Authorities and researchers are sounding the alarm over the active mass exploitation of a high-severity vulnerability in Microsoft SharePoint Server that’s allowing attackers to make off with sensitive company data, including authentication tokens used to access systems inside networks. Researchers said anyone running an on-premises instance of SharePoint should assume their networks are breached.
The vulnerability, tracked as CVE-2025-53770, carries a severity rating of 9.8 out of a possible 10. It gives unauthenticated remote access to SharePoint Servers exposed to the Internet. Starting Friday, researchers began warning of active exploitation of the vulnerability, which affects SharePoint Servers that infrastructure customers run in-house. Microsoft’s cloud-hosted SharePoint Online and Microsoft 365 are not affected.
Not your typical webshell
Microsoft confirmed the attacks on the then-zero-day exploit on Saturday. A day later, the company updated the post to make available an emergency update patching the vulnerability, and a related one tracked as CVE-2025-53771, in SharePoint Subscription Edition and SharePoint 2019. Customers using either version should apply the updates immediately. SharePoint 2016 remained unpatched at the time this Ars post went live. Microsoft said that organizations using this version should install the Antimalware Scan Interface.
