Microsoft on Sunday issued an emergency security update for a vulnerability in SharePoint Server that is actively being exploited to compromise vulnerable organizations. To be clear, this applies to those running SharePoint on-premises. In an advisory, Microsoft said this:
We are working on security updates for supported versions of SharePoint 2019 and SharePoint 2016. Please check this blog for updates.
To mitigate potential attacks customers should:
- Rotate SharePoint Server ASP.NET machine keys
- Use supported versions of on-premises SharePoint Server
- Apply the latest security updates, including the July 2025 Security Update
- Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution such as Defender Antivirus
- Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
The Washington Post is reporting that the U.S. government and partners in Canada and Australia are investigating this situation.
Andrew Obadiaru, CISO, Cobalt, an offensive security company, had this to say:
“Zero-day vulnerabilities in widely deployed platforms like SharePoint are a goldmine for attackers because they provide immediate, scalable access to high-value environments. The challenge isn’t just patching—it’s that attackers typically implant persistence mechanisms within hours, ensuring long-term footholds. Defense strategies need to assume breach and validate controls through proactive testing, including red teaming and continuous pentesting, to uncover weaknesses before adversaries do. In today’s threat landscape, reactive security alone is a losing game.”
If you’re a SharePoint on-premises user, drop what you are doing and patch your SharePoint instance to make sure that you don’t get pwned, or that you have not already been pwned, seeing as this vulnerability is being actively exploited. This is a today problem, to say the least.
UPDATE: Adrian Culley, Senior Sales Engineer, SafeBreach had this to say:
“This CVE represents a critical security incident: it was exploited as a zero-day vulnerability in active attacks against production systems before any patches were available—the most severe type of threat organizations face. The absence of a single remediation patch further complicates the situation. Microsoft has taken the unusual step of advising organizations to assume compromise and conduct thorough investigations to verify their security posture—language that underscores the severity of this vulnerability.
SharePoint Server 2016 environments face particular challenges, as no immediate technical remediation is available. Organizations must rely on breach and attack simulation exercises alongside their existing security controls to assess exposure. Proactive defense requires targeted hardening measures and resilience improvements to prevent falling victim to this sophisticated attack vector.”
This entry was posted on July 21, 2025 at 1:18 pm and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed.