Microsoft Warns of Active Attacks on On-Prem SharePoint Servers

Summary
– Microsoft warns of active exploitation of SharePoint vulnerabilities, targeting critical sectors like government and healthcare, with high risk to on-premises servers.
– Attackers are installing web shells and stealing cryptographic secrets, bypassing identity controls like MFA and SSO to gain privileged access.
– Two vulnerabilities (CVE-2025-53770 and CVE-2025-53771) are being exploited, with one rated critical (CVSS 9.8) allowing remote code execution.
– Microsoft advises immediate action, including patching, rotating cryptographic material, and disconnecting SharePoint from the internet if necessary.
– Partial fixes are available for SharePoint Subscription Edition and SharePoint 2019, but no patches yet exist for SharePoint 2016, with an emergency update expected.
Microsoft has issued a clear warning: active cyberattacks are hitting on-premises SharePoint servers, putting sensitive data in government, healthcare, and large corporate networks directly in harm’s way. Threat groups are taking advantage of unpatched vulnerabilities, dropping malicious web shells, and stealing cryptographic keys that help them slip past normal defenses.
Investigators have seen attackers bypass multi-factor authentication (MFA) and single sign-on (SSO) safeguards, grabbing privileged access to entire SharePoint environments. Once inside, they don’t stop: these intrusions lead to persistent access, data exfiltration, and wider compromise of connected Microsoft services like Teams, Outlook, and OneDrive.
At the heart of this spike: two major security flaws. One in particular, CVE-2025-53770 (CVSS 9.8), opens the door for remote code execution, letting unauthorized users run malicious commands over a network. Microsoft has pushed out patches for SharePoint Subscription Edition and SharePoint 2019, but SharePoint 2016 remains without a fix, leaving countless setups wide open.
Security experts are urging IT teams to assume breach if servers are internet-facing. The attackers’ methods are unusually advanced, using stolen cryptographic keys to forge authentication tokens that can keep them in the system even after updates are rolled out. Researchers point to compromised MachineKeys, which protect SharePoint’s VIEWSTATE, as the weak link that lets attackers skip security checks and execute code out of sight.
Dutch firm Eye Security says two separate waves have hit so far, with dozens of systems compromised in just 24 hours. Meanwhile, Palo Alto Networks’ Unit 42 warns that one SharePoint breach can easily become a full network takeover, setting off a domino effect across a company’s infrastructure.
While Microsoft races to patch SharePoint 2016, security teams are being told to dig into incident response now to catch intrusions that might already be lurking unnoticed. Companies running only SharePoint Online in the cloud can breathe easier: these attacks target on-premises deployments, once again underlining their unique exposure.
(Source: Info Security)