Microsoft SharePoint Zero-Day Vulnerabilities Exploited in Widespread Attacks
In July 2025, multiple zero-day vulnerabilities in on-premises Microsoft SharePoint Server came under active exploitation by threat actors, putting a broad spectrum of organizations at immediate risk. The flaws, disclosed only recently and weaponized within days, chain an authentication bypass with remote code execution, so an attacker needs no credentials to run code on an Internet-exposed server; that greatly amplifies the risk to enterprises relying on SharePoint for collaboration and document management.
Active Exploitation Targeting Critical Infrastructure
Over 75 confirmed incidents as of this month involve attacks on banks, universities, hospitals, corporate enterprises, and public agencies across North America and Europe. Attackers are chaining a pair of vulnerabilities, rated 9.8 (remote code execution) and 7.1 (spoofing, which in practice amounts to an authentication bypass) on the CVSS scale, to get past existing security controls. The vulnerabilities are tracked as CVE-2025-49704 (remote code execution) and CVE-2025-49706 (spoofing), which Microsoft and CISA both identify as especially urgent for remediation.
In several reported compromises, adversaries installed webshells (malicious server-side scripts that grant persistent remote access) and used them for follow-on activity: lateral movement, data exfiltration and, in several recent cases, ransomware deployment. The webshells observed in the wild also read out the server's ASP.NET machine keys, which lets an attacker forge validly signed ViewState payloads and regain code execution even after the underlying bug is patched. That design is what lets the payloads get past SharePoint's built-in request validation and slip by signature-based security products.
Security Community Response and Guidance
Microsoft released fixes for the two CVEs in its July Patch Tuesday updates, but the exploit chain seen in the wild bypassed those initial fixes and Microsoft followed with out-of-band security updates; both Microsoft and CISA urge all on-premises SharePoint customers to apply the latest updates immediately rather than relying on the Patch Tuesday build. Because the in-the-wild payloads steal the server's ASP.NET machine keys, Microsoft's guidance also calls for rotating those keys and restarting IIS after patching, and for enabling AMSI integration with an endpoint antimalware product so that request bodies are scanned before SharePoint processes them. CISA continues to update its detection guidance as threat actors refine their tactics, publishing indicators of compromise for organizations to monitor. Notably, that guidance covers new webshell variants, so defenders need to refresh detection signatures and step up endpoint monitoring rather than hunting only for the first-published file names.
The vulnerabilities affect on-premises SharePoint Server (Subscription Edition, 2019 and 2016); SharePoint Online in Microsoft 365 is not affected. Because an on-premises SharePoint farm is typically the hub for enterprise document repositories, workflows and sensitive communications, and its service accounts are domain identities, compromise of a single server presents significant systemic risk. Organizations are advised not only to patch affected systems promptly but also to audit existing deployments for unusual logins, unexplained file modifications (in particular new .aspx files under the SharePoint LAYOUTS directory), and unauthorized administrative actions.
Technical Implications of the Exploits
The remote code execution vulnerability allows an attacker to run arbitrary code in the context of the SharePoint web application pool (w3wp.exe), which runs under a SharePoint service account that typically holds broad rights over the farm's databases and, in many deployments, the domain; from there attackers can pivot deeper into internal networks. The spoofing vulnerability is what makes the chain unauthenticated: it lets a crafted request reach the vulnerable ToolPane.aspx page without valid credentials, so the code execution step needs no foothold or stolen account. Once code runs as the SharePoint process, attackers can also tamper with logs and audit trails to disguise their activity. Advanced persistent threat (APT) groups are reportedly employing the chain for both initial compromise and privilege escalation within target environments.
These developments underscore the evolving risks posed by zero-day exploitation in business-critical collaboration platforms. Security teams are encouraged to confirm that the latest updates are actually installed on every front-end server, extend retention of IIS, ULS and Windows event logs for forensic review, and conduct a compromise assessment after patching, since applying the update does not evict an attacker who already has a webshell or stolen machine keys.
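As an added worked example (not code from the original article, Microsoft or CISA), the following Python script hunts a SharePoint front end's IIS W3C log for the two most distinctive artifacts of the exploit chain described above: an unauthenticated POST to ToolPane.aspx in edit mode carrying a SignOut.aspx Referer, and any request for the spinstall0-style webshell file name published as an indicator of compromise. The log lines are constructed for the example; the indicator values come from public vendor and CISA guidance, and the column layout is the default IIS W3C extended format, so a real log with a different #Fields line is parsed by the same header logic.

```python
"""Hunt IIS W3C logs for the SharePoint ToolPane.aspx exploit pattern and
known webshell drops. Added example; the sample log below is constructed."""
import re
from dataclasses import dataclass

# Paths the in-the-wild chain touches: ToolPane.aspx reached without
# credentials (the spoofing bug) and the webshell name reported as an IOC.
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT_REFERER_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx$", re.I)
WEBSHELL_RE = re.compile(r"/_layouts/(?:1[56]/)?spinstall\d*\.aspx$", re.I)

# Constructed sample of an IIS W3C extended log from a SharePoint front end.
# Line 4 is the exploit request, line 5 the webshell fetch; lines 3 and 6 are
# benign authenticated traffic that must not be flagged.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 22:11:03 10.0.0.5 GET /sites/finance/default.aspx - 443 CORP\\alice 10.0.12.7 Mozilla/5.0 https://sp.corp.example/ 200
2025-07-18 22:14:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200
2025-07-18 22:14:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 python-requests/2.32 - 200
2025-07-18 22:20:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.12.9 Mozilla/5.0 https://sp.corp.example/_layouts/15/start.aspx 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str


def parse_w3c(log_text):
    """Yield (line_no, record) for each entry, mapping columns via #Fields."""
    fields = None
    for no, raw in enumerate(log_text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].split()
            continue
        if raw.startswith("#") or not raw.strip():
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("log entry before #Fields header")
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # skip a malformed line rather than mis-assign columns
        yield no, dict(zip(fields, parts))


def hunt(log_text):
    """Return Findings for exploit-pattern requests and webshell fetches."""
    findings = []
    for no, rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "")
        referer = rec.get("cs(Referer)", "")
        user = rec.get("cs-username", "-")   # "-" means no authenticated user
        ip = rec.get("c-ip", "?")
        status = rec.get("sc-status", "?")

        # Stage 1: edit-mode POST to ToolPane.aspx with no credentials and the
        # SignOut.aspx Referer the auth bypass relies on. Status 200 means the
        # server accepted it; a normal user gets redirected to login instead.
        if (rec.get("cs-method") == "POST" and TOOLPANE_RE.search(stem)
                and "displaymode=edit" in query.lower()
                and user == "-" and SIGNOUT_REFERER_RE.search(referer)):
            findings.append(Finding(no, ip,
                f"unauthenticated POST to ToolPane.aspx in edit mode with "
                f"SignOut.aspx Referer (status {status})"))

        # Stage 2: any request for the published webshell file name. A 200 means
        # the shell exists on disk; a 404 still shows the host was probed.
        if WEBSHELL_RE.search(stem):
            name = stem.rsplit("/", 1)[-1]
            findings.append(Finding(no, ip,
                f"request for known webshell name {name} (status {status})"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_IIS_LOG):
        print(f"line {f.line_no} from {f.client_ip}: {f.reason}")
```

Point hunt() at the concatenated u_ex*.log files from every front-end server in the farm, not just the load-balanced entry point, since the exploit request lands on whichever server the balancer picked. A ToolPane hit with status 200 from an external address is an accepted exploit attempt and the machine keys should be treated as stolen; a webshell-name hit with status 200 is confirmed compromise.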
Citrix NetScaler “Citrix Bleed 2” Flaw Under Active Exploitation Globally
A newly discovered and actively exploited vulnerability in Citrix NetScaler ADC and NetScaler Gateway, tracked as CVE-2025-5777 and informally dubbed "Citrix Bleed 2," is raising alarm following reports of breaches in which attackers took over user sessions without ever authenticating, even where multifactor authentication (MFA) is enabled. The flaw is reminiscent of the original 2023 "Citrix Bleed" bug (CVE-2023-4966) and threatens organizations relying on NetScaler for secure application delivery and remote access.
Technical Details and Impact Scope
The Citrix Bleed 2 flaw is an out-of-bounds memory read in appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. A malformed login request causes the appliance to return uninitialized memory in its response, and that memory can contain valid session tokens belonging to users who have already authenticated; replaying a stolen token lets a remote attacker hijack that session. Because the hijacked session has already passed MFA, the attacker never has to satisfy it, which is why MFA, a control generally considered an industry-standard defense, offers no protection here. From a hijacked session, adversaries can reach internal resources published through the appliance, harvest enterprise credentials, and exert control over application delivery.
Enterprises deploying NetScaler, particularly in edge-facing or hybrid cloud architectures, are strongly urged to review Citrix's advisory and upgrade to a fixed build. Upgrading alone does not invalidate session tokens an attacker has already captured, so Citrix's guidance is to terminate all active ICA and PCoIP sessions on each appliance after the upgrade (on the NetScaler CLI, "kill icaconnection -all" and "kill pcoipConnection -all") and to treat any session established before the fix as potentially hijacked. Attackers exploiting this vulnerability have moved laterally into internal networks, using the compromised appliance as a launch point for broader campaigns including data theft and sabotage.
Response by Security Agencies and Recommendations
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent recommendations for immediate action. Organizations are advised to review NetScaler configurations and logs for anomalous administrative access, sessions that continue from a different source IP than the one that authenticated, incomplete connection logs, or unexplained configuration changes, all common indicators of exploit activity. Additional hardening, such as network segmentation and restricting the management (NSIP) interface to internal networks only, is suggested to further mitigate risk pending full remediation.
Outlook for Affected Organizations
Exploitation reports indicate that both targeted and opportunistic attacks are underway. With NetScaler a widely deployed application delivery controller for critical business functions, even a short-lived compromise can have disproportionate consequences: data loss, reputational harm, or disruption of mission-critical services. Timely patching, session termination after the upgrade, and proactive threat hunting are required to reduce dwell time and impact.