Microsoft SharePoint Zero-Day Vulnerabilities Under Active Exploitation
In July 2025, two critical zero-day vulnerabilities in Microsoft SharePoint—one enabling remote code execution and the other involving network spoofing—were confirmed as actively exploited around the globe, targeting organizations in government, telecommunications, finance, education, and healthcare sectors. Confirmed compromises number over 75 as of late July, spanning diverse verticals and geographies. Security agencies and Microsoft issued urgent calls to patch all vulnerable systems, citing the escalating sophistication and speed of exploitation.
Overview of the SharePoint Vulnerabilities
The two CVEs at the heart of the crisis, CVE-2025-49706 (network spoofing) and CVE-2025-49704 (remote code execution), together permit a threat actor to gain unauthenticated administrative access to affected SharePoint Server environments. Successful exploitation enables attackers to execute arbitrary code, deploy webshells for persistent access, and laterally move to compromise connected applications and data within the Microsoft 365 ecosystem.
Active Exploitation and Attack Campaigns
Exploitation attempts were first detected on July 7, 2025, intensifying mid-month. Threat intelligence reports identified at least three distinct IP addresses coordinating attacks, with one linked to prior exploits against Ivanti EPMM appliances. The attackers utilized custom-built webshells, some previously unseen in the wild, to ensure stealthy and persistent access. Incidents revealed deployment of ransomware payloads and targeted exfiltration of sensitive enterprise documents and credentials.
Tactics and Technical Impact
Analysts observed sophisticated exploitation workflows: initial compromise occurred via chained spoofing and RCE; attackers established webshells and staged privilege escalation; subsequently, “ToolShell” scripts interfaced with SharePoint’s backend to enumerate files, intercept authentication tokens, and propagate laterally within internal networks.
The vulnerabilities, with CVSS scores of 9.8 and 7.1, represent an extreme risk as they bypass native SharePoint access controls and authentication checks. Organizations reported post-exploitation activities including credential dumping, manipulation of SharePoint configuration files, and use of compromised infrastructure for additional phishing campaigns.
Response, Guidance, and Mitigation
Microsoft and CISA released out-of-band updates and detailed technical guidance. Remediation steps recommended immediate application of vendor patches and rapid review of SharePoint and web server logs for signs of compromise. Incident response teams are urged to institute enhanced webshell detection and employ network segmentation to curb lateral movement. Security advisories emphasized the importance of monitoring for known attack indicators, implementing least privilege on SharePoint objects, and rotating administrative credentials as a precautionary step.
Implications and Continuing Developments
The SharePoint incident underscores the high value of enterprise content management platforms as attack targets and the increasing velocity with which adversaries retool to exploit newly disclosed vulnerabilities. Security researchers anticipate further ransomware and phishing waves leveraging similar TTPs, with persistent risk for organizations lagging in patch deployment. Continuous monitoring and rapid threat intelligence integration remain paramount as additional campaign details and exploit kits surface.
SysAid ITSM Flaws: Heightened Exploitation Threat
SysAid, a widely deployed IT service management platform, was found vulnerable to two critical security flaws—CVE-2025-2775 and CVE-2025-2776—that permit administrative takeover and arbitrary file read capabilities. Although patches were issued in March 2025, active exploitation was detected in July, prompting urgent warnings from U.S. federal cybersecurity authorities and aggressive deadlines for patching among government organizations.
Technical Nature of the Vulnerabilities
The flaws stem from improper XML input handling that fails to enforce boundary checks and authentication. Attackers can craft payloads allowing administrative privilege escalation, enabling control over the SysAid server, modification of service desk data, and exfiltration of sensitive IT operations information. In combination, the bugs may facilitate remote code execution scenarios, further raising the risk quotient.
Timeline of Exploitation and Discovery
While the vulnerabilities were patched in March, security researchers and government agencies, including CISA, found evidence of real-world exploits occurring throughout July as attackers reverse-engineered the publicly available patches to craft penetration tools. Exploit attempts targeted mostly organizations that had not yet implemented or tested the March updates, with attackers leveraging the flaws to pivot into internal networks and steal authentication tokens.
Mitigation Efforts and Security Posture Enhancement
The U.S. government mandated patch deployment on all systems by mid-August 2025 for affected agencies, underscoring the urgency. Security recommendations include comprehensive patch management practices, vigilant monitoring for anomalous file access and privilege escalation, and enhanced access restrictions on ITSM systems. Incident response guidelines further recommend audit log review and immediate isolation of exposed SysAid installations.
Broader Security Implications
This attack wave highlights the criticality of rapid patch management for widely used IT service management platforms. The scenario demonstrates the adversarial trend of weaponizing newly disclosed flaws absent rapid enterprise response, emphasizing the necessity for organizations to constantly align patch cycles with vendor notifications and federal security directives.