Microsoft’s SharePoint software for servers is being targeted by malicious actors using a remote code execution (RCE) vulnerability to gain unauthorized access, according to the company. The security flaw allows threat actors to target on-premises servers at thousands of firms with SharePoint servers. Researchers state that once attackers have breached these servers, they can gain persistent access, even if the server is patched. Microsoft says it has rolled out security patches that can mitigate active attacks, and more are on the way.
Threat actors gain persistent access to Microsoft SharePoint servers
The vulnerability affecting SharePoint on-premises servers was reported on July 18 by researchers at European cybersecurity firm Eye Security. They explained that threat actors are using a zero-day, or previously unknown vulnerability (which has since been identified as CVE-2025-537770 and CVE-2025-537770), to gain access to servers, without using brute force attacks or phishing.
Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770.
We have outlined mitigations and detections in our blog. Our team is working urgently to release…
– Security Response (@MSFTSECRESPONSE) July 20, 2025
The new zero-day vulnerability is a weaponized version of an exploit that was showcased at Pwn2Own Berlin (a security contest) earlier this year. The US CISA warns that threat actors can execute code on the network and gain access to all SharePoint content on a server, such as internal configurations or file systems.
According to the researchers, these attackers can use stolen keys to act on behalf of legitimate users. As a result, these attackers can modify components and install other code that lets them retain access to the servers after security patches are installed or the systems are rebooted.
Palo Alto Networks’ Unit 42 wrote on X (formerly Twitter) that its threat intelligence team was observing “active global exposure” of the SharePoint vulnerability around the world. Additional details of these attacks were shared via Unit 42’s GitHub threat intel repository.
A day later, the Microsoft Security Response Center (MSRC) issued an advisory that confirms the security flaw is being actively exploited by threat actors. The company says it has released security patches to protect SharePoint Subscription Edition and SharePoint 2019 servers against attacks using this exploit.
At the time of publishing this story, Microsoft has yet to release a security update for SharePoint 2016 servers. The company’s advisory also urges customers to apply the July 2025 security updates, set up the Antimalware Scan Interface (AMSI) in SharePoint, and deploy Microsoft Defender solutions.