Critical SharePoint Vulnerabilities Under Active Exploitation

Krystal Martin CPA MSA photo By

Key Concerns

  • Multiple critical vulnerabilities in Microsoft SharePoint’s on-premise solutions are being actively exploited.
  • Attackers are using these flaws to gain unauthenticated access, execute remote code, and deploy ransomware.
  • Even previously patched systems may be vulnerable due to new bypass techniques.
  • CISA has issued an urgent alert and added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

What You Need to Know

On July 24, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued a high-priority alert regarding a series of vulnerabilities in Microsoft SharePoint’s on-premise solutions (NOTE: Microsoft 365 is not affected) that are currently being exploited in the wild. These vulnerabilities, CVE-2025-49704 and CVE-2025-49706, allow attackers to remotely execute code and access SharePoint content without authentication. Even more concerning, attackers have developed bypasses for Microsoft’s initial patches (CVE-2025-53770 and CVE-2025-53771), rendering many systems still vulnerable despite prior remediation efforts.

The attack chain, dubbed “ToolShell,” has been linked to the deployment of Warlock ransomware, among other malicious payloads. These exploits are being used to infiltrate networks, steal data, and disrupt operations. The threat actors are targeting both public-facing and internal SharePoint servers, with a focus on organizations that have not yet applied the latest security updates or lack advanced endpoint protection.

This is not a theoretical risk. CISA has observed active exploitation, including the use of specific IP addresses and file types that indicate a coordinated campaign. The vulnerabilities affect a wide range of SharePoint versions, and older, unsupported versions (like SharePoint 2013) are especially at risk.

What You Should Do Now

  • Apply Microsoft’s July 2025 security updates to all SharePoint servers.
  • Enable AMSI (Antimalware Scan Interface) and ensure Microsoft Defender Antivirus is active and up to date.
  • Disconnect any public-facing SharePoint servers that cannot support AMSI until mitigations are in place.
  • Rotate ASP.NET machine keys before and after patching, and restart IIS services.
  • Audit administrative privileges and reduce access to the minimum necessary.
  • Monitor for suspicious activity, including:
    • Requests to /SignOut.aspx and /ToolPane.aspx?DisplayMode=Edit
    • Traffic from known malicious IPs: 107.191.58.76, 104.238.159.149, 96.9.125.147
  • Update web application firewall (WAF) and intrusion prevention rules, and ensure logging and alerting are configured for SharePoint-related anomalies.
    • Verify Firewall (Next Generation and Stateful) vendor has applied updates definitions and signatures or manually apply preventive rules and/or patches

Final Thoughts

This is a high-severity, actively exploited threat that demands executive attention. Organizations that rely on SharePoint—especially on-premise deployments—must act swiftly to patch, monitor, and harden their environments. Delays in response could result in operational disruption, data loss, or reputational damage.

We strongly recommend that all organizations promptly engage their technical support professionals to address these SharePoint vulnerabilities. Leveraging the expertise of your IT team will help ensure comprehensive mitigation, minimize risk, and safeguard your operations against ongoing threats.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.