unexpected outbound connections originating from collaboration servers. Even without a fully documented exploit chain, these signals can surface early-stage compromise.
Streamline emergency patching. Organizations that require lengthy change-management approval cycles for production systems may need a fast-track pathway specifically for KEV-listed vulnerabilities. Pre-agreed criteria that let security patches and compensating controls move faster than routine updates can shave days off the exposure window. Clear communication from security leaders to business stakeholders about what a KEV designation means can help justify temporary downtime or access restrictions.
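The "Add behavioral detections" step above can be sketched as three rules run over endpoint telemetry. This is an added example, not code from Microsoft or CISA; the event field names, the service account `svc_spfarm`, the internal ranges and the allowlisted address are assumptions, and the sample events are constructed.

```python
import ipaddress
from ntpath import basename  # parses Windows paths on any OS

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"   # IIS worker that hosts SharePoint
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
SERVICE_ACCOUNTS = {"corp\\svc_spfarm"}           # hypothetical farm account
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = {"203.0.113.10"}               # hypothetical approved destination
INTERACTIVE = {2, 10}   # Windows logon types: interactive, remote interactive

# Constructed telemetry for illustration; field names are assumptions.
EVENTS = [
    {"type": "process", "parent": W3WP,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"type": "process", "parent": W3WP, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network", "image": W3WP, "dest_ip": "10.20.0.5"},
    {"type": "network", "image": W3WP, "dest_ip": "198.51.100.23"},
    {"type": "logon", "user": "CORP\\svc_spfarm", "logon_type": 5},
    {"type": "logon", "user": "CORP\\svc_spfarm", "logon_type": 10},
]

def exe(path):
    return basename(path).lower()

def detect(event):
    """Return a finding string for a suspicious event, else None."""
    kind = event["type"]
    if kind == "process":
        # A web worker launching a shell or script host is rarely legitimate.
        if exe(event["parent"]) == "w3wp.exe" and exe(event["image"]) in SHELLS:
            return "w3wp.exe spawned " + exe(event["image"])
    elif kind == "network" and exe(event["image"]) == "w3wp.exe":
        dest = ipaddress.ip_address(event["dest_ip"])
        internal = any(dest in net for net in INTERNAL_NETS)
        if not internal and event["dest_ip"] not in ALLOWED_EXTERNAL:
            return "w3wp.exe connected out to " + event["dest_ip"]
    elif kind == "logon" and event["user"].lower() in SERVICE_ACCOUNTS:
        # Service accounts normally use logon type 5 (service), not a desktop session.
        if event["logon_type"] in INTERACTIVE:
            return "interactive logon by " + event["user"]
    return None

def triage(events):
    return [(i, f) for i, e in enumerate(events) if (f := detect(e))]

if __name__ == "__main__":
    for index, finding in triage(EVENTS):
        print(index, finding)
```

The compiler launch, the internal connection and the service-type logon pass; tune the shell list and allowlist against a baseline of the farm's normal activity before alerting on them.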
The exposure window is where the damage happens
The gap between a vulnerability’s addition to the KEV catalog and widespread patch adoption is where most breaches occur. For CVE-2026-32201, that window is especially dangerous because the flaw requires no credentials and no user action. Every day an unpatched, internet-facing SharePoint server stays online is another opportunity for attackers to gain a beachhead inside a target network.
History offers uncomfortable precedent. Previous SharePoint vulnerabilities, including CVE-2023-29357 and CVE-2024-38094, followed a similar pattern: public disclosure, confirmed exploitation, and then a long tail of organizations that patched too slowly and paid the price. The technical profile of CVE-2026-32201, with its zero-privilege, zero-interaction attack path, suggests the stakes this time are at least as high.
Defenders who treat the NVD and CISA records as the floor for action, rather than waiting for a complete picture, will close that window fastest. The facts already on the record justify moving now.
This article was researched with the help of AI, with human editors creating the final content.