Microsoft’s SharePoint software for servers is being targeted by malicious actors using a remote code execution (RCE) vulnerability to gain unauthorised access, according to the company. The security flaw allows threat actors to target on-premise servers at thousands of firms with SharePoint servers. Researchers state that once attackers have breached these servers, they can gain persistent access, even if the server is patched. Microsoft says it has rolled out a security patch that can mitigate active attacks, and more are on the way.
Threat Actors Gain Persistent Access to Microsoft SharePoint Servers
The vulnerability affecting SharePoint on-premise servers was reported on July 18 by researchers at European cybersecurity firm Eye Security. They explained that threat actors are using a zero-day, or previously unknown vulnerability, (which has since been identified as CVE-2025-53770 and CVE-2025-53770) to gain access to servers, without using brute force attacks or phishing.
Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770.
We have outlined mitigations and detections in our blog. Our team is working urgently to release…
— Security Response (@msftsecresponse) July 20, 2025
The new zero-day vulnerability is a weaponised version of an exploit that was showcased at Pwn2Own Berlin (a security contest) earlier this year. The US CISA warns that threat actors can execute code on the network, and gain access to all SharePoint content on a server, such as internal configurations or file systems.
According to the researchers, these attackers could use stolen keys to act on behalf of legitimate users. As a result, these attackers can modify components and install other code that lets them retain access to the servers after security patches are installed, or the systems are rebooted.
Palo Alto Networks’ Unit 42 wrote on X (formerly Twitter) that the threat intelligence team was observing «active global exploitation» of SharePoint vulnerabilities that were being used to target organisations around the world. Additional details of these attacks were shared via Unit 42’s GitHub threat intel repository.
A day later, the Microsoft Security Response Center (MSRC) issued an advisory that confirms the security flaw is being actively exploited by threat actors. The company says it has released a security patch to protect SharePoint Subscription Edition and SharePoint 2019 servers against active attacks using this exploit.
At the time of publishing this story, Microsoft has yet to roll out a security update for SharePoint 2016 servers. The company’s advisory also urges customers to apply the July 2025 security updates, set up the Antimalware Scan Interface (AMSI) in SharePoint, and deploy Microsoft Defender or similar solutions.
