Microsoft has issued a warning about active cyberattacks targeting on-premises SharePoint servers widely used by government agencies and businesses. The cyberattacks exploit a zero-day vulnerability that has placed tens of thousands of servers at risk, prompting quick action to protect affected systems.
The FBI confirmed it is aware of the situation and is coordinating efforts with federal and private-sector partners to mitigate the impact of the ongoing exploitation.
On-Premises SharePoint Servers Under Attack
In a security advisory released on July 20, 2025, Microsoft confirmed that the ongoing cyberattacks are limited to on-premises SharePoint Servers. The company clarified that SharePoint Online, the cloud-based version integrated with Microsoft 365, remains unaffected.
The vulnerability, tracked as CVE-2025-53770 and CVE-2025-53771, enables an authorized attacker to perform spoofing attacks over a network. Spoofing involves impersonating a trusted source to gain unauthorized access, often leading to further system compromise or data theft.
Zero-Day Vulnerability Actively Exploited
This situation is described as a zero-day attack, meaning attackers are exploiting a previously unknown software flaw before a patch was made available. According to The Washington Post, the vulnerability has already been used to target various U.S. and global agencies and organizations.
Though Microsoft did not disclose the identity of the threat actors or the scale of affected organizations, the flaw is considered severe due to the wide use of SharePoint servers in government, healthcare, education, and corporate sectors.
Microsoft Releases Critical Security Updates
Microsoft has rolled out security updates for SharePoint Server Subscription Edition and SharePoint Server 2019. These updates provide full protection against the exploited vulnerabilities. However, updates for SharePoint Server 2016 are still pending. Customers are urged to check Microsoft’s official blog for the latest developments.
The company emphasized the importance of keeping systems updated and has published detailed guidance to help organizations apply the fixes effectively.
Key Steps to Protect SharePoint Environments
Microsoft outlined several mitigation steps to reduce exposure:
- Use Supported SharePoint Versions
Ensure the use of supported versions such as SharePoint Server 2016, 2019, or Subscription Edition. - Install July 2025 Security Updates
Immediate application of the latest security updates is critical to preventing exploitation.- SharePoint Server 2019: KB5002741
- SharePoint Enterprise Server 2016: KB5002744
- Enable AMSI (Antimalware Scan Interface)
Microsoft recommends configuring AMSI integration with Defender Antivirus to detect and block malicious activities in real-time.- AMSI was enabled by default in the September 2023 security update for SharePoint Server 2016/2019.
- For environments where AMSI cannot be enabled, Microsoft advises disconnecting the affected servers from the internet until a fix is available.
- Deploy Microsoft Defender for Endpoint
Organizations should implement Defender for Endpoint or equivalent endpoint protection solutions to detect and contain post-exploitation activities. - Rotate ASP.NET Machine Keys and Restart IIS
After applying updates or enabling AMSI, it is essential to rotate the ASP.NET machine keys and restart IIS on all SharePoint servers to complete the security hardening process.- Use PowerShell (Update-SPMachineKey cmdlet) or Central Administration to trigger the key rotation.
- Restart using iisreset.exe after rotation.
Microsoft also mentioned that detection logs and additional telemetry can be monitored through Microsoft Defender Vulnerability Management for signs of exploitation attempts.
CISA Join in Coordinated Response
The FBI, in coordination with other agencies, is actively investigating the attacks. While no detailed statement was issued, the Bureau confirmed ongoing collaboration with public and private sector stakeholders to address the threat.
In parallel, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities Catalog, based on confirmed active exploitation. CISA emphasized that such vulnerabilities pose a serious risk to the federal enterprise and urged organizations to implement Microsoft’s recommended mitigations without delay.
SharePoint Online Not Affected
Microsoft confirmed that the attacks do not affect SharePoint Online, which is hosted in the cloud as part of Microsoft 365. Organizations using the cloud-based version can continue normal operations, though they are encouraged to stay informed about future threats.
Security Update Summary
| Product | KB Article | Fixed Build Number |
| SharePoint Server 2019 | KB5002741 | 16.0.10417.20027 |
| SharePoint Enterprise Server 2016 | KB5002744 | 16.0.5508.1000 |
| SharePoint Subscription Edition | KB5002768 | Security Update Released |
| SharePoint Server 2016 (Full Fix) | Pending | In progress |
Next Steps and Recommendations
Microsoft continues to assess the situation and has committed to updating its guidance as more information becomes available. Organizations running on-premises SharePoint servers should act immediately:
- Apply all recommended updates
- Enable protection tools and AMSI
- Rotate machine keys
- Monitor systems for signs of compromise
With active exploitation in progress, prompt action is essential to safeguard sensitive data and maintain system integrity.
