Microsoft SharePoint under ‘active exploitation,’ Homeland Security’s CISA says

(NEW YORK) — The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has posted an alert saying it is aware of “active exploitation” of a new vulnerability to Microsoft SharePoint “enabling unauthorized access to on-premise SharePoint servers.”

The exploitation activity “provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network,” the post stated.

“The FBI is aware of the matter, and we are working closely with our federal government and private sector partners,” the bureau said in a statement.

According to a Microsoft customer guidance blog post issued Saturday, “Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”

“These vulnerabilities apply to on-premises SharePoint Servers only,” the post added and “SharePoint Online in Microsoft 365 is not impacted.”

A company spokesperson said the company has been “coordinating closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners around the world throughout our response.”

“While the scope and impact continue to be assessed,” CISA Acting Executive Assistant Director for Cybersecurity Chris Butera said in a statement, “the new common vulnerabilities and exposure (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premise SharePoint servers.”

CISA was “made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action,” the statement said. “Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations.”

Eye Security, a cybersecurity firm, says it “identified active large-scale exploitation” of the new vulnerability “being used in the wild” on SharePoint servers across the world and discovered “dozens of systems actively compromised,” according to a blog post on the firm’s website. The breaches “probably” began on the evening of July 18.

According to a post by Palo Alto Networks Unit 42, a threat research and security consulting firm, “These flaws allow unauthenticated attackers to access restricted functionality.”