Microsoft Scrambles to Contain New SharePoint Zero-Day Attacks as Exploits Surge
Two newly discovered zero-days are hitting SharePoint hard, with active attacks unfolding globally. At least 85 servers have already been breached, and the patches aren’t all here yet.
Microsoft confirmed over the weekend that two high-severity zero-day flaws—CVE-2025-53770 and CVE-2025-53771—are under active exploitation. These vulnerabilities are specifically targeting on-premise SharePoint servers and seem to bypass fixes Microsoft had only just rolled out earlier this month. With over 85 servers already compromised, security teams are racing against time.
The company has issued a partial fix, but as of now, SharePoint 2016 and 2019 customers are still waiting on a complete update. Subscription Edition users, at least, can breathe slightly easier thanks to an emergency patch released Saturday.
July Fixes Already Bypassed
Back in May, security researchers from Viettel Cyber Security successfully demonstrated a SharePoint attack at Pwn2Own Berlin, exploiting CVE-2025-49704 and CVE-2025-49706. That demonstration, nicknamed “ToolShell,” gained attention for its ability to execute remote code with frightening precision.
Microsoft patched both those flaws during its regular July Patch Tuesday.
But the relief didn’t last long.
Just days after those updates rolled out, attackers began exploiting two new bugs that cleverly sidestep those very patches. Microsoft confirmed in a blog post late Friday that the new zero-days, CVE-2025-53770 and CVE-2025-53771, are effectively bypasses of the July patches for the vulnerabilities demonstrated in May.
Exploits Targeting On-Premise Servers Only
This wave of attacks appears laser-focused on on-premise deployments.
“These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted,” Microsoft clarified.
This matters. While many organizations have moved to the cloud, a significant number—particularly in government, defense, and finance—still run SharePoint on local infrastructure for security and compliance reasons.
That’s the segment now under siege.
Microsoft’s telemetry and external incident reports confirm that these zero-days have been used in the wild since at least July 18. And that’s just what’s confirmed. It’s likely attackers were probing for much longer.
Mitigations and What Works (And What Doesn’t)
As a stop-gap, Microsoft released update KB5002768 for SharePoint Subscription Edition, including “more robust protections” compared to July’s original fixes. But customers running SharePoint 2016 and 2019 are left in limbo—for now.
What should administrators do in the meantime?
Microsoft’s guidance includes a mix of technical and procedural defenses:
Install the latest SharePoint security updates immediately
Enable AMSI (Antimalware Scan Interface) integration in SharePoint
Deploy Microsoft Defender Antivirus on all SharePoint servers
These mitigations won’t patch the flaws, but Microsoft claims they can prevent unauthenticated remote code execution in most attack scenarios.
That’s a big deal for systems without a patch.
AMSI isn’t new, but Microsoft says its integration into SharePoint has improved drastically since the September 2023 updates and the 23H2 feature pack. It inspects scripts in memory, a common attack vector for obfuscated payloads.
Microsoft urges all SharePoint admins to rotate their ASP.NET machine keys. This can block threat actors from leveraging compromised tokens for continued access post-update.
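Why rotating the machine key cuts off tokens captured before the fix, as an added Python illustration that is not part of this article or of Microsoft's guidance: a stand-in for the ASP.NET machineKey MACs server-issued tokens with HMAC-SHA256, and once the key is rotated anything signed under the old key fails validation while freshly issued tokens still work. The class and function names, and the sample tokens, are constructed for this example; it does not model the real ASP.NET token formats or SharePoint's own rotation mechanism.

```python
import base64
import hashlib
import hmac
import json
import secrets


class MachineKeyStore:
    """Simplified stand-in for an ASP.NET machineKey: one secret used to MAC
    server-issued tokens. Rotating it replaces the secret outright."""

    def __init__(self) -> None:
        self.generation = 1
        self.key = secrets.token_bytes(64)

    def rotate(self) -> None:
        # The old key is discarded, so anything MACed with it can no longer validate.
        self.generation += 1
        self.key = secrets.token_bytes(64)


def _mac(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()


def issue_token(store: MachineKeyStore, claims: dict) -> str:
    """Serialise the claims and append an HMAC computed with the current key."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()
    ).decode("ascii")
    return f"{body}.{_mac(store.key, body)}"


def validate_token(store: MachineKeyStore, token: str):
    """Return the claims if the MAC verifies under the current key, else None."""
    body, sep, mac = token.partition(".")
    if not sep:
        return None
    if not hmac.compare_digest(mac, _mac(store.key, body)):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode("ascii")))


def rotation_outcome() -> dict:
    """Walk through the scenario: a token leaks, the key is rotated, and the
    leaked token stops working while fresh ones still validate."""
    store = MachineKeyStore()
    # Constructed sample: a token captured before the server was fixed.
    leaked = issue_token(store, {"user": "svc_sharepoint", "role": "farm_admin"})
    # Constructed sample: the same claims re-signed with a key the server never had.
    forged_body = leaked.split(".")[0]
    forged = f"{forged_body}.{_mac(secrets.token_bytes(64), forged_body)}"

    before = validate_token(store, leaked) is not None
    store.rotate()
    after = validate_token(store, leaked) is not None
    fresh = validate_token(
        store, issue_token(store, {"user": "alice", "role": "reader"})
    ) is not None
    forged_ok = validate_token(store, forged) is not None
    return {
        "leaked_before_rotation": before,
        "leaked_after_rotation": after,
        "fresh_after_rotation": fresh,
        "forged_accepted": forged_ok,
    }


if __name__ == "__main__":
    for name, result in rotation_outcome().items():
        print(f"{name}: {result}")
```

The point for defenders is in the second result: patching alone leaves any token minted under the old key valid, so rotation has to follow the patch, and every front-end server in a farm must move to the new key together or legitimate sessions will break on some nodes and not others.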
Two Zero-Days, One Root Cause?
Security experts are pointing to a pattern. The fact that these new zero-days directly relate to CVE-2025-49704 and CVE-2025-49706 suggests attackers have deep knowledge of Microsoft’s codebase—or reverse-engineered the July patches effectively.
“This isn’t a coincidence. It’s evolution,” said one researcher familiar with the ToolShell exploit.
Here’s what the timeline looks like so far:
| Date | Event |
|---|---|
| May 2025 | ToolShell attack demonstrated at Pwn2Own Berlin |
| July 9, 2025 | Microsoft patches CVE-2025-49704 & CVE-2025-49706 |
| July 18, 2025 | Active exploitation of the bypass vulnerabilities begins |
| July 20, 2025 | Microsoft confirms CVE-2025-53770 & CVE-2025-53771; issues patch for Subscription Edition |
Experts believe these bugs may stem from incomplete logic checks or improperly scoped patch conditions. Either way, the technical overlap raises serious concerns about Microsoft’s patch validation process.
What’s at Risk—and What’s Next?
This isn’t just a SharePoint issue—it’s a software supply chain risk.
On-premise SharePoint servers often serve as collaboration hubs tied directly into larger enterprise networks. If compromised, they can provide attackers with lateral access to internal systems, Active Directory, file storage, and more.
A single compromised server might be the first domino.
So far, the 85 compromised instances span Europe, North America, and parts of Asia. It’s a mix of governments, academic institutions, and enterprise firms. Microsoft hasn’t revealed the exact breakdown but says the situation is “evolving.”
And here’s the kicker—patches for SharePoint 2016 and 2019 are still “in development.” That leaves a window of exposure that could last days or even weeks.
That’s a nerve-wracking delay for IT departments already stretched thin.
A Familiar Frustration
This latest incident has reignited frustrations over Microsoft’s patching strategy. Critics argue the company too often leaves older but still-supported products behind in its scramble to protect the latest versions.
And let’s not forget: SharePoint 2016 and 2019 are still under mainstream support.
The absence of same-day patches for those editions, while SE gets a fix within 48 hours, has prompted fresh complaints from longtime customers. On forums and private Slack channels, IT admins are venting—many are just now recovering from earlier Exchange and Outlook vulnerabilities patched this year.
And as one sysadmin bluntly posted:
“It’s like patching a roof after the storm already hit.”