A zero-day bug in Microsoft SharePoint is being actively exploited by attackers.
The attack appears to be based on a pair of vulnerabilities found and responsibly disclosed at a recent hacking competition (Pwn2Own Berlin, which took place in May 2025).
Those bugs were supposedly fixed in Microsoft’s July 2025 Patch Tuesday update, which came out on 2025-07-08, claiming to close off the following vulnerabilities in SharePoint Server: CVE-2025-49701, CVE-2025-49703, CVE-2025-49704, and CVE-2025-49706.
But the Patch Tuesday fixes were incomplete, and new zero-day exploits recently appeared that are able to attack on-premises SharePoint servers, even after they’ve been patched.
As Microsoft writes:
Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.
These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.
These follow-on vulnerabilities have been given new bug identifiers: CVE-2025-53770 and CVE-2025-53771.
Microsoft has published “patches-to-patch-the-patches” for these new CVEs, but at the time of writing [2025-07-21T17:30:00Z], the company’s advice is ambiguous.
At one point in Microsoft’s advisory, the company provides official links to updates for SharePoint Server Subscription Edition and Microsoft SharePoint Server 2019, noting explicitly that an update for SharePoint Server 2016 is “not available yet.”
But despite linking to a SharePoint 2019 patch, a remark directly underneath states that Microsoft is still “working on security updates for supported versions of SharePoint 2019 and SharePoint 2016,” in an apparent contradiction implying that SharePoint 2019 isn’t fixed yet.
We therefore strongly suggest following the advice that immediately follows, namely, “Please check [the Microsoft blog article] for updates.”
Reports from Microsoft and other security researchers suggest that as-yet-unknown cyberattackers have been actively and successfully exploiting these holes to inject and execute unauthorized code on attacked servers.
One known attack vector involves leaving behind what’s known as a webshell: a server-side .ASPX file that, when later visited by the attackers and processed by SharePoint, triggers the execution of unwanted C# code embedded inside the rogue file.
Webshells are therefore effectively latent malware that can be activated right on the server itself, simply by accessing the URL that references the webshell’s file.
This means that even an innocent-looking visit using a regular web browser is enough to let the criminals activate the hidden malware whenever they want.
(Windows webshells can be coded in a variety of different scripting languages, including PHP, VBScript, JavaScript, PowerShell, C#, and more.)
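As an added illustration of the activation pattern just described (this is not code from the original article, from Microsoft, or from SolCyber), here is a small defender-side check in Python that reads IIS W3C log lines and flags any request that reached an .aspx path outside a known inventory of legitimate pages. The baseline list, the log lines, and the webshell file name are constructed placeholders, not real indicators.

```python
"""Flag requests to .aspx resources that are not part of the known page inventory.
A dropped webshell is triggered simply by fetching its URL, so the request that
activates it looks like an ordinary page view apart from the unfamiliar path."""
from pathlib import PurePosixPath

# Constructed baseline of legitimate .aspx paths. Assumption: in practice this
# comes from an inventory of the SharePoint install, not from a hand-written list.
KNOWN_ASPX = {"/sites/intranet/default.aspx", "/_login/default.aspx"}

# W3C extended log format; field order must match the log's own #Fields line.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

def parse_line(line):
    """Split one W3C log line into a dict; directives and blank lines yield None."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def suspicious_aspx_hits(lines, known=KNOWN_ASPX, served_only=True):
    """Return (c-ip, method, path, status) for each request to an .aspx path
    outside the known inventory. With served_only, keep only responses below 400:
    a 2xx for an unknown .aspx means the server executed a page it did not ship."""
    hits = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        path = rec["cs-uri-stem"].lower()
        status = int(rec["sc-status"])
        if PurePosixPath(path).suffix != ".aspx" or path in known:
            continue
        if served_only and status >= 400:
            continue
        hits.append((rec["c-ip"], rec["cs-method"], path, status))
    return hits

# Constructed sample log; "placeholder_shell.aspx" is a made-up name, not a real IoC.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-20 03:14:07 10.0.0.5 GET /sites/intranet/default.aspx - 443 DOMAIN\\alice 10.0.0.21 Mozilla/5.0 200
2025-07-20 03:14:09 10.0.0.5 POST /sites/intranet/placeholder_shell.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-20 03:14:12 10.0.0.5 GET /sites/intranet/placeholder_shell.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-20 03:15:00 10.0.0.5 GET /sites/intranet/missing.aspx - 443 - 10.0.0.22 Mozilla/5.0 404
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_aspx_hits(SAMPLE_LOG):
        print("unknown .aspx served:", hit)
```

Any hit deserves a look at the file on disk: a legitimate page missing from the baseline is a baseline bug, while an .aspx file nobody installed is exactly the latent malware described above.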
Rogue webshell code can, in theory, do almost anything, such as: probe and map your network from the inside; download and run additional programs; make unauthorized security changes to the system; steal files; modify official content to show fake news or serve up malware; and many other nasty tricks.
In this case, at least one known webshell payload deployed by the attackers goes after SharePoint authentication tokens, aiming to steal passwords that can be used to get back in later, rather than stealing files that already exist.
The problem with stolen access codes, of course, is that they leave your server open to the original attackers even after you have applied any available patches to stop them exploiting the original security holes.
In this case, you need to change the relevant SharePoint passwords and restart your SharePoint services to invalidate any existing access codes that might have been stolen.
If you run any SharePoint servers of your own (or pay someone to run them for you, even if those servers aren’t located on your own premises):
If you don’t have the time or expertise to go through all these steps yourself, why not contact SolCyber for help?
Let us be your 24/7 Security Operations Center, so you can focus on your core business instead of being distracted every time there’s a cybersecurity situation.
Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!