A week ago, we sat down with our Security Analyst, Kyle Farr, to talk about a critical SharePoint Remote Code Execution vulnerability that was being actively exploited. The intention was to alert our audience, give them a sense of the severity, and walk them through what to do.
This week, we are sitting down again. Same topic. Same platform. Different CVE.
If it feels like SharePoint vulnerabilities are starting to look less like isolated incidents and more like a recurring pattern, you are not imagining it. And the numbers behind this latest one tell a story every business owner running on-premises SharePoint needs to hear.
What is happening this time?
Microsoft has disclosed a new spoofing vulnerability affecting SharePoint Enterprise Server 2016, 2019, and Subscription Edition. CISA added it to their Known Exploited Vulnerabilities catalogue the same day the patch was released, and ordered US federal agencies to patch by 28 April 2026.
As of this week, researchers have identified 1,370 SharePoint servers still publicly exposed and unpatched, more than a week after Microsoft released the fix.
And as Kyle pointed out in our conversation, that number is almost certainly understated.
"The numbers are maybe a little under-reported, because as much as they picked up 1,370 publicly available servers, there's still going to be a lot more out there that are publicly available. They just have one or two extra levels of protection. So they're not allowed to be found by these automatic scanners." — Kyle Farr, Security Analyst at GTconsult
Spoofing vs Remote Code Execution: what is the difference?
The previous vulnerability was a Remote Code Execution flaw, which means an attacker could run any code they wanted on the system. This week's vulnerability is described as a spoofing vulnerability, which sounds less alarming, but is worth understanding properly.
Spoofing is when an attacker disguises something to appear as a legitimate source. The most familiar example is an email that looks like it came from Microsoft, with the right branding, the right tone, and a subtly altered domain that the human eye glosses over. In the case of a SharePoint server, spoofing means an attacker can impersonate a legitimate user without actually being one.
This particular CVE has a CVSS score of 6.5, which sits in the medium severity bracket. Compared to last week's 9.8, it might feel like one to relax about. But Kyle was clear that the severity score reflects how easy the attack is to pull off in isolation, not the damage it can cause when combined with other exposures.
"It's not instantly taking control, but it's allowing people to do things they shouldn't be able to do, which can lead to them getting control." — Kyle Farr
Why are so many servers still unpatched?
It is tempting to look at 1,370 unpatched servers and assume those organisations are simply not paying attention. The reality is more nuanced.
For organisations running large or complex SharePoint environments, applying a patch is not a single click. It often involves a structured release process: testing the patch in a staging environment, validating that it does not break existing integrations, and pushing it through a formal change management board for approval. In heavily regulated industries, that approval chain alone can take weeks.
That does not mean exposure is acceptable. It means the patching window is a known risk that needs interim controls, not a comfortable excuse.
Who is actually at risk?

As with last week's vulnerability, this one only affects SharePoint On-Premises deployments. SharePoint Online customers are not affected because Microsoft manages the underlying infrastructure and applies patches centrally.
Within the on-premises group, the highest-risk environments are those with SharePoint servers exposed directly to the public internet. If a SharePoint site is reachable from outside the corporate network, automated scanners are already finding it. Internal-only servers are less exposed in practice, because attackers would need to be inside the network first, but they are not safe.
Why does SharePoint keep coming up?
This is the question we asked Kyle directly, and his answer is one every business leader should sit with for a moment. SharePoint is not a particularly insecure platform. It sits behind multiple layers of defence and integrates tightly with Active Directory and Microsoft Entra ID.
What has changed is that SharePoint has become a far more valuable target. Since SharePoint 2016, the platform has matured significantly, and many of the largest organisations in the world now run mission-critical environments on it. Larger, more valuable deployments mean attackers have a stronger commercial incentive to invest time in finding ways in.
There is also a second factor: artificial intelligence. AI tools are helping attackers analyse code paths and chain together small, individually low-severity vulnerabilities into something far more dangerous.
"If you use this CVE and that CVE and that CVE in a certain order, then suddenly it's as if you were using a 9.5 CVE, because now you've used these small, very unlikely to break anything issues to give you full access to the system." — Kyle Farr, Security Analyst at GTconsult
In other words, you cannot only worry about the headline-grabbing CVEs. The medium-severity ones matter too, because attackers are increasingly stitching them together.
The 14 July 2026 deadline is now the priority conversation
SharePoint Server 2016 reaches end of extended support on 14 July 2026. After that date, Microsoft will no longer issue security patches for SharePoint 2016. Whatever vulnerabilities exist in the code, including ones not yet discovered, will remain there permanently.
Watch our full webinar on the SharePoint 2016 end-of-support deadline and your migration options.
If you are running SharePoint 2016 and you have not yet started a migration conversation, this is the signal to start. The migration path is not a single jump. Organisations on 2016 cannot move directly to SharePoint Subscription Edition. They need to upgrade to 2019 first, then to Subscription Edition, or rebuild the environment and migrate the data across using a migration tool.
Both options take time. Three months out from the deadline, that time is now the constraint.
What every business should do ASAP

1. Verify your patch status. Confirm with your IT team or managed service provider that the latest SharePoint security updates have been applied. Do not assume. Ask for verification.
2. Audit your public-facing exposure. If your SharePoint server is reachable from the public internet, evaluate whether it needs to be. Where direct exposure is necessary, place it behind a reverse proxy or web application firewall that can analyse incoming traffic before it reaches the server.
3. Review your patching process. If applying a critical patch takes more than two weeks in your environment, that is a process problem to solve before the next vulnerability lands, not after.
4. Start the migration conversation if you are on 2016. Three months is a tight runway for a SharePoint migration. The conversation needs to start now, not in June.
5. If you don't have a security function, get one. Whether that is an internal hire, an outsourced partner, or a hybrid arrangement, organisations running on-premises Microsoft infrastructure cannot operate without dedicated security oversight in 2026.
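Steps 1 and 2 above can be turned into a repeatable, read-only check. The script below is an added example, not code from this article or from GTconsult. It assumes it is run in the SharePoint Management Shell on a farm server as a farm administrator, that the DnsClient module (Resolve-DnsName) is available, and that $PatchedBuild is replaced with the farm build number that Microsoft's release notes list for the security update being verified (a placeholder here, since the article does not give one).

```powershell
# Added example, not code from the article or from GTconsult.
# Purpose: a read-only check of (1) whether the farm build is at or above the
# build a SharePoint security update produces, (2) which servers still need the
# farm upgrade, and (3) which web application URLs are configured per zone.
# Assumptions: run in the SharePoint Management Shell on a farm server as a
# farm administrator; $PatchedBuild is a placeholder taken from Microsoft's
# release notes for the update being verified.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDER: the farm build number listed for the security update (not on this page).
$PatchedBuild = [Version]'0.0.0.0'

# 1. Farm-level build version. Patch binaries can be installed while the farm
#    still reports the old build if the configuration wizard (PSConfig) has not run.
$farmBuild = (Get-SPFarm).BuildVersion
"Farm build: {0}  (expected at least: {1})" -f $farmBuild, $PatchedBuild
if ($farmBuild -lt $PatchedBuild) {
    Write-Warning 'Farm build is below the patched build: update missing or PSConfig not run.'
}

# 2. Per-server upgrade state. NeedsUpgrade = True means that server still has
#    to complete the farm upgrade even though the patch binaries are present.
Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |      # skip database servers
    Select-Object Name, Role, NeedsUpgrade |
    Format-Table -AutoSize

# 3. Exposure. Each alternate access mapping is a public URL the farm answers
#    to in that zone. Names that resolve to public addresses are candidates for
#    a reverse proxy or WAF in front of them. Note that this resolves through
#    the server's own DNS, which may answer differently from public DNS.
$exposure = foreach ($webApp in Get-SPWebApplication) {
    foreach ($aam in Get-SPAlternateURL -WebApplication $webApp) {
        $hostName = ([uri]$aam.PublicUrl).Host
        $addresses = Resolve-DnsName -Name $hostName -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -in 'A', 'AAAA' } |
            Select-Object -ExpandProperty IPAddress
        [pscustomobject]@{
            WebApplication = $webApp.DisplayName
            Zone           = $aam.Zone
            PublicUrl      = $aam.PublicUrl
            ResolvesTo     = ($addresses -join ', ')
        }
    }
}
$exposure | Format-Table -AutoSize
```

The output gives an IT team or managed service provider something concrete to hand back in answer to "is it patched?": a farm build compared against a known target, a list of servers with the upgrade still pending, and every URL zone the farm listens on. Saving the three sections to a dated file after each patch cycle also produces the evidence trail a change management board usually asks for.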
How GTconsult can help
If you are not sure whether your SharePoint environment is patched, exposed, or ready for the July 2026 deadline, our team can help you find out. We offer SharePoint security assessments, vulnerability scans, penetration testing, patch verification, and full migration planning for SharePoint 2016 environments.
Reach out to us and we will walk through your environment with you.
