Palo Alto Networks’ Unit 42 is tracking high-impact, ongoing threat activity targeting on-premises Microsoft SharePoint servers. While cloud environments remain unaffected, on-premises SharePoint deployments — particularly within government, schools, healthcare (including hospitals) and large enterprise companies — are at immediate risk.
CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771 are a set of vulnerabilities that impact Microsoft SharePoint. CVE-2025-49704 and CVE-2025-49706, or CVE-2025-53770 and CVE-2025-53771 may be chained together, which can allow unauthenticated threat actors to access functionality that is normally restricted, to run arbitrary commands on vulnerable instances of Microsoft SharePoint.
In addition to the CVE reports, Microsoft has released further guidance on these vulnerabilities. The vulnerabilities, their CVSS scores and their descriptions are detailed in Table 1.
CVE Number Description CVSS Score
CVE-2025-49704
Improper control of generation of code (code injection) in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. 8.8
CVE-2025-49706
Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. 6.5
CVE-2025-53770
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. 9.8
CVE-2025-53771
Improper limitation of a pathname to a restricted directory (path traversal) in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. 6.5
Table 1. List of recent vulnerabilities affecting Microsoft SharePoint.
These vulnerabilities all apply to Microsoft SharePoint Enterprise Server 2016 and 2019. CVE-2025-49706 and CVE-2025-53770 also apply to Microsoft SharePoint Server Subscription Edition. Microsoft has stated that SharePoint Online in Microsoft 365 is not impacted.
We are currently working closely with the Microsoft Security Response Center (MSRC) to ensure that our customers have the latest information and we are actively notifying affected customers and other organizations. This situation is evolving rapidly, so it’s advisable to check Microsoft’s recommendations frequently.
We have observed active exploitation of these SharePoint vulnerabilities. Attackers are bypassing identity controls, including multi-factor authentication (MFA) and single sign-on (SSO), to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors and stealing cryptographic keys.
The attackers have leveraged these vulnerabilities to get into systems and in some cases are already establishing their foothold. If you have SharePoint on-premises exposed to the internet, you should assume that you have been compromised. Patching alone is insufficient to fully evict the threat.
We are urging organizations who are running vulnerable on-premises SharePoint to take the following actions immediately:
• Apply all relevant patches now and as they become available
• Rotate all cryptographic material
• Engage professional incident response
