Active Exploitation Of Microsoft Sharepoint Vulnerabilities: Threat Brief

2025-07-23 03:16:28

(MENAFN- Asdaf News) Dubai – Asdaf News:

Executive Summary
Palo Alto Networks' Unit 42 is tracking high-impact, ongoing threat activity targeting on-premises Microsoft SharePoint servers. While cloud environments remain unaffected, on-premises SharePoint deployments - particularly within government, schools, healthcare (including hospitals) and large enterprise companies - are at immediate risk.

CVE-2025-49704, CVE-2025-49706 , CVE-2025-53770 and CVE-2025-53771 are a set of vulnerabilities that impact Microsoft SharePoint. CVE-2025-49704 and CVE-2025-49706, or CVE-2025-53770 and CVE-2025-53771 may be chained together, which can allow unauthenticated threat actors to access functionality that is normally restricted, to run arbitrary commands on vulnerable instances of Microsoft SharePoint.

In addition to the CVE reports, Microsoft has released further guidance on these vulnerabilities. The vulnerabilities, their CVSS scores and their descriptions are detailed in Table 1.

CVE Number	Description	CVSS Score
CVE-2025-49704	Improper control of generation of code (code injection) in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.	8.8
CVE-2025-49706	Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.	6.5
CVE-2025-53770	Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.	9.8
CVE-2025-53771	Improper limitation of a pathname to a restricted directory (path traversal) in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.	6.5

Table 1. List of recent vulnerabilities affecting Microsoft SharePoint.

These vulnerabilities all apply to Microsoft SharePoint Enterprise Server 2016 and 2019. CVE-2025-49706 and CVE-2025-53770 also apply to Microsoft SharePoint Server Subscription Edition. Microsoft has stated that SharePoint Online in Microsoft 365 is not impacted.

We are currently working closely with the Microsoft Security Response Center (MSRC) to ensure that our customers have the latest information and we are actively notifying affected customers and other organizations. This situation is evolving rapidly, so it's advisable to check Microsoft's recommendations frequently.

We have observed active exploitation of these SharePoint vulnerabilities. Attackers are bypassing identity controls, including multi-factor authentication (MFA) and single sign-on (SSO), to gain privileged access. Once inside, they're exfiltrating sensitive data, deploying persistent backdoors and stealing cryptographic keys.

The attackers have leveraged these vulnerabilities to get into systems and in some cases are already establishing their foothold. If you have SharePoint on-premises exposed to the internet, you should assume that you have been compromised. Patching alone is insufficient to fully evict the threat.

We are urging organizations who are running vulnerable on-premises SharePoint to take the following actions immediately:

Apply all relevant patches now and as they become available
Rotate all cryptographic material
Engage professional incident response

For the full report, please visit here

Tags#Microsoft #Palo Alto #SharePoint servers

MENAFN23072025007116015312ID1109839048

Legal Disclaimer:
MENAFN provides the information “as is” without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the provider above.