Active Exploitation of Microsoft SharePoint Vulnerabilities
Essential information
- Published
- 22/07/2025 08:31
- Modified
- 22/07/2025 09:29
- Tags
- 2025-07-22 CVE-2025-49704 CVE-2025-49706 CVE-2025-53770 CVE-2025-53771 cve education exploitation government healthcare microsoft sharepoint on-premises vulnerability
- Related entities
- 13 vulnerabilities (cve), 24 observables, 13 techniques (mitre), 3 others
Description
Unit 42 is tracking ongoing threat activity targeting on-premises Microsoft SharePoint servers, particularly within government, schools, healthcare, and large enterprises. Multiple vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) allow unauthenticated attackers to access restricted functionality and execute arbitrary commands. Active exploitation has been observed, with attackers bypassing identity controls, exfiltrating data, deploying backdoors, and stealing cryptographic keys. Affected organizations are urged to immediately disconnect vulnerable servers, apply patches, rotate cryptographic material, and engage professional incident response. The vulnerabilities impact SharePoint Enterprise Server 2016 and 2019, with some also affecting SharePoint Server Subscription Edition. Cloud-based SharePoint is not affected.