Skip to main content
Back to Blog
Over 1,300 SharePoint Servers Remain Vulnerable to Active Spoofing Attacks
BREACHApr 24, 20264 min read

Over 1,300 SharePoint Servers Remain Vulnerable to Active Spoofing Attacks

More than 1,300 Microsoft SharePoint servers exposed to the internet are still running without a patch for a spoofing vulnerability that attackers have been exploiting since it was a zero-day, according to a report published by BleepingComputer on April 22, 2026. The attacks are ongoing, meaning unpatched systems face real, present risk.

What happened

A spoofing vulnerability in Microsoft SharePoint was discovered and exploited in the wild before a patch was available, classifying it as a zero-day at the time of initial attacks. Microsoft has since released a fix, but a significant number of organizations have not applied it. According to BleepingComputer, over 1,300 SharePoint servers remain publicly accessible and unpatched as of late April 2026.

Spoofing vulnerabilities in server software typically allow an attacker to impersonate a trusted entity, manipulate requests, or forge responses in ways that bypass authentication or deceive users. Because this flaw is actively being abused, unpatched servers are not facing a theoretical future risk. They are targets right now.

Why this matters to small teams

SharePoint is often associated with large enterprises, but small teams and startups use it too, sometimes through Microsoft 365 business plans or as part of a broader Microsoft infrastructure inherited from a client or contractor. If your organization runs a self-hosted or organization-managed SharePoint instance, this vulnerability applies directly to you.

Free Scan

Run the exact check on your domain

See your security score, grade, and a breakdown of what's exposed. Free. Takes under 2 minutes.

Scan my site free →

Small teams tend to deprioritize patching on internal tools. When a developer or founder is focused on shipping product, updating collaboration software feels low-urgency. That mindset is exactly what attackers count on. A spoofing flaw on an internet-exposed server can be used to harvest credentials, redirect users to malicious content, or serve as a foothold into the broader network. None of those outcomes require a sophisticated attacker.

The scale of exposure here is also a signal worth paying attention to. Over 1,300 servers still unpatched weeks or months after a fix was released shows how common delayed patching is across all organization sizes. If you are unsure whether your SharePoint instance is patched, you should assume it is not until you verify.

How to stay protected

  1. Verify your SharePoint version and patch status. Log into your SharePoint admin center or server environment and confirm that the latest security updates from Microsoft have been applied. Microsoft publishes patch notes and version numbers in their Security Update Guide.

  2. Restrict public exposure where possible. If your SharePoint instance does not need to be accessible from the public internet, place it behind a VPN or restrict access by IP allowlist. Reducing the attack surface is often faster than patching and buys you time.

  3. Enable Microsoft Defender alerts for SharePoint. If you are using Microsoft 365, Defender for Office 365 includes threat detection for SharePoint activity. Make sure alerts are routed somewhere a human will actually see them.

  4. Audit which services you expose publicly. Run a scan or review of your DNS records, subdomains, and open ports to identify any services you may have forgotten are internet-facing. Forgotten infrastructure is a common source of compromise.

  5. Establish a patching cadence. Set a recurring calendar event, monthly at minimum, to review and apply security patches for all internet-facing software. This applies to SharePoint, web servers, CMS platforms, and any other software your team runs.

  6. Monitor for signs of exploitation. Review SharePoint access logs for unusual authentication patterns, unexpected user agents, or requests from unfamiliar IP ranges. Early detection limits damage even when prevention fails.

How UNPWNED helps

UNPWNED scans your public-facing web infrastructure to identify exposed services, misconfigured endpoints, and missing security controls. While our scanner focuses on web application security headers, TLS configuration, and exposed sensitive paths rather than SharePoint-specific patch levels, it can help you identify whether services are unintentionally exposed to the internet and flag security gaps that make exploitation easier. If you are unsure what your public attack surface looks like, running a scan is a practical first step before doing a deeper patch audit.

This post was drafted with AI assistance based on authoritative security sources, then published under editorial review.

Source

BleepingComputer

Discussion (0)

Leave a comment

Comments are moderated. Be respectful. Spam and self-promotion will be removed.

Is your site exposed to issues like these?

SCAN YOUR SITE FREE