Microsoft has issued a stark warning: “active attacks” are targeting on-premises SharePoint Server systems, with threat actors exploiting two dangerous zero-day vulnerabilities. While cloud-based Microsoft 365 users are in the clear, many governments, critical infrastructure providers, and enterprises still rely on these on-prem installations—making this a serious concern that’s got the FBI, CISA, and DoD Cyber Defense Command involved.
If you’re a tech leader or sysadmin at an organization using on-prem SharePoint, this isn’t just a patch-and-move-on situation. One cybersecurity expert put it bluntly: “Assume you’ve been compromised.”
Let’s break it down and explore what this means, how it happened, and what to do next.
What Happened: Zero-Day Flaws in SharePoint Server Under Attack
Microsoft confirmed over the weekend that two zero-day vulnerabilities, now identified as CVE-2025-53770 and CVE-2025-53771, are being actively exploited in the wild.
Here’s what we know:
- CVE-2025-53770 allows remote attackers to execute code over a network.
- CVE-2025-53771 enables spoofing attacks, bypassing authentication protocols.
- The exploit chain is known as “ToolShell”; it gives attackers unauthenticated access to SharePoint content, file systems and configuration, and allows remote code execution.
According to Palo Alto Networks’ Unit 42:
“Attackers are bypassing MFA and SSO, exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys.”
This isn’t theoretical. It’s happening right now.
Who’s at Risk: On-Prem SharePoint Customers—Public and Private Sector
If you’re using SharePoint Online via Microsoft 365, you can breathe easy. Microsoft says those cloud environments are not impacted.
But if you run on-premises SharePoint 2016, 2019, or Subscription Edition—often used by large organizations and government agencies—you’re directly in the crosshairs.
And here’s the kicker: these environments are deeply integrated with Microsoft ecosystems like Office, Teams, OneDrive, and Outlook. A breach in SharePoint could quickly cascade into a full-blown network-wide compromise.
What Microsoft and Agencies Are Doing
Microsoft acted quickly, working with:
Patches are already available:
- SharePoint Subscription Edition users should apply the CVE-2025-53771 security update immediately.
- SharePoint 2016 or 2019 users must upgrade to a supported edition first, then apply the fix.
But here’s the hard truth: experts warn patching alone won’t remove the threat if attackers are already inside your systems.
Why This Matters: A Bigger Shift in Cybersecurity Reality
This SharePoint attack highlights a broader and more uncomfortable truth: legacy infrastructure in hybrid environments is increasingly vulnerable. And as attackers get better at chaining exploits, even a single unpatched server can give them the keys to the kingdom.
Consider recent trends:
The message is loud and clear: cyber resilience isn’t just about patching—it’s about visibility, detection, and response.
What You Should Do Now
If you operate an on-prem SharePoint server:
- Apply the latest security update immediately.
- Audit your systems for unusual activity, especially authentication logs and network traffic.
- Assume compromise—look for signs of persistent access or credential theft.
- Consider migrating critical services to cloud environments with a stronger default security posture.
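As an added example (not code from the article, from Microsoft, or from Unit 42), the following Python script shows one way to carry out the “audit your authentication logs” step above against IIS W3C request logs from a SharePoint web front end. It parses the log, flags successful POST requests to .aspx pages that carried no authenticated user, and reports client addresses that sent bursts of such requests. The log lines, server and client addresses, account names, and the endpoint name /_layouts/15/example.aspx are constructed for illustration; the field layout follows the common IIS W3C default and should be matched to the #Fields: header of your own logs.

```python
"""Hunting pass over IIS W3C log lines from an on-prem SharePoint front end.

Added, constructed example; not code from the article or from Microsoft.
It implements the "audit authentication logs" advice: parse the IIS W3C
format, flag requests that reached an .aspx endpoint with no authenticated
user, and report sources that produced bursts of such requests. Every log
line, host, IP and endpoint name below is constructed for illustration.
"""
from collections import Counter

# Constructed sample log excerpt (IIS W3C format). Not real traffic.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-20 03:11:02 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0 200
2025-07-20 03:11:04 10.0.0.5 POST /_layouts/15/example.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-07-20 03:11:05 10.0.0.5 POST /_layouts/15/example.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-07-20 03:11:05 10.0.0.5 POST /_layouts/15/example.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-07-20 03:11:09 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\bob 10.0.1.21 Mozilla/5.0 200
2025-07-20 03:12:30 10.0.0.5 GET /_layouts/15/example.aspx - 443 - 198.51.100.7 curl/8.0 401
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no request
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # header-less or malformed line: skip rather than guess
        rows.append(dict(zip(fields, parts)))
    return rows


def anonymous_aspx_hits(rows):
    """Successful POSTs to .aspx pages that carried no authenticated user.

    IIS writes '-' in cs-username for anonymous requests. On a SharePoint
    site that is supposed to require sign-in, a 2xx response to an
    anonymous POST against an .aspx page deserves a closer look.
    """
    hits = []
    for r in rows:
        anonymous = r.get("cs-username", "-") == "-"
        is_aspx = r.get("cs-uri-stem", "").lower().endswith(".aspx")
        succeeded = r.get("sc-status", "").startswith("2")
        if anonymous and is_aspx and succeeded and r.get("cs-method") == "POST":
            hits.append(r)
    return hits


def burst_sources(hits, threshold=3):
    """Client IPs responsible for at least `threshold` flagged requests."""
    counts = Counter(r["c-ip"] for r in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def hunt(text, threshold=3):
    """Run the full pass and return a summary suitable for a first triage."""
    rows = parse_w3c(text)
    hits = anonymous_aspx_hits(rows)
    return {
        "requests": len(rows),
        "anonymous_post_hits": len(hits),
        "burst_sources": burst_sources(hits, threshold),
        "uris": sorted({r["cs-uri-stem"] for r in hits}),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The script is a triage aid, not a signature for either CVE: a site that legitimately allows anonymous access will produce matches, so the threshold and the endpoint filter need tuning to your environment, and any flagged source should be checked against the corresponding SharePoint ULS and Windows security events before drawing conclusions.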
And most importantly:
Final Takeaway: Trust But Verify—Your Network May Already Be Infected
This isn’t just a SharePoint issue—it’s a warning shot for any organization using on-prem infrastructure. Fast patching is crucial, but active monitoring, threat hunting, and layered security are your best bets against modern threats.
What’s your organization doing to protect legacy systems from zero-day exploits? Share your thoughts or strategies in the comments.