On-Premise MS SharePoint Servers are the Latest Target
China-linked hacking groups are targeting on-premises SharePoint servers.
The Microsoft Security Response Center (MSRC) recently published a blog post addressing active attacks against on-premises SharePoint servers that exploit CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability. The post was later updated with information on CVE-2025-53770, a ToolShell vulnerability, and CVE-2025-53771, a ToolShell path traversal vulnerability. These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365. Microsoft has released new, comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these vulnerabilities. Customers should apply these updates immediately to ensure they are protected. It bears repeating that these vulnerabilities do not affect Microsoft 365 or the SharePoint Online version of SharePoint Server.
Speed of Attacks
Microsoft disclosed the vulnerabilities CVE-2025-49706 and CVE-2025-49704 on July 8, 2025, and at the time they were published no exploitation had been seen. Microsoft also released security patches for these CVEs on July's Patch Tuesday, which was also July 8. Microsoft published CVE-2025-53770 and CVE-2025-53771 on July 19, 2025, and immediately noted that this was a variant of CVE-2025-49706. Microsoft released an emergency out-of-band security update for CVE-2025-53770 and CVE-2025-53771 the same day, which provides more robust handling of the earlier, similar vulnerabilities.
Intensity of Attacks
Since July 19, attackers have breached over 400 government SharePoint servers and countless corporate SharePoint servers, according to information published in media outlets. It is likely that every unpatched or out-of-date SharePoint server will be breached if system administrators fail to patch their systems immediately or have inadequate protections in place.
Prevention
Microsoft has released guidance on prevention and detection. It is highly advisable to have Security Operations Center (SOC) monitoring and advanced endpoint protection solutions (XDR) in place to provide protection from these types of zero-day or near-zero-day attacks. Many SOC services were able to see and prevent these attacks with active monitoring and response services.
This attack underscores the need to address vulnerabilities continuously. Using vulnerability scanning services and remediating every vulnerability found is essential. Updating software and operating systems to the latest releases is extremely helpful, and installing all security patches and fixes as they are released is becoming essential to system security.
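As an added example (not from the original post and not Microsoft's own guidance), the following PowerShell verifies the patch state of an on-premises farm: it compares the farm build to a minimum patched build and flags any server that has the update installed but has not yet had the Products Configuration Wizard run. It assumes it is run in an elevated SharePoint Management Shell on a farm member, and the `$minimumPatchedBuild` value is a placeholder that must be replaced with the build number Microsoft lists for the July 2025 update for your edition.

```powershell
# Added example (not part of the original post): check whether an on-premises
# SharePoint farm is at or above the build of the July 2025 security update.
# Run in an elevated SharePoint Management Shell on a farm member.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDER: replace with the build number Microsoft lists for the July 2025
# update for your edition (Subscription Edition, 2019 or 2016).
$minimumPatchedBuild = [version]'0.0.0.0'

$farm = Get-SPFarm
Write-Output ("Farm build: {0}" -f $farm.BuildVersion)

if ($farm.BuildVersion -lt $minimumPatchedBuild) {
    Write-Warning "Farm build is below the expected patched build: install the July 2025 SharePoint security update on every server, then run the Products Configuration Wizard (psconfig)."
} else {
    Write-Output "Farm build is at or above the expected patched build."
}

# A farm is only as patched as its least-patched server: a server whose binaries
# were updated but that still needs psconfig reports NeedsUpgrade = True.
Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |        # skip the database server entry
    ForEach-Object {
        if ($_.NeedsUpgrade) {
            Write-Warning ("{0}: update installed but psconfig not yet run (NeedsUpgrade)" -f $_.Name)
        } else {
            Write-Output ("{0}: no pending upgrade" -f $_.Name)
        }
    }
```

Run this on every farm after applying an update; the farm-level build alone can look correct while an individual web front end still reports a pending upgrade, and that server remains exposed until psconfig completes on it.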
Who is Responsible for these Attacks
Two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, are actively exploiting these vulnerabilities against internet-facing SharePoint servers. In addition, another China-based threat actor, Storm-2603, has been observed exploiting these vulnerabilities to deploy ransomware. Investigations into other actors using these exploits are still ongoing. Given the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.