A new cybersecurity threat is hitting Microsoft SharePoint servers, and U.S. authorities say it’s already being exploited.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) confirmed “active exploitation” of a serious SharePoint vulnerability that gives attackers full, unauthenticated access to on-premises servers.
This flaw, tracked as CVE-2025-53770, lets bad actors access sensitive files and system configurations—and even execute code remotely. “Malicious actors can fully access SharePoint content, including file systems and internal configurations,” the alert stated.
The FBI is involved and confirmed it’s working closely with federal and private partners to address the threat.
According to Microsoft, the issue affects only on-premises SharePoint Server deployments. Cloud-hosted SharePoint Online, part of Microsoft 365, is not impacted.
Microsoft said it is aware of the attacks and working with CISA, the Department of Defense’s Cyber Defense Command, and other cybersecurity groups to contain the risk. The flaw is described as a variant of a previously disclosed issue, CVE-2025-49706, but with broader impact.
CISA’s Chris Butera confirmed that Microsoft has responded swiftly. “We are working with the company to help notify potentially impacted entities about recommended mitigations,” he said.
Cybersecurity firm Eye Security added urgency to the alert. In a blog post, the firm said it detected “large-scale exploitation” and “dozens of systems actively compromised.” The attacks likely began on July 18.
Palo Alto Networks’ Unit 42 backed these findings, warning that “unauthenticated attackers” could access restricted areas of SharePoint environments.
Companies running SharePoint on local servers are urged to update their systems immediately and follow Microsoft’s mitigation guidance. Leaving the flaw unpatched creates a high risk of data breaches or more severe network compromise.