Urgent to admins of on-prem SharePoint: Address this zero-day vulnerability now
Hole called 'high-severity, high impact' to servers open to the internet
Admins of Microsoft products are urged to immediately patch and address what one security company calls a high-severity, high-urgency vulnerability in on-premises versions of SharePoint. In fact, Palo Alto Networks says that if your implementation is open to the internet, you should assume your IT network has been compromised.
According to Satnam Narang, senior staff research engineer at Tenable, a threat actor has been able to steal machine key configuration details from vulnerable SharePoint Servers that include both a validationKey and a decryptionKey. These details can be used by attackers to create specially crafted requests that could be used to gain unauthenticated remote code execution.
The attack surface for this vulnerability is large at over 9,000 externally accessible SharePoint servers, he added. Patches started to roll out late Sunday, including fixes for SharePoint Server 2019 and SharePoint Subscription Edition. A patch for SharePoint Server 2016 is not yet available but is expected to be released soon.
“Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access,” warns Palo Alto Networks. “Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold. If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat.
“What makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform, including their services like Office, Teams, OneDrive and Outlook, which has all the information valuable to an attacker. A compromise doesn’t stay contained—it opens the door to the entire network.
“This is a high-severity, high-urgency threat. We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response. An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available. A false sense of security could result in prolonged exposure and widespread compromise.”
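Narang's point about the stolen validationKey and Palo Alto Networks' call to rotate all cryptographic material are two sides of the same problem: a request authenticated by a keyed MAC is trusted because of the key, so once the key has leaked, verification alone cannot tell the server's own tokens from anyone else's, and only rotation removes that trust. The following is an added example, not code from the article, from Microsoft or from SharePoint; it is a deliberately simplified keyed-MAC model (base64 of payload plus HMAC-SHA256 tag), not ASP.NET's actual MachineKey or ViewState encoding, and the two-server farm, the server names and the token payloads are constructed. What it shows is the check a responder wants after rotation: tokens minted under the old key must be rejected on every server in the farm, and a rotation that reaches only some servers leaves the old key trusted on the rest.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 tag


def sign(payload: bytes, validation_key: bytes) -> bytes:
    """Simplified keyed-MAC token: base64(payload || HMAC-SHA256(key, payload)).
    Hypothetical model for illustration, not ASP.NET's real MachineKey/ViewState format."""
    tag = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag)


def verify(token: bytes, validation_key: bytes) -> Optional[bytes]:
    """Return the payload if its tag was produced with validation_key, else None.
    A holder of the same key produces tokens this check cannot distinguish."""
    raw = base64.b64decode(token)
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def new_validation_key() -> bytes:
    """Fresh random key; 64 bytes is plenty for an HMAC-SHA256 key."""
    return secrets.token_bytes(64)


def rotate_farm(farm: Dict[str, bytes], servers: Optional[List[str]] = None) -> Dict[str, bytes]:
    """Return a copy of the farm with one new shared key installed on `servers`
    (every server when `servers` is None). Servers in a farm must share the key,
    so a rotation that misses a server is a partial rotation."""
    fresh = new_validation_key()
    targets = set(servers) if servers is not None else set(farm)
    return {name: (fresh if name in targets else key) for name, key in farm.items()}


def servers_still_trusting(token: bytes, farm: Dict[str, bytes]) -> List[str]:
    """Names of servers that still accept a token. After a complete rotation of a
    leaked key this list must be empty for any token minted under that key."""
    return sorted(name for name, key in farm.items() if verify(token, key) is not None)


def rotation_check() -> Dict[str, List[str]]:
    """Constructed walkthrough: a two-server farm sharing a key that is assumed leaked,
    a token minted under it, then a partial and a complete rotation."""
    leaked = new_validation_key()
    farm = {"wfe1": leaked, "wfe2": leaked}          # constructed farm layout
    old_token = sign(b"state-minted-before-rotation", leaked)
    partial = rotate_farm(farm, servers=["wfe1"])    # rotation that missed wfe2
    complete = rotate_farm(farm)                     # rotation on every server
    return {
        "before": servers_still_trusting(old_token, farm),
        "partial": servers_still_trusting(old_token, partial),
        "complete": servers_still_trusting(old_token, complete),
    }


if __name__ == "__main__":
    for stage, names in rotation_check().items():
        print(f"{stage:>8}: old token still accepted by {names or 'no server'}")
```

The operational caveat the model makes visible: a complete rotation also invalidates every legitimate token issued under the old key, so users and integrations re-authenticate after it. That cost is expected and is not a reason to rotate only part of a farm.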
This comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Sunday it is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premise SharePoint servers.
“While the scope and impact continue to be assessed, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations. This exploitation activity, publicly reported as “ToolShell,” provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.”
CISA recommends that admins:
- configure Antimalware Scan Interface (AMSI) in SharePoint and deploy Microsoft Defender AV on all SharePoint servers;
- if AMSI cannot be enabled, disconnect affected products that are public-facing on the internet from service until official mitigations are available, then apply the mitigations according to CISA and vendor instructions;
- follow the applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are not available;
- see Microsoft’s Customer Guidance for SharePoint Vulnerability and the advisory for CVE-2025-49706; CISA encourages organizations to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment;
- monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit;
- scan for the IPs 107.191.58[.]76, 104.238.159[.]149 and 96.9.125[.]147, particularly between July 18-19, 2025;
- update intrusion prevention system and web application firewall rules to block exploit patterns and anomalous behavior (for more information, see CISA’s Guidance on SIEM and SOAR Implementation);
- implement comprehensive logging to identify exploitation activity (for more information, see CISA’s Best Practices for Event Logging and Threat Detection);
- audit and minimize layout and admin privileges.
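CISA's two concrete indicators, POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit and the three source IPs, are a natural first triage pass over a SharePoint server's IIS access logs. The script below is an added example, not code from the article or from CISA; it parses W3C-format IIS log lines using the #Fields header, flags both indicators, and notes whether an IP hit falls inside the July 18-19, 2025 window CISA singled out. The log lines are constructed for the example (the 10.0.0.0/8 and 203.0.113.0/24 addresses are not from the article); the three indicator IPs are the ones CISA published, refanged here so they match log text.

```python
from datetime import date
from typing import Dict, Iterator, List

# Indicators quoted in CISA's guidance above
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"      # compared case-insensitively
TOOLPANE_QUERY_MARKER = "displaymode=edit"
# Defanged in the article as 107.191.58[.]76 etc.; refanged for matching against logs
IOC_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
IOC_WINDOW = (date(2025, 7, 18), date(2025, 7, 19))

# Constructed sample in IIS W3C format; the non-indicator addresses are made up
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.23 Mozilla/5.0 - 200
2025-07-18 14:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 Mozilla/5.0 - 200
2025-07-19 02:17:05 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.9 python-requests/2.32 - 200
2025-07-20 09:00:00 10.0.0.5 GET /sites/finance/Shared+Documents/Forms/AllItems.aspx - 96.9.125.147 Mozilla/5.0 - 200
2025-07-20 09:05:12 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.23 Mozilla/5.0 - 200
"""


def parse_iis_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields directive.
    IIS never writes literal spaces inside a field (it uses '+'), so splitting on
    whitespace is safe; lines with the wrong field count are skipped as malformed."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("log data appeared before a #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def find_toolshell_indicators(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that matches either CISA indicator."""
    findings = []
    for rec in parse_iis_log(text):
        reasons = []
        if (rec["cs-method"].upper() == "POST"
                and rec["cs-uri-stem"].lower() == TOOLPANE_PATH
                and TOOLPANE_QUERY_MARKER in rec["cs-uri-query"].lower()):
            reasons.append("POST to ToolPane.aspx?DisplayMode=Edit")
        if rec["c-ip"] in IOC_IPS:
            when = date.fromisoformat(rec["date"])
            inside = IOC_WINDOW[0] <= when <= IOC_WINDOW[1]
            reasons.append(
                f"source IP {rec['c-ip']} is a CISA-listed indicator "
                + ("(inside the July 18-19 window)" if inside else "(outside the July 18-19 window)")
            )
        if reasons:
            findings.append({"date": rec["date"], "time": rec["time"],
                             "c-ip": rec["c-ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_toolshell_indicators(SAMPLE_IIS_LOG):
        print(f"{f['date']} {f['time']} {f['c-ip']}: " + "; ".join(f["reasons"]))
```

On a real server, point this at the site's log directory under %SystemDrive%\inetpub\logs\LogFiles\W3SVC<site id>\ and check the #Fields line first, because the field set is configurable per site and the script keys on names, not positions. Treat hits as triage signals rather than verdicts: an authenticated admin editing a page also reaches ToolPane.aspx in edit mode, so the POST hit matters most when the c-ip is external or the request carries no expected user context, and an indicator-IP hit outside the window still deserves a look since the list is not exhaustive.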
Zero-day vulnerabilities in widely deployed platforms like SharePoint are a goldmine for attackers because they provide immediate, scalable access to high-value environments, notes Andrew Obadiaru, CISO of Cobalt. “The challenge isn’t just patching—it’s that attackers typically implant persistence mechanisms within hours, ensuring long-term footholds. Defense strategies need to assume breach and validate controls through proactive testing, including red teaming and continuous pentesting, to uncover weaknesses before adversaries do. In today’s threat landscape, reactive security alone is a losing game.”