Security Alert: Active Exploits Target On-Premises SharePoint Servers
Immediate action required to protect against four CVEs, including newly disclosed vulnerabilities
Microsoft has confirmed active attacks targeting on-premises SharePoint servers, exploiting four vulnerabilities:
- CVE-2025-49706 (spoofing)
- CVE-2025-49704 (remote code execution)
- CVE-2025-53770 and CVE-2025-53771 (new disclosures)
Key facts:
- Only on-premises SharePoint installations are affected.
- SharePoint Online (Microsoft 365) is not impacted.
- Security updates are available for SharePoint Server Subscription Edition, 2019, and 2016.
- Microsoft urges customers to apply the July 2025 security update without delay.
Subscribe to our newsletter and keep up to date...
Recommended actions:
To reduce risk, organisations should ensure they are using supported versions of SharePoint Server and have applied the July 2025 security update. It’s also essential to confirm that Antimalware Scan Interface (AMSI) is enabled and correctly configured alongside a recognised antivirus solution such as Microsoft Defender. Additionally, rotating the ASP.NET machine keys for SharePoint Server and deploying endpoint protection, such as Microsoft Defender for Endpoint, will strengthen your overall security posture. Continued monitoring of Microsoft’s Security Response Centre and Threat Intelligence blogs is advised for evolving guidance and detection updates.
We’re actively supporting organisations in reviewing their SharePoint environments and applying the latest updates. If you’re unsure about your current position or need assistance, get in touch with our team.