Microsoft confirms global SharePoint attack and issues emergency update
Threat actors are actively exploiting two zero-day vulnerabilities found in on-premise instances of Microsoft SharePoint to gain complete, unauthenticated remote access to content, file systems, internal configurations, and cryptographic keys, according to a late Sunday (7/20) alert issued by the US Cybersecurity and Infrastructure Security Agency (CISA).
The attackers can leverage this access to execute code over the network and exfiltrate system data. Palo Alto’s Unit 42 researchers were among the first to report the active exploit of the vulnerabilities found in SharePoint 2016 and SharePoint 2019 (CVE-2025-49704 and CVE-2025-49706).
“These flaws allow unauthenticated attackers to access restricted functionality,” researchers wrote. “When chained together, they enable arbitrary command execution on vulnerable SharePoint servers.”
Attackers have been observed dropping malicious ASPX payloads via PowerShell, stealing machine keys to maintain persistent access, and targeting organizations worldwide.
Microsoft recommends that SharePoint instances be updated as soon as possible, including patching the flaws immediately. Researchers warned: “These exploits are real, in-the-wild, and pose a serious threat.”
The CISA alert shows the active exploit enables unauthorized access to on-prem SharePoint servers. While these zero-days are new, the current exploit is a variant of an existing “ToolShell” vulnerability (CVE-2025-49706).
Eye Security scanned more than 8000 global SharePoint servers and “discovered dozens of systems actively compromised during two waves of attack, on July 18 and July 19.”
To reduce the risk tied to the RCE compromise, CISA recommends that network defenders:
- Configure the Antimalware Scan Interface (AMSI) and leverage Microsoft Defender AV on all SharePoint servers
- Disconnect any vulnerable, public-facing SharePoint instance from service if AMSI can’t be enabled, until official mitigations become available
- Once official mitigations are released, promptly apply them to the impacted instances according to instructions from Microsoft and CISA
- Update intrusion prevention system and web-application firewall rules to block exploit patterns and anomalous behavior
- Implement comprehensive logging to identify exploitation activity
- Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
- Audit and minimize layout and admin privileges
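The two monitoring items in the list above (POSTs to ToolPane.aspx with DisplayMode=Edit, and the three listed source IPs during the July 18-19 window) can be checked directly against IIS request logs, since on-premise SharePoint serves its pages through IIS. The following script is an added example written for this article and is not code from CISA, Microsoft, or any of the researchers quoted. It assumes the default IIS W3C log field layout, and the log excerpt it parses is constructed for illustration (private and documentation-range addresses apart from the three indicator IPs, which are taken from the article with the defanging brackets removed).

```python
"""Triage IIS W3C logs for the ToolShell indicators CISA lists.

Added example for this article; not CISA's, Microsoft's, or any vendor's code.
Assumes the default IIS W3C field layout (read from the #Fields header).
"""
from datetime import date
from urllib.parse import parse_qs

# Indicators taken from the article's CISA recommendations.
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"           # compared case-insensitively
KNOWN_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}  # refanged from 107.191.58[.]76 etc.
WINDOW = (date(2025, 7, 18), date(2025, 7, 19))        # the two attack waves Eye Security observed

# Constructed IIS log excerpt (not real traffic). Authenticated GETs to ToolPane.aspx
# are normal editor activity; the indicator is an unauthenticated POST with DisplayMode=Edit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2025-07-18 14:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 310
2025-07-19 03:15:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx displaymode=edit 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 95
2025-07-20 09:00:00 10.0.0.5 GET /sites/hr/default.aspx - 443 DOMAIN\\bob 96.9.125.147 Mozilla/5.0 - 200 0 0 80
2025-07-18 14:05:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 50
"""


def parse_iis(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed or pre-header line; skip rather than misalign columns
        yield dict(zip(fields, values))


def toolpane_edit_posts(records):
    """Return requests matching CISA's 'POST to ToolPane.aspx?DisplayMode=Edit' indicator.

    Path and parameter names are matched case-insensitively because IIS/ASP.NET treat them that way.
    """
    hits = []
    for r in records:
        if r["cs-method"].upper() != "POST":
            continue
        if r["cs-uri-stem"].lower() != TOOLPANE_PATH:
            continue
        params = {k.lower(): v for k, v in parse_qs(r["cs-uri-query"]).items()}
        if any(v.lower() == "edit" for v in params.get("displaymode", [])):
            hits.append(r)
    return hits


def known_ip_hits(records):
    """Return (record, in_window) pairs for requests from the three listed IPs.

    A hit outside July 18-19 is still reported, just flagged as outside the stated window.
    """
    hits = []
    for r in records:
        if r["c-ip"] in KNOWN_IPS:
            day = date.fromisoformat(r["date"])
            hits.append((r, WINDOW[0] <= day <= WINDOW[1]))
    return hits


def triage(log_text):
    """Summarise both indicator checks over a whole log file's text."""
    records = list(parse_iis(log_text))
    posts = toolpane_edit_posts(records)
    ip_hits = known_ip_hits(records)
    return {
        "toolpane_edit_posts": len(posts),
        "known_ip_in_window": sum(1 for _, w in ip_hits if w),
        "known_ip_outside_window": sum(1 for _, w in ip_hits if not w),
    }


if __name__ == "__main__":
    for r in toolpane_edit_posts(parse_iis(SAMPLE_LOG)):
        print("ToolPane edit POST:", r["date"], r["time"], r["c-ip"], r["cs-username"])
    for r, in_window in known_ip_hits(parse_iis(SAMPLE_LOG)):
        print("listed IP:", r["c-ip"], r["date"], "in window" if in_window else "outside window")
    print(triage(SAMPLE_LOG))
```

On real servers the files live under the IIS log directory for the SharePoint web application; point `triage` at each file's contents. A match on the POST indicator from an unauthenticated source (`cs-username` of `-`) is the strongest signal here, while a listed IP outside the window is worth a look but is weaker evidence on its own.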
CISA previously issued a Binding Operational Directive for network defenders to reduce the risk of known exploited vulnerabilities. This guidance includes goals for vulnerability management. Further, Microsoft released customer support guidance for the SharePoint vulnerabilities to reduce the risk of exploit.