Microsoft has alerted users about ongoing cyberattacks that are specifically targeting on-premises SharePoint servers, which are commonly used by both government agencies and businesses. These attacks exploit a critical zero-day vulnerability, risking tens of thousands of servers and prompting immediate protective measures.
Understanding the Cyber Threat to SharePoint Servers
In a security advisory issued on July 20, 2025, Microsoft announced that its investigations revealed these attacks are limited to on-premises SharePoint Servers. Notably, SharePoint Online, the cloud-based variant included in Microsoft 365, is not impacted by this vulnerability.
The Nature of the Vulnerability
The vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, allow an authorized attacker to carry out spoofing attacks across networks. Spoofing involves an attacker impersonating a legitimate source to gain unauthorized access, which can result in significant system compromise and potential data breaches.
Zero-Day Exploitation: Immediate Threats
Because this is a zero-day attack, one that exploits a previously undisclosed software flaw before Microsoft has had a chance to release a patch, the situation is particularly alarming. Reports, including one from The Washington Post, indicate that the vulnerability has been leveraged against various governmental and organizational targets both in the U.S. and abroad.
While Microsoft has not publicly identified the attackers or the scale of affected entities, the potential impact is extensive given SharePoint’s widespread use across sectors like government, healthcare, and education.
Critical Security Updates Released
In response to the ongoing threats, Microsoft has deployed security updates for SharePoint Server Subscription Edition and SharePoint Server 2019. Users are encouraged to apply these updates immediately to safeguard against known vulnerabilities. However, users of SharePoint Server 2016 are still awaiting updates, and Microsoft advises checking their official blog for the latest information.
Mitigation Strategies for SharePoint Users
To assist organizations in minimizing their exposure to these vulnerabilities, Microsoft has outlined several key steps:
- Utilize Supported SharePoint Versions
Confirm that your organization is using supported versions such as SharePoint Server 2016, 2019, or Subscription Edition.
- Implement July 2025 Security Updates
Prompt application of the latest security updates is vital. Specific updates include:
  - SharePoint Server 2019: KB5002741
  - SharePoint Enterprise Server 2016: KB5002744
- Enable AMSI (Antimalware Scan Interface)
Integrate AMSI with Defender Antivirus to detect and block malicious activities. This integration was enabled by default in the September 2023 security update for both SharePoint Server 2016 and 2019. In instances where AMSI cannot be enabled, Microsoft advises disconnecting affected servers from the internet until fixes are applied.
- Employ Microsoft Defender for Endpoint
Organizations should integrate Defender for Endpoint or comparable endpoint protection to detect and handle post-exploitation activities.
- Rotate ASP.NET Machine Keys and Restart IIS
After updates or AMSI enabling, it’s critical to rotate the ASP.NET machine keys and restart IIS across all SharePoint servers. This can be accomplished using PowerShell (Update-SPMachineKey cmdlet) or through Central Administration, followed by a restart command using iisreset.exe.
Additionally, Microsoft recommends monitoring detection logs and telemetry using Microsoft Defender Vulnerability Management to identify any signs of exploitation attempts.
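The patch-then-rotate sequence above, as an added PowerShell example that is not part of Microsoft's advisory: it checks the farm build against the fixed build for your edition before rotating keys, then rotates the machine keys on every web application and restarts IIS on each SharePoint server. It assumes you run it from the SharePoint Management Shell as a farm administrator and that PowerShell remoting is enabled to the other farm servers; the `$FixedBuild` value is supplied by you from the table of fixed builds.

```powershell
# Added example, not code from the Microsoft advisory. Run from the SharePoint
# Management Shell on one farm server as a farm administrator.
# Assumptions: PowerShell remoting to the other farm servers works, and the
# fixed build you pass matches your edition (e.g. 16.0.10417.20027 for
# SharePoint Server 2019 per KB5002741).
param(
    [Parameter(Mandatory)][version]$FixedBuild,
    [switch]$SkipIisReset
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Confirm the farm is patched before rotating keys. Rotating keys on an
#    unpatched farm leaves the exploited flaw in place.
$build = (Get-SPFarm).BuildVersion
if ($build -lt $FixedBuild) {
    throw "Farm build $build is below fixed build $FixedBuild; install the July 2025 security update first."
}
Write-Host "Farm build $build is at or above fixed build $FixedBuild."

# 2. Rotate the ASP.NET machine keys on every web application, including
#    Central Administration. Update-SPMachineKey generates new keys and
#    propagates them to all servers in the farm.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS on every SharePoint server so the new keys take effect.
#    Servers whose Role is 'Invalid' are not SharePoint servers (for example
#    the SQL host) and are skipped.
if (-not $SkipIisReset) {
    $servers = Get-SPServer |
        Where-Object { $_.Role -ne 'Invalid' } |
        Select-Object -ExpandProperty Address
    foreach ($server in $servers) {
        Write-Host "Restarting IIS on $server"
        Invoke-Command -ComputerName $server -ScriptBlock { iisreset.exe /noforce }
    }
}
```

Use `-SkipIisReset` if you prefer to restart IIS on each server by hand during a maintenance window; the key rotation still applies farm-wide.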
Coordinated Response from Federal Authorities
The FBI is actively investigating the attacks, collaborating with various public and private sector stakeholders. While they haven’t shared exhaustive details, they confirmed ongoing efforts to address the situation. Concurrently, the Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-53770 in its Known Exploited Vulnerabilities Catalog, highlighting the serious implications for federal operations and urging organizations to promptly follow Microsoft’s recommended steps.
Reassurance for SharePoint Online Users
Microsoft has confirmed that SharePoint Online users are not vulnerable to these attacks, allowing organizations using the cloud-based version as part of Microsoft 365 to maintain their operations safely. Nevertheless, they are advised to remain vigilant about emerging threats.
Summary of Security Updates
| Product | KB Article | Fixed Build Number |
|---|---|---|
| SharePoint Server 2019 | KB5002741 | 16.0.10417.20027 |
| SharePoint Enterprise Server 2016 | KB5002744 | 16.0.5508.1000 |
| SharePoint Subscription Edition | KB5002768 | Security Update Released |
| SharePoint Server 2016 (Full Fix) | Pending | In progress |
Recommended Actions for Organizations
As Microsoft continues to evaluate the ongoing cyber threats, organizations utilizing on-premises SharePoint servers should take immediate action by:
- Applying all suggested updates
- Enabling protective tools and AMSI
- Rotating machine keys
- Monitoring systems for potential compromises
Given the active exploitation of these vulnerabilities, prompt action is crucial to protect sensitive information and ensure system integrity.