
Microsoft Warns of Active Exploitation of On-Premises SharePoint Vulnerabilities
On July 19, 2025, the Microsoft Security Response Center (MSRC) issued a critical security advisory about ongoing attacks targeting on-premises SharePoint servers. These attacks exploit two newly disclosed vulnerabilities: CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution flaw. Importantly, these vulnerabilities do not impact SharePoint Online in Microsoft 365 — only on-premises installations are at risk.
Microsoft has released comprehensive security updates for all supported versions of SharePoint Server, including Subscription Edition, 2019, and 2016. These updates address CVE-2025-49706 and CVE-2025-49704 as well as two newly identified vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which are related to the previously disclosed issues. Microsoft urges all customers to install these patches immediately to mitigate risk.
The advisory notes that Microsoft has observed active exploitation of these vulnerabilities by Chinese nation-state actors. Specifically, threat groups Linen Typhoon and Violet Typhoon, as well as a third actor known as Storm-2603, have been targeting internet-exposed SharePoint servers. Microsoft warns that other groups may soon adopt the same techniques, given the widespread and rapid exploitation already underway.
To strengthen defenses, Microsoft strongly recommends that customers run supported versions of SharePoint with the latest security patches applied. Additional mitigation steps include enabling the Antimalware Scan Interface (AMSI) in Full Mode, using Microsoft Defender Antivirus or equivalent solutions, rotating ASP.NET machine keys, restarting Internet Information Services (IIS), and deploying Microsoft Defender for Endpoint.
The company emphasizes that the vulnerabilities are being used in active campaigns and that threat actors are employing sophisticated follow-on tactics, techniques, and procedures (TTPs) after gaining access. Investigations are ongoing, and Microsoft pledges to continue updating its blog with new information as it emerges.
Organizations using on-premises SharePoint are urged to act quickly to protect their environments. Applying the latest patches and following Microsoft’s mitigation guidance can help reduce exposure to these serious threats.