Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief

July 24, 2025, 9:34 a.m.

Description

Several critical vulnerabilities in Microsoft SharePoint are being actively exploited, targeting on-premises servers in government, education, healthcare, and large enterprises. The vulnerabilities allow unauthenticated attackers to bypass security controls and gain privileged access, leading to data exfiltration and backdoor deployment. Immediate actions recommended include patching, disconnecting vulnerable servers, rotating cryptographic material, and engaging professional incident response. Multiple variations of exploitation have been observed, involving command execution and web shell creation. Palo Alto Networks products offer various protections against these threats, including detection and blocking capabilities.

External References

https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/?pdf=print&lg=en&_wpnonce=4083d9d379
https://otx.alienvault.com/pulse/688170c8aa4532178fc3deb2
Tags
vulnerability
exploitation
web shell
sharepoint
CVE-2025-53770
CVE-2025-53771
CVE-2025-49704
CVE-2025-49706
on-premises
2025-07-23
unauthenticated access

Date

  • Created: July 23, 2025, 11:31 p.m.
  • Published: July 23, 2025, 11:31 p.m.
  • Modified: July 24, 2025, 9:34 a.m.

Attack Patterns

Additional Informations

  • Healthcare
  • Education
  • Government