Active Exploitation of Microsoft SharePoint Vulnerabilities
July 22, 2025, 9:29 a.m.
Description
Unit 42 is tracking ongoing threat activity targeting on-premises Microsoft SharePoint servers, particularly within government, schools, healthcare, and large enterprises. Multiple vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) allow unauthenticated attackers to access restricted functionality and execute arbitrary commands. Active exploitation has been observed, with attackers bypassing identity controls, exfiltrating data, deploying backdoors, and stealing cryptographic keys. Affected organizations are urged to immediately disconnect vulnerable servers, apply patches, rotate cryptographic material, and engage professional incident response. The vulnerabilities impact SharePoint Enterprise Server 2016 and 2019, with some also affecting SharePoint Server Subscription Edition. Cloud-based SharePoint is not affected.
Tags
Date
- Created: July 22, 2025, 8:31 a.m.
- Published: July 22, 2025, 8:31 a.m.
- Modified: July 22, 2025, 9:29 a.m.
Indicators
Attack Patterns
Additional Information
- Healthcare
- Education
- Government