Microsoft issues emergency patches for SharePoint zero-day vulnerabilities
Bad news for SharePoint 2016 users as they aren’t included
Newly discovered vulnerabilities in on-premises versions of Microsoft SharePoint Server are being attacked globally. Microsoft has issued emergency updates, but SharePoint Server 2016 users are still vulnerable.
Microsoft has warned users of three on-premises versions of SharePoint Server about two zero-day vulnerabilities, and has issued emergency patches for two of those three versions.
The zero-day vulnerabilities are tracked as CVE-2025-53770 and CVE-2025-53771 and have already been used to compromise servers worldwide in what are being called "ToolShell" attacks.
In a July 19 security note, Microsoft stated that it is “… aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”
Vulnerabilities CVE-2025-49706 and CVE-2025-49704 were demonstrated in May, when cybersecurity researchers chained them to achieve remote code execution in Microsoft SharePoint.
These flaws were fixed in the most recent Patch Tuesday update, but Microsoft admitted over the weekend that threat actors were able to bypass the fixes with new exploits: CVE-2025-53770 (remote code execution through deserialization of untrusted data) and CVE-2025-53771 (a spoofing flaw that bypasses authentication). These have been actively exploited since at least July 18th. At least 85 servers have already been compromised.
CISA issued a warning yesterday.
Microsoft has emphasised that the vulnerabilities apply only to SharePoint servers used within organisations. SharePoint Online in Microsoft 365 is not affected.
Microsoft has now issued out-of-band security updates for Microsoft SharePoint Subscription Edition and SharePoint 2019 that fix both the CVE-2025-53770 and CVE-2025-53771 flaws.
- The KB5002754 update for Microsoft SharePoint Server 2019.
- The KB5002768 update for Microsoft SharePoint Subscription Edition.
No patch is yet available for SharePoint Enterprise Server 2016. What should SharePoint 2016 customers do in the meantime?
Martin Riley, CTO at Bridewell advises:
"Leaders must prioritise mitigations immediately, even if this impacts productivity. The cost of inaction is far greater than the inconvenience of temporary restrictions. The mass exploitation of SharePoint servers via CVE-2025-53770 presents an unprecedented risk due to its ability to completely bypass authentication and identity controls like MFA.
“Disabling or limiting external access to SharePoint is the most effective option. For those unable to do so, deploying advanced anti-malware, enabling Microsoft Defender AV with AMSI, and increasing monitoring for lateral movement are critical. This vulnerability is not just about data theft — it can enable attackers to harvest credentials, steal cryptographic keys, and impersonate users even after the patch is applied unless keys are rotated.”
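The key rotation Riley refers to is the step most likely to be skipped, because the patch itself does not touch the ASP.NET machine keys an attacker may already have stolen. The PowerShell below is an added example, not code from the article, from Bridewell, or from Microsoft. It assumes it is run as a farm administrator in the SharePoint Management Shell on one server of the farm, that the Update-SPMachineKey cmdlet is present on that build, and (for SharePoint 2019 or Subscription Edition) that KB5002754 or KB5002768 is already installed. The Get-MachineKeyFingerprint helper and its reliance on IisSettings[...].Path to locate each web application's web.config are this example's own assumptions. On an unpatched SharePoint 2016 farm the same script only invalidates keys already in an attacker's hands; it does not close the vulnerability.

```powershell
# Added example (not from the article, Bridewell or Microsoft): rotate the ASP.NET
# machine keys of every web application in a SharePoint farm after the fix is
# installed, and confirm the keys actually changed.
# Assumptions: farm administrator, SharePoint Management Shell, Update-SPMachineKey
# available; 2019/Subscription Edition already patched. On unpatched 2016 this is
# a stopgap only.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw "Update-SPMachineKey not found on this build; run the Machine Key Rotation timer job from Central Administration instead."
}

# Fingerprint the validationKey in a web application's web.config so a before/after
# comparison is possible without ever writing the key itself to the console or a log.
function Get-MachineKeyFingerprint {
    param([Microsoft.SharePoint.Administration.SPWebApplication] $WebApp)
    # Assumption: IisSettings[Default].Path is the physical root of the IIS site.
    $dir = $WebApp.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default].Path.FullName
    $config = Join-Path $dir 'web.config'
    if (-not (Test-Path $config)) { return $null }
    [xml]$xml = Get-Content -Path $config
    $node = $xml.configuration.'system.web'.machineKey
    if (-not $node -or -not $node.validationKey) { return $null }
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($node.validationKey))
    return ([System.BitConverter]::ToString($hash) -replace '-', '').Substring(0, 12)
}

$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    $before = Get-MachineKeyFingerprint -WebApp $wa
    Write-Host ("Rotating machine key for {0} ({1})" -f $wa.DisplayName, $wa.Url)
    # Without -Local the new keys are applied to the web application across the
    # farm rather than to this server only.
    Update-SPMachineKey -WebApplication $wa
    $after = Get-MachineKeyFingerprint -WebApp $wa
    if ($before -and $after -and $before -eq $after) {
        Write-Warning ("validationKey for {0} has not changed yet; re-check once the farm has finished deploying the new keys before trusting this server." -f $wa.DisplayName)
    } else {
        Write-Host ("  validationKey fingerprint {0} -> {1}" -f $before, $after)
    }
}

# Worker processes only pick up the new keys after IIS restarts; the restart also
# invalidates every ViewState MAC and forms-authentication cookie issued under the
# old keys, which is the whole point of rotating.
iisreset.exe
```

Treat the old keys as compromised on every server that was exposed before the patch, and rotate after patching rather than before, otherwise an attacker who still has code execution simply reads the new keys out of web.config.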
Others argue that longer term, this vulnerability illustrates the importance of a zero-trust security model.
Rik Ferguson, VP of security intelligence at Forescout commented:
"CVE-2025-53770 is more than just another SharePoint flaw. It is a case study in what happens when legacy trust models meet modern threat actors. An authenticated user should never be treated as a guaranteed safe entity, but this vulnerability effectively grants code execution without requiring elevated privileges. For CISOs, this highlights a critical point. If your security posture still relies on perimeter trust or the assumption that credentialed access equals safety, then it is time to reassess.”