SparTech Software CyberPulse – Your quick strike cyber update for July 28, 2025 2:03 AM

Severe Microsoft SharePoint Vulnerabilities Exploited in Ongoing Campaigns

July 2025 saw two zero-day vulnerabilities in on-premises Microsoft SharePoint Server exploited by multiple threat actors worldwide. Attackers chained a remote code execution flaw with a spoofing flaw that bypasses authentication, with outcomes ranging from ransomware deployment to full administrative takeover of the server. SharePoint Online in Microsoft 365 is not affected. Victims span finance, healthcare, education, and government.

Technical Vulnerability Details and Attack Vectors

The two vulnerabilities, CVE-2025-49704 (remote code execution) and CVE-2025-49706 (spoofing), together let an unauthenticated attacker take control of an on-premises SharePoint server. The chain, referred to as "ToolShell" in recent advisories, gives adversaries access to all content in the server's site collections and a foothold from which to escalate privileges and move deeper into the network. Microsoft rates the two flaws CVSS 8.8 (high) and 6.5 (medium) respectively; the chain as a whole is treated as critical because the spoofing flaw removes the authentication requirement from the code execution flaw.

In technical terms, CVE-2025-49704 lets an attacker execute arbitrary code on the SharePoint host with the privileges of the SharePoint worker process (w3wp.exe), which runs as the web application's service account. CVE-2025-49706 is an authentication bypass: a crafted request is treated as if it came from an authenticated user, so the code execution flaw can be reached without credentials and the attacker's requests blend into ordinary web traffic. Attackers use the bypass to reach the vulnerable endpoint, then drop web shells and other payloads on the server as .aspx, .exe, or .dll files. The .dll and .exe variants are unusual; web shells seen in earlier SharePoint campaigns were almost always plain .aspx pages. Once code runs, the attacker controls the host's file system and SharePoint configuration, including the ASP.NET machine keys that SharePoint uses to validate requests; with those keys an attacker can forge authenticated-looking requests even after the server has been patched.

Observed Exploits and Advanced Threat Tactics

Microsoft, CISA, and multiple private cybersecurity firms have issued alerts, and the vulnerabilities have been exploited in the wild since early July 2025. The scope is significant, with over 75 confirmed breaches across North America and Europe as of late July. Especially notable is the deployment of Warlock ransomware on compromised servers, marking a shift from reconnaissance and lateral movement to direct monetization through file encryption and extortion. The use of non-standard web shells, including .dll-based payloads, shows how quickly attacker tradecraft against this target has matured.

A suspected China-based threat actor that Microsoft tracks as "Storm-2603" is one of the primary groups leveraging these vulnerabilities. The group's objectives appear to be multifaceted, spanning both cyber-espionage and ransomware operations. The attackers maintained persistence using custom web shells, exfiltrated sensitive data, and in several cases pivoted to deploy additional malware, including backdoors and remote access Trojans built to evade detection and keep long-term access.

Mitigation and Patch Guidance

Microsoft has released out-of-band security updates and accompanying mitigation guidance. Every on-premises or hybrid SharePoint Server deployment should apply the latest updates immediately. Patching alone is not enough on a server that may already have been reached: Microsoft's guidance is also to rotate the ASP.NET machine keys (the Update-SPMachineKey cmdlet, or the equivalent machine key rotation timer job in Central Administration) and then restart IIS on every SharePoint server, because keys stolen before the patch let an attacker forge requests to a patched server, and to confirm that AMSI integration is enabled and an antimalware engine is active on the hosts. Organizations should also review the SharePoint web directories for recently written .aspx, .exe, and .dll files, and review IIS logs for successful requests from unauthenticated clients to administrative pages. Microsoft and government agencies have updated their detection logic to identify variants of the attack. In high-exposure cases a full incident response investigation is warranted, including credential resets for the SharePoint service accounts as well as user accounts, and validation of domain controller integrity.
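The two reviews called for above, a log check and a file-system sweep, as an added example in Python (this is not code from the page, from Microsoft, or from CISA). It assumes the default IIS W3C field set, which the parser reads from the #Fields header rather than hard-coding; the two specific indicators it carries, a request for ToolPane.aspx arriving with a SignOut.aspx Referer and the spinstall0.aspx web shell name, are taken from Microsoft's and CISA's published guidance on this campaign, not from this page. The log lines and the directory tree are constructed so the script runs offline; on a real server you would feed it the IIS log files and point the sweep at the SharePoint hive's TEMPLATE\LAYOUTS directory and each web application's IIS root.

```python
"""
Hunting for ToolShell-style activity on an on-premises SharePoint server.

Two checks the guidance above calls for:
  1. IIS W3C logs: successful requests from unauthenticated clients to the
     administrative /_layouts/ pages, plus the ToolPane/SignOut referer pattern
     and the web shell name published in the public advisories.
  2. The SharePoint web directories: .aspx/.dll/.exe files written after a cutoff.

Every log line and file below is constructed for this example.
"""
import os
import tempfile
import time
from pathlib import Path

# Indicators taken from Microsoft's and CISA's published guidance on this campaign.
KNOWN_WEBSHELLS = {"spinstall0.aspx"}
BYPASS_PAGE = "/toolpane.aspx"
BYPASS_REFERER = "/_layouts/signout.aspx"

# Constructed IIS W3C excerpt. IIS writes spaces inside a field as "+", so
# whitespace splitting is safe once the #Fields header has been read.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:01:02 10.0.0.5 GET /sites/finance/Forms/AllItems.aspx - 443 CORP\\jdoe 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/sites/finance 200 0 0 120
2025-07-18 10:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 300
2025-07-18 10:02:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2025-07-18 10:03:40 10.0.0.5 POST /_layouts/15/start.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 401 2 5 10
"""


def parse_w3c(log_text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or mismatched lines
                yield dict(zip(fields, parts))


def suspicious_requests(log_text: str) -> list:
    """Return the requests that match any hunting rule, each with its reasons."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec["cs-uri-stem"].lower()
        anonymous = rec["cs-username"] == "-"
        succeeded = rec["sc-status"] == "200"
        reasons = []
        # Generic rule: SharePoint's administrative pages live under /_layouts/; an
        # anonymous POST to one that returns 200 means an authentication check was skipped.
        if anonymous and succeeded and rec["cs-method"] == "POST" and stem.startswith("/_layouts/"):
            reasons.append("anonymous POST to /_layouts/ page succeeded")
        # Specific rule: the referer trick used to reach ToolPane.aspx without credentials.
        if stem.endswith(BYPASS_PAGE) and rec["cs(Referer)"].lower().endswith(BYPASS_REFERER):
            reasons.append("ToolPane.aspx reached with SignOut.aspx referer")
        if os.path.basename(stem) in KNOWN_WEBSHELLS:
            reasons.append("request for a known ToolShell web shell name")
        if reasons:
            hits.append({"when": f"{rec['date']} {rec['time']}", "client": rec["c-ip"],
                         "uri": rec["cs-uri-stem"], "reasons": reasons})
    return hits


WEB_EXTENSIONS = {".aspx", ".dll", ".exe"}


def recently_written_web_files(root: Path, since_epoch: float) -> list:
    """Executable web files under root whose modification time is at or after the cutoff."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS
                  and p.stat().st_mtime >= since_epoch)


def demo_directory_sweep() -> list:
    """Build a constructed LAYOUTS tree in a temp dir and sweep it for files from the last 24h."""
    root = Path(tempfile.mkdtemp(prefix="sp_layouts_demo_"))
    layouts = root / "TEMPLATE" / "LAYOUTS" / "15"
    layouts.mkdir(parents=True)
    shipped = layouts / "start.aspx"  # stands in for a page from the product install
    shipped.write_text("<%@ Page %>")
    week_ago = time.time() - 7 * 86400
    os.utime(shipped, (week_ago, week_ago))  # backdate it: old files must not be flagged
    (layouts / "spinstall0.aspx").write_text("<%-- constructed stand-in for a dropped shell --%>")
    (layouts / "notes.txt").write_text("not an executable web file, must not be flagged")
    cutoff = time.time() - 86400
    return [p.relative_to(root).as_posix() for p in recently_written_web_files(root, cutoff)]


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["when"], hit["client"], hit["uri"], "->", "; ".join(hit["reasons"]))
    print("recently written web files:", demo_directory_sweep())
```

The generic rule (anonymous POST to a /_layouts/ page that returns 200) is the one worth keeping after this campaign is over, since it does not depend on the attacker reusing a particular page or file name; the fourth sample line shows why the status code matters, as an anonymous POST that was correctly rejected with 401 is normal noise. The file sweep uses modification time only, which an attacker can reset, so treat a clean sweep as absence of evidence rather than proof of a clean server.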

Failure to remediate these flaws can result in loss of control over critical business data, further ransomware deployments, or extensive regulatory consequences—especially for organizations in regulated industries such as healthcare and finance.
