Microsoft SharePoint Zero-Day Vulnerabilities Exploited in Active Campaigns
A wave of severe attacks targeting Microsoft SharePoint servers has impacted organizations across North America and Europe since early July 2025. Exploitation chains two vulnerabilities, one enabling unauthenticated remote code execution (RCE) and another allowing network spoofing, which together let attackers gain broad, persistent access, exfiltrate data, and, in the latest cases, deploy ransomware and new webshell variants. Microsoft and multiple national cyber agencies have issued urgent patching advisories as incidents escalate and threat actor tactics evolve.
Technical Analysis of the Vulnerability Chain
The vulnerability chain consists of CVE-2025-49704 (RCE) and CVE-2025-49706 (network spoofing). Attackers leverage the spoofing flaw to bypass authentication mechanisms, effectively gaining access as if from inside a trusted network. They then deploy the RCE exploit, which allows them to run arbitrary code with full administrative privileges. This method circumvents existing SharePoint security controls and exposes sensitive organizational data, configurations, and file systems to compromise.
Detection and Techniques Observed in the Wild
Campaigns began as early as July 7, 2025, with incident volumes intensifying mid-month. Check Point and CISA report that government, telecom, healthcare, banking, university, and enterprise environments have all been affected. Attackers use a mix of known webshell formats (.aspx pages and .exe executables) alongside newer payloads, including .dll dynamic link libraries, to establish long-term presence after initial exploitation. Recent incidents include file encryption and the deployment of the affiliated Warlock ransomware.
Threat Actor Attribution and Tactics
Multiple IP addresses, including those already linked to previous supply chain attacks (such as exploits of Ivanti Endpoint Manager Mobile vulnerabilities), have been observed in these attacks. The campaigns involve both state-aligned and financially motivated actors, with some custom tailoring of exploits to specific SharePoint deployments. This widespread exploitation campaign is notable for its technical sophistication and rapid evolution in attacker tactics, techniques, and procedures.
Impact and Response
More than 75 organizations—including banks, hospitals, universities, and public agencies—have been confirmed compromised so far. The attackers can harvest SharePoint keys, access file storage linked through Microsoft 365 integrations (such as Word and Teams), and deploy malware or ransomware that disrupts critical business operations. CISA and Microsoft urge all organizations running on-premises SharePoint to patch immediately and review server logs for evidence of unauthorized access, exploitation, or new webshell activity. Enhanced monitoring for unusual outbound connections and ransomware indicators is also advised.
Emergence of Ransomware and New Webshells
The latest wave of attacks is marked by the combined use of traditional webshells for command-and-control and the deployment of new file types (notably .dll payloads). Evidence has emerged of files being encrypted and the Warlock ransomware being distributed to compromised SharePoint environments, signaling that threat actors are not only after data theft and persistent access but are also seeking direct financial gain via extortion. Ransomware actions are typically preceded by wide-reaching reconnaissance and data collection phases, and organizations are recommended to prioritize incident response plan reviews in light of evolving attack methodologies.
Patching and Security Recommendations
Microsoft’s July 2025 Patch Tuesday release includes security updates addressing both identified CVEs. Security agencies strongly recommend immediate application of these patches on all affected SharePoint server environments. Additional recommended actions include comprehensive monitoring of server logs, hunting for suspicious webshell and DLL activity, enforcing strong network segmentation, and updating access controls on SharePoint integrations with broader Microsoft 365 tools to minimize further exposure.
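The log review recommended above (in both the "Impact and Response" and "Patching and Security Recommendations" sections) can be started with a small IIS log hunt. The following script is an added example, not part of the original article or of any Microsoft or CISA tooling. It parses IIS W3C extended log lines, then flags requests to .aspx/.dll/.exe resources under SharePoint's _layouts path that are absent from a known-good baseline, and POST requests to such resources from addresses outside the internal ranges. The sample log, the baseline set, the internal network range and the file names (example.aspx, start.aspx, viewlsts.aspx) are all constructed placeholders; a real baseline should be generated from a clean SharePoint install, and the internal ranges set to your own.

```python
"""Hunt IIS W3C extended logs for webshell-style activity on a SharePoint server.

Added example; all sample data below is constructed and not taken from any incident.
"""
import ipaddress
from collections import Counter

# Constructed sample log. The "#Fields:" directive defines the column names,
# exactly as IIS writes it at the top of each W3C log file.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.1.20 Mozilla/5.0 200
2025-07-18 09:14:33 10.0.0.5 POST /_layouts/15/example.aspx - 203.0.113.42 python-requests/2.31 200
2025-07-18 09:14:34 10.0.0.5 POST /_layouts/15/example.aspx cmd=1 203.0.113.42 python-requests/2.31 200
2025-07-18 09:20:10 10.0.0.5 GET /sites/hr/Shared%20Documents/report.docx - 10.0.1.31 Mozilla/5.0 200
2025-07-18 09:25:00 10.0.0.5 POST /_vti_bin/client.svc - 10.0.1.31 Mozilla/5.0 200
"""

# Constructed baseline: pages you expect under _layouts. Build the real one by
# listing the LAYOUTS folder of a clean install with the same patch level.
KNOWN_GOOD_LAYOUT_PAGES = {"/_layouts/15/start.aspx", "/_layouts/15/viewlsts.aspx"}
# Constructed internal ranges; replace with your own address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Extensions the article reports being used for webshells and follow-on payloads.
SUSPICIOUS_EXT = (".aspx", ".dll", ".exe")


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # malformed line; skip rather than mis-align columns
            continue
        yield dict(zip(fields, parts))


def is_external(ip):
    """True when the client address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(text):
    """Return a list of findings; each carries the record and the reasons it was flagged."""
    findings = []
    for rec in parse_iis_log(text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(SUSPICIOUS_EXT):
            continue
        reasons = []
        if "/_layouts/" in stem and stem not in KNOWN_GOOD_LAYOUT_PAGES:
            reasons.append("page under _layouts not in known-good baseline")
        if rec["cs-method"] == "POST" and is_external(rec["c-ip"]):
            reasons.append("POST to script/binary from external address")
        if reasons:
            findings.append({"time": f'{rec["date"]} {rec["time"]}',
                             "client": rec["c-ip"], "stem": stem,
                             "status": rec["sc-status"], "reasons": reasons})
    return findings


def summarize(findings):
    """Count hits per (client, path) so a single noisy source stands out."""
    return Counter((f["client"], f["stem"]) for f in findings)


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for f in hits:
        print(f'{f["time"]} {f["client"]} {f["stem"]} {f["status"]}: {"; ".join(f["reasons"])}')
    for (client, stem), n in summarize(hits).items():
        print(f"{client} -> {stem}: {n} request(s)")
```

Run it against a real log directory by reading each file's text and passing it to hunt(). A file present under _layouts that is missing from the baseline is worth inspecting on disk regardless of who requested it, because the first access to a freshly dropped webshell often comes from the attacker's own address.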
