Urgent Global Exploitation of Microsoft SharePoint Zero-Day Vulnerabilities Triggers Widespread Patching
A series of newly discovered critical vulnerabilities in on-premises Microsoft SharePoint servers are being aggressively exploited globally, with reports of hundreds of organizations compromised—including government, nuclear, telecommunications, and enterprise sectors. The campaign, traced back to early July 2025, represents a sophisticated and coordinated effort involving Chinese nation-state actors, ransomware affiliates, and the deployment of advanced attack techniques. Urgent patching is advised for all vulnerable SharePoint deployments, as sector-wide compromise and data theft continue to escalate.
Active Exploitation Timeline and Targeted Sectors
The vulnerability exploitation began as early as July 7, 2025, initially detected against a major Western government. Throughout mid and late July, the attacks broadened to include numerous targets in North America and Western Europe, spanning critical infrastructure, telecom, software firms, and government bodies. The rapid proliferation has placed thousands of organizations at immediate risk of data breach, ransomware infection, and potential operational disruption.
Technical Details: Vulnerabilities and Exploitation Mechanics
The vulnerabilities, tracked as CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771, exist in supported on-premises SharePoint Server editions (Subscription Edition, 2019, and 2016). The attack surface is restricted to on-premises deployments—SharePoint Online is not affected. Exploitation techniques include chaining authentication bypasses with remote code execution, permitting attackers to gain administrative control and implant payloads such as ransomware. Initial access vectors utilized malicious payload delivery from previously malicious infrastructure associated with high-profile vulnerabilities in other enterprise appliances.
Aggressor Identification and Tactics
Cyber threat intelligence has linked the attacks to Chinese nation-state groups Linen Typhoon and Violet Typhoon. In addition, the financially motivated group Storm-2603 has been deploying the Warlock ransomware variant via these vulnerabilities. Attackers demonstrated significant operational capability, with multifaceted intrusion techniques and rapid adaptation to defender countermeasures. IP infrastructure employed in the attacks shows overlap with earlier campaigns targeting Ivanti Endpoint Manager Mobile, confirming cross-campaign resourcing and a highly active threat ecosystem.
Threat Response and Remediation Guidance
U.S. and international cyber agencies have issued urgent alerts, advising expedited implementation of vendor-provided security updates. Incident response teams are advised to review system event logs for signs of compromise, including abnormal authentication events and unauthorized deployments. Organizations are recommended to:
- Apply the latest SharePoint security updates to all supported on-premises versions without delay.
- Audit external access to SharePoint infrastructure and implement network segmentation wherever feasible.
- Hunt for Indicators of Compromise (IoCs) associated with the identified vulnerabilities and attack TTPs.
- Monitor for ransomware-related activity, as several actor groups are leveraging the window between disclosure and patch adoption.
Strategic Impact
This exploitation campaign underscores ongoing risks inherent to unpatched enterprise collaboration platforms and the value such assets hold for both espionage and financially motivated attackers. The scale and technical proficiency of these attacks highlight the urgent need for rapid patching processes and improved monitoring around critical internal collaboration tools.