Unit 42 is tracking ongoing threat activity targeting on-premises Microsoft SharePoint servers, particularly within government, schools, healthcare, and large enterprises. Multiple vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) allow unauthenticated attackers to access restricted functionality and execute arbitrary commands. Active exploitation has been observed, with attackers bypassing identity controls, exfiltrating data, deploying backdoors, and stealing cryptographic keys. Affected organizations are urged to immediately disconnect vulnerable servers, apply patches, rotate cryptographic material, and engage professional incident response. The vulnerabilities impact SharePoint Enterprise Server 2016 and 2019, with some also affecting SharePoint Server Subscription Edition. Cloud-based SharePoint is not affected.

Author: AlienVault
Related Tags:
on-premises
microsoft sharepoint
cve-2025-49706
cve-2025-49704
cve-2025-53770
cve-2025-53771
T1021.006
exploitation
T1059.001
Associated Indicators:


