Key Metrics
Heat Index: 137.68
Impact Level: High
Scope Level: Global
Last Update: 2025-07-25
Key Impacts
Positive Impacts (5)
Negative Impacts (1)
Event Overview
In July 2025, Microsoft disclosed active exploitation of zero-day vulnerabilities in its on-premises SharePoint Server software: CVE-2025-53770 (CVSS 9.8, unauthenticated remote code execution via deserialization of untrusted data) and CVE-2025-53771 (CVSS 6.3, spoofing). The flaws affect on-premises SharePoint servers worldwide but not SharePoint Online; attacks had already compromised dozens of organizations, including U.S. government agencies, before Microsoft released urgent security updates.
Event Timeline
Microsoft Reports Chinese Hackers Exploiting On-Premises SharePoint Vulnerabilities with Ransomware Deployments
On July 19, 2025, the Microsoft Security Response Center (MSRC) revealed active exploitation of two vulnerabilities in on-premises SharePoint servers: CVE-2025-49706 (a spoofing vulnerability) and CVE-2025-49704 (a remote code execution vulnerability). These vulnerabilities affect only on-premises SharePoint servers and not SharePoint Online in Microsoft 365. Microsoft has released comprehensive security updates for SharePoint Server Subscription Edition, 2019, and 2016, urging customers to apply them immediately for protection.
Microsoft observed two Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities against internet-facing SharePoint servers. Additionally, another China-based threat actor, tracked as Storm-2603, has been exploiting the same vulnerabilities to deploy ransomware. Investigations into other threat actors using these exploits are ongoing.
Microsoft warns that these exploits are rapidly being integrated by threat actors into attacks against unpatched on-premises SharePoint systems. Threat actors conduct reconnaissance and attempt exploitation via POST requests to the ToolPane endpoint. Successful exploitation results in authentication bypass, remote code execution, and deployment of web shells.
Microsoft recommends customers use supported SharePoint versions with the latest security patches, enable the Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus or equivalent, configure AMSI to Full Mode, rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions.
The MSRC blog post, first published on July 19, 2025, is being updated as the investigation continues; its current findings confirm that China-based actors are exploiting these vulnerabilities, including to deploy ransomware.
Microsoft SharePoint On-Premises Servers Targeted in Global Cyberattack
On the weekend of July 19 and 20, 2025, Microsoft disclosed an active cyberattack exploiting vulnerabilities in its on-premises SharePoint collaboration software. The Cybersecurity and Infrastructure Security Agency (CISA) warned that the flaw allows unauthenticated attackers to gain full access to SharePoint content and execute code remotely, posing serious risks to affected organizations worldwide, including U.S. state agencies and researchers.
Microsoft released security fixes late Sunday for two versions of SharePoint and issued an additional patch on Monday evening for SharePoint Server 2016, used primarily in on-premises data centers. The attack does not affect cloud-based SharePoint services like Microsoft 365.
Researchers at Palo Alto Networks estimate that thousands of organizations globally may have been impacted. Michael Sikorski, CTO and head of threat intelligence at Palo Alto’s Unit 42, stated that attackers are "exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys," and have already established footholds in systems. Eye Security researchers noted that because SharePoint servers often connect to other Microsoft services such as Outlook and Teams, the breach could facilitate data theft and password harvesting.
Microsoft has declined to comment further beyond its official blog update. The full scope and impact of the attack remain under investigation, with CISA advising organizations to apply patches immediately to mitigate exploitation risks.
Microsoft Addresses Global Cyberattacks Exploiting SharePoint Vulnerability
Microsoft faced a significant cyberattack exploiting a vulnerability in its SharePoint product, affecting U.S. federal agencies, state entities, and researchers worldwide. The attack targeted on-premises SharePoint Server, which Microsoft confirmed remains vulnerable until the new update is applied. In response, Microsoft released an urgent security update to fix the SharePoint vulnerability actively used in these ongoing global cyberattacks. The incident underscored the risk to government and research organizations relying on SharePoint and prompted immediate mitigation through the security patch to protect affected systems.
Microsoft Issues Urgent Security Update for Actively Exploited SharePoint Zero-Day Vulnerabilities
Microsoft has issued an alert regarding active cyberattacks exploiting previously unknown zero-day vulnerabilities in SharePoint Server software, used predominantly by U.S. and international government agencies and businesses for internal document sharing. These exploits target on-premises SharePoint servers, not SharePoint Online in Microsoft 365. The vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, are patch bypasses for the earlier SharePoint flaws CVE-2025-49704 and CVE-2025-49706, which were fixed in the July 2025 Patch Tuesday release. Collectively termed the ToolShell exploit chain, these vulnerabilities allow remote code execution and have been used to breach dozens of organizations worldwide.
Microsoft released out-of-band patches for the bypasses and urged immediate installation of the fixes to prevent exploitation. The company is coordinating its response with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense Cyber Defense Command, and other cybersecurity partners globally. The FBI confirmed awareness of the ongoing attacks and said it is working closely with federal and private-sector partners, without providing further details.
Microsoft warned that CVE-2025-53771 allows an authorized attacker to perform spoofing over a network, which can mask attacker identities and potentially manipulate trusted communications within agencies. Interim guidance advised customers who cannot enable the recommended malware protections to disconnect vulnerable SharePoint servers from the internet until the updates are applied. The episode underscores the importance of patch management and vigilance: attackers weaponize vulnerabilities rapidly after disclosure, including bypasses of fixes that were only days old.
Microsoft Issues Patch for Critical SharePoint Zero-Day Vulnerabilities Actively Exploited Globally
Microsoft has released security patches addressing two vulnerabilities in its SharePoint Server software, one of them critical, that have been actively exploited worldwide to breach dozens of organizations. The vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, are patch bypasses for the earlier SharePoint flaws CVE-2025-49704 and CVE-2025-49706, collectively known as "ToolShell." This exploit chain enables remote code execution on on-premises SharePoint servers.
Exploitation details surfaced over the weekend, prompting an official advisory from Microsoft. The earlier flaws that the chain bypasses had been fixed in Microsoft's Patch Tuesday release earlier in the month; the patches for CVE-2025-53770 and CVE-2025-53771 were issued out of band. The company has alerted businesses and government agencies about ongoing attacks targeting these flaws.
Beyond the zero-days themselves, these incidents show how attackers rely on default configurations, long-lived cryptographic secrets, and trusted but unmonitored components to stay inside otherwise well-defended environments: once a server's ASP.NET machine keys are stolen, forged requests look like legitimate SharePoint traffic. The attackers use modular and automated techniques that mimic normal system behavior to remain undetected.
Microsoft also underscores the growing security risks associated with Large Language Models (LLMs) integration across various applications and has issued a "LLM Security Best Practices Cheat Sheet" to guide identification and mitigation of AI-related vulnerabilities.
Security experts emphasize the importance of promptly patching all critical and high-risk vulnerabilities. Attackers are known to exploit newly discovered software flaws rapidly, sometimes within hours of disclosure. The release of these patches and advisories aims to help organizations preempt potential damage from these active exploit attempts.
Microsoft Releases Urgent Security Patches for Critical SharePoint Server Vulnerabilities Exploited in Ongoing Cyberattacks
On July 20, 2025, Microsoft released urgent security patches for critical vulnerabilities in on-premises SharePoint Server that are actively being exploited in widespread cyberattacks. The main flaw, tracked as CVE-2025-53770 with a CVSS score of 9.8, allows remote code execution due to deserialization of untrusted data. Concurrently, Microsoft disclosed a related spoofing vulnerability, CVE-2025-53771 (CVSS score 6.3), caused by improper limitation of a pathname to a restricted directory (path traversal), which enables an authorized attacker to perform spoofing over a network. These vulnerabilities impact only on-premises versions of SharePoint Server and not SharePoint Online in Microsoft 365.
Microsoft acknowledged that these flaws are bypasses of the earlier vulnerabilities CVE-2025-49704 and CVE-2025-49706, which the July 2025 Patch Tuesday update had only partially addressed. The exploit chain called ToolShell leverages these flaws to achieve remote code execution. The new updates provide more robust protections than the earlier fixes.
Microsoft credited an anonymous researcher for reporting the spoofing flaw (CVE-2025-53771). They emphasized the importance of immediately applying the latest updates or enabling AMSI (Antimalware Scan Interface), rotating SharePoint server ASP.NET machine keys, and restarting IIS on all SharePoint servers to mitigate further attacks.
A Microsoft spokesperson stated the company is prioritizing rapid updates and correcting any prior content discrepancies without impacting guidance for customers. The incident underscores the ongoing cyberthreat to U.S. and state agencies using Microsoft products amid global hacking attempts.
Critical Zero-Day Vulnerability (CVE-2025-53770) in Microsoft SharePoint Server Actively Exploited
A critical security vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770 with a CVSS score of 9.8, has been actively exploited since at least July 18, 2025, according to Dutch security firm Eye Security. The zero-day flaw is a variant of another SharePoint vulnerability (CVE-2025-49706, CVSS score 6.3) that was addressed in Microsoft's July 2025 Patch Tuesday updates. At the time of the report, CVE-2025-53770 remained unpatched; it allows unauthenticated attackers to execute code remotely by exploiting how SharePoint deserializes untrusted objects received over a network.
Microsoft publicly confirmed awareness of ongoing attacks targeting on-premises SharePoint Server customers on July 19, 2025. The attacks involve placing a backdoor on vulnerable SharePoint servers and stealing the servers' machine security keys (ValidationKey and DecryptionKey). These keys enable attackers to forge trusted payloads such as __VIEWSTATE and gain complete control over affected servers, enabling lateral movement and evasion by blending in with legitimate SharePoint activity.
Microsoft clarified that SharePoint Online (Microsoft 365) is not affected by this vulnerability. As a mitigation measure pending an official patch, Microsoft advised customers to configure Antimalware Scan Interface (AMSI) integration in on-premises SharePoint Server and deploy Microsoft Defender Antivirus on all SharePoint servers. AMSI integration has been enabled by default starting from the September 2023 security update for SharePoint Server 2016-2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
For organizations unable to enable AMSI integration, Microsoft recommended disconnecting SharePoint servers from the internet until the patch becomes available. They also recommended deploying Defender for Endpoint to detect and block post-exploitation activities.
Organizations that were attacked or suspect compromise should check server logs for indicators of compromise, isolate or shut down affected servers, and rotate all exposed credentials and system secrets, as patching alone does not revoke the stolen keys that allow ongoing access.
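Why patching alone does not evict an attacker who has already taken the machine keys (the point made above, and the reason the key-theft described in this entry matters), shown as an added example rather than Microsoft's code. It uses a simplified model of the ViewState MAC in which a single HMAC-SHA256 under the validationKey stands in for ASP.NET's real scheme (which derives per-purpose subkeys and can also encrypt under the decryptionKey); the keys and payloads are constructed, and the `rotate_keys` step stands in for rotating the farm's machine keys and restarting IIS.

```python
"""Stolen ASP.NET machine keys survive a patch; only rotation invalidates them.

Added example, not Microsoft's code. Simplified model (assumption): a ViewState
token is payload || HMAC-SHA256(validationKey, payload). Real ASP.NET derives
purpose-specific subkeys from validationKey and may also encrypt with
decryptionKey, but the trust relationship demonstrated here is the same.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MAC_LEN = 32  # SHA-256 digest length


class MachineKey:
    """Holds the validationKey a server uses to accept or reject client-supplied state."""

    def __init__(self, validation_key: Optional[bytes] = None) -> None:
        self.validation_key = validation_key or secrets.token_bytes(64)

    def sign(self, payload: bytes) -> bytes:
        return payload + hmac.new(self.validation_key, payload, hashlib.sha256).digest()

    def verify(self, token: bytes) -> Optional[bytes]:
        """Return the payload if the MAC checks out under this key, else None."""
        if len(token) < MAC_LEN:
            return None
        payload, mac = token[:-MAC_LEN], token[-MAC_LEN:]
        expected = hmac.new(self.validation_key, payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(mac, expected) else None


def incident(rotate_keys: bool) -> Dict[str, bool]:
    """Replay the incident: key theft, patch, optional key rotation; report what the server accepts."""
    server = MachineKey()
    # Pre-patch RCE: attacker reads web.config and exfiltrates the validationKey.
    stolen_key = server.validation_key
    # Attacker now mints a token the server will trust, with no further need for the original bug.
    forged = MachineKey(stolen_key).sign(b"constructed attacker payload")
    # Patch applied: the deserialization flaw is closed, but the key material is unchanged.
    accepted_after_patch = server.verify(forged) is not None
    if rotate_keys:
        # Rotate the machine keys (SharePoint's Update-SPMachineKey cmdlet) and restart IIS.
        server = MachineKey()
    accepted_after_response = server.verify(forged) is not None
    # Legitimate clients simply receive fresh state from the server, so rotation costs them nothing.
    legit_ok = server.verify(server.sign(b"constructed legitimate viewstate")) is not None
    return {
        "accepted_after_patch": accepted_after_patch,
        "accepted_after_response": accepted_after_response,
        "legitimate_still_works": legit_ok,
    }


if __name__ == "__main__":
    print("patch only     :", incident(rotate_keys=False))
    print("patch + rotate :", incident(rotate_keys=True))
```

With `rotate_keys=False` the forged token is still accepted after the patch; with `rotate_keys=True` it is rejected while freshly issued state continues to verify. Rotation has to be applied on every server in the farm, followed by an IIS restart, or a server still holding the old key keeps honoring the attacker's tokens.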
The vulnerability was discovered and reported to Microsoft by Viettel Cyber Security through the Trend Micro Zero Day Initiative (ZDI). Microsoft's advisory highlighted that the vulnerability stems from deserialization of untrusted data in on-premises SharePoint Server, enabling remote code execution over a network.
Critical Unpatched Microsoft SharePoint Server Zero-Day Vulnerability Exploited Globally
A critical zero-day vulnerability (CVE-2025-53770) in Microsoft SharePoint Server is being actively exploited in large-scale attacks targeting over 75 company servers worldwide as of July 19, 2025. This flaw, a variant of an earlier spoofing bug CVE-2025-49706 which was patched in the July 2025 Patch Tuesday updates, allows unauthorized attackers to execute code remotely by exploiting how SharePoint deserializes untrusted data. Attackers can execute commands before authentication, forge trusted payloads using stolen machine keys for persistence or lateral movement, and blend their activity with legitimate SharePoint operations, complicating detection and response.
Microsoft acknowledges the attacks and emphasizes that SharePoint Online in Microsoft 365 is not affected. The vulnerability impacts on-premises installations of SharePoint Server 2016, 2019, and Subscription Edition. Microsoft credits Viettel Cyber Security, via Trend Micro's Zero Day Initiative, for discovering and reporting the flaw.
Microsoft is preparing a comprehensive security update to fully resolve the issue. Until a patch is released, customers are urged to enable Antimalware Scan Interface (AMSI) integration—which is enabled by default in the September 2023 security update for SharePoint Server 2016 and 2019 and in the Version 23H2 feature update for Subscription Edition—and to deploy Microsoft Defender Antivirus and Defender for Endpoint on all SharePoint servers to detect and block post-exploit activity. For environments where AMSI cannot be enabled, Microsoft advises disconnecting SharePoint Servers from the internet.
Microsoft states: "Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network." Researchers from Eye Security have identified that widespread attacks leverage CVE-2025-49706 combined with use of a specific HTTP referer string to escalate to CVE-2025-53770, enabling remote code execution payload delivery.
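The request pattern Microsoft describes in the MSRC entry above (POST requests to the ToolPane endpoint, followed by web shell deployment) and the referer-based chaining Eye Security notes here are both visible in IIS request logs. The following is an added example, not Microsoft's or Eye Security's tooling: it parses W3C-format IIS log records and flags POSTs to ToolPane.aspx (optionally matched against a referer string, which the caller takes from the vendor advisory since this page does not quote it) as well as requests for unexpected .aspx pages under /_layouts/, where a dropped web shell would be served from. The log lines, client addresses, the hostname sp.example.test, the referer value and the page name sp_update.aspx are constructed; the ToolPane path under /_layouts/15/ or /_layouts/16/ and the allowlist of built-in pages are assumptions.

```python
"""Flag ToolShell-style request patterns in IIS W3C logs.

Added example, not vendor tooling. Assumptions (not stated on the page):
logs are IIS W3C extended format with a #Fields: header; the ToolPane endpoint
is /_layouts/15/ToolPane.aspx or /_layouts/16/ToolPane.aspx; the referer value
worth matching comes from the vendor advisory and is passed in by the caller.
All sample data below is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
LAYOUTS_ASPX_RE = re.compile(r"^/_layouts/1[56]/[^/]+\.aspx$", re.IGNORECASE)

# Pages that legitimately live directly under /_layouts/15/ in a typical farm.
# Assumed allowlist: build yours from a known-clean server, then alert on anything else.
KNOWN_LAYOUTS_PAGES = {
    "toolpane.aspx", "signout.aspx", "start.aspx", "settings.aspx",
    "viewlsts.aspx", "accessdenied.aspx", "authenticate.aspx",
}


@dataclass
class Finding:
    rule: str        # which detection fired
    client_ip: str   # c-ip of the request
    line: str        # the original log record, for the analyst


def parse_w3c(lines: Iterable[str]):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # #Software, #Version, #Date
            continue
        if fields is None:
            raise ValueError("record before #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):    # truncated or malformed record: skip, don't mis-assign columns
            continue
        yield dict(zip(fields, values))


def scan(lines: Iterable[str], referer_ioc: Optional[str] = None) -> List[Finding]:
    """Return findings for ToolPane POSTs and unexpected /_layouts/ .aspx pages."""
    findings: List[Finding] = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        path = rec.get("cs-uri-stem", "")
        referer = rec.get("cs(Referer)", "-")
        ip = rec.get("c-ip", "?")
        line = " ".join(rec.values())
        if method == "POST" and TOOLPANE_RE.match(path):
            # Exploitation attempts arrive as POSTs to ToolPane; review every one from the internet.
            rule = "toolpane_post"
            if referer_ioc and referer_ioc.lower() in referer.lower():
                rule = "toolpane_post_with_referer_ioc"
            findings.append(Finding(rule, ip, line))
        elif LAYOUTS_ASPX_RE.match(path):
            # A web shell dropped into the LAYOUTS folder is served as a new .aspx page.
            name = path.rsplit("/", 1)[-1].lower()
            if name not in KNOWN_LAYOUTS_PAGES:
                findings.append(Finding("unexpected_layouts_aspx", ip, line))
    return findings


def attempts_by_ip(findings: List[Finding]) -> Counter:
    """Count findings per client address to surface the noisiest sources."""
    return Counter(f.client_ip for f in findings)


# Constructed sample log; the referer and the sp_update.aspx page name are made up for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2025-07-19 03:11:58 198.51.100.10 GET /_layouts/15/start.aspx - 200 -
2025-07-19 03:12:07 203.0.113.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 200 https://sp.example.test/_layouts/15/SignOut.aspx
2025-07-19 03:12:09 203.0.113.7 GET /_layouts/15/sp_update.aspx - 200 -
2025-07-19 03:12:20 198.51.100.10 POST /_api/web/lists - 200 -
2025-07-19 03:12:21 truncated-record
"""

if __name__ == "__main__":
    # Substitute the referer string from the vendor advisory; this value is the constructed sample's.
    hits = scan(SAMPLE_LOG.splitlines(), referer_ioc="/_layouts/15/SignOut.aspx")
    for h in hits:
        print(f"{h.rule:32} {h.client_ip:15} {h.line}")
    print(attempts_by_ip(hits))
```

Run against real logs, feed `scan` the lines of each u_ex*.log file and add cs(User-Agent) to the field list if your site logs it; a ToolPane POST followed within seconds by a request for a new .aspx page from the same address is the sequence to escalate, and the server should then be treated as compromised and its machine keys rotated rather than merely patched.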
This vulnerability represents a significant threat to organizations using on-premises Microsoft SharePoint Server infrastructure, with at least 75 companies reportedly breached during this ongoing exploitation campaign.
Active Exploitation of Zero-Day Vulnerabilities in CrushFTP and Microsoft SharePoint Servers in July 2025
In July 2025, two separate zero-day vulnerabilities were actively exploited in widely used enterprise file transfer and collaboration server software.
First, CrushFTP, a proprietary multiprotocol file transfer server supporting FTP, FTPS, SFTP, HTTP(S), WebDAV, and more, was found to have a zero-day vulnerability tracked as CVE-2025-54309 that lets attackers gain administrative access through the web interface of servers not running an updated CrushFTP version; the attacks arrive over HTTP(S). The vendor ties the issue to the server's ability to auto-load XML configuration changes without a restart, triggered by timestamp changes. The exploitation was discovered in early July 2025, with successful attacks reported against systems including those of German users. CrushFTP has been updating its official documentation with new information as the situation develops.
Second, a zero-day variant vulnerability affecting Microsoft SharePoint Server, tracked as CVE-2025-53770, was weaponized in a large-scale campaign beginning at least July 18, 2025. This variant extends a previously patched spoofing vulnerability (CVE-2025-49706). Attackers exploit a deserialization flaw that lets them execute code remotely without authentication, steal the server's MachineKey configuration (ValidationKey and DecryptionKey), and install persistent backdoors, enabling full server takeover and lateral movement within networks. Microsoft and security researchers recommend enabling Antimalware Scan Interface (AMSI) integration (enabled by default in the September 2023 updates for SharePoint Server 2016/2019 and the Version 23H2 update for Subscription Edition), deploying Defender for Endpoint, or disconnecting SharePoint servers from the internet until patches are released. SharePoint Online (Microsoft 365) is not affected.
Both vulnerabilities involve critical enterprise infrastructure and are actively exploited by threat actors, resulting in administrative hijacking and remote code execution on on-premises systems. Immediate mitigation measures focus on patch management, configuration changes, and deployment of advanced endpoint detection and response tools.