Security alert: New attacks target on-premises SharePoint servers

Microsoft is aware of active attacks targeting on-premises SharePoint servers through four vulnerabilities: CVE-2025-49706 (spoofing), CVE-2025-49704 (remote code execution), and two newly disclosed vulnerabilities—CVE-2025-53770 and CVE-2025-53771.

These vulnerabilities apply to on-premises SharePoint servers only. SharePoint Online in Microsoft 365 is not impacted.

Microsoft has released security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these vulnerabilities.

Customers should apply these updates immediately to ensure they’re protected. 

To mitigate potential attacks, advise your customers to:

·         Use supported versions of on-premises SharePoint Server.

·         Apply the latest security updates, including the July 2025 security update.

·         Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution, such as Microsoft Defender Antivirus.

·         Deploy Microsoft Defender for Endpoint protection or equivalent threat solutions.

·         Rotate SharePoint Server ASP.NET machine keys.

Review the Microsoft Security Response Center (MSRC) blog post for updates and detailed guidance on the above actions, as well as detection, protection, and threat hunting.