Over 1,300 Microsoft SharePoint Servers Remain Vulnerable to Active Spoofing Attacks
AI-generated from multiple sources. Verify before acting on this reporting.
WASHINGTON — More than 1,300 Microsoft SharePoint servers across the United States remain unpatched against a critical spoofing vulnerability that threat actors are actively exploiting in ongoing attacks. The unaddressed weakness, identified as an improper input validation flaw, allows attackers to manipulate network traffic and gain unauthorized access to sensitive data.
Microsoft, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the non-profit research group Shadowserver have confirmed the continued exposure of these systems. The vulnerability, which was initially treated as a zero-day exploit, has been weaponized by malicious actors to conduct network spoofing operations. Despite the availability of security updates, a significant number of organizations have not yet applied the necessary patches to their infrastructure.
The flaw resides within the input validation mechanisms of SharePoint servers, a widely used enterprise collaboration platform. By exploiting this weakness, attackers can inject malicious code that tricks the server into accepting false network information. This capability enables threat actors to disguise their origin, bypass security controls, and potentially exfiltrate data from compromised networks. The attacks have been observed targeting various sectors, including government agencies and private enterprises.
CISA has issued urgent guidance urging organizations to immediately update their SharePoint environments. The agency emphasized that the vulnerability poses a severe risk to national security and critical infrastructure. Microsoft has released patches to address the issue, but the persistence of unpatched servers indicates a gap in security hygiene across many institutions. Shadowserver’s analysis indicates that the exploitation attempts are ongoing, with attackers actively scanning for vulnerable systems.
The situation highlights the challenges organizations face in maintaining up-to-date security postures. While the technical fix is available, the delay in implementation leaves networks exposed to sophisticated cyber threats. Security experts warn that the window for exploitation remains open as long as these servers remain unpatched. The scale of the exposure suggests that the vulnerability may have been exploited in incidents that have not yet been publicly disclosed.
Questions remain regarding the full extent of the data compromised during these attacks. While the technical details of the vulnerability are now public, the specific targets and the volume of stolen information are not yet fully understood. Authorities continue to monitor the situation as they work to contain the threat and assist affected organizations in securing their systems. The incident underscores the critical importance of timely patch management in the face of evolving cyber threats.