Microsoft has warned of active attacks exploiting a critical zero‑day vulnerability in on‑premises SharePoint Server discovered by security researchers at Eye Security on July 18, 2025. The flaw enables unauthenticated actors to access certain server versions and extract keys that allow them to impersonate users or services even after a server reboot or patch application.

How the vulnerability works
The exploit combines two bugs first demonstrated at the Pwn2Own contest in May. Attackers can send specially crafted requests to a vulnerable SharePoint instance that trigger deserialization of untrusted data. This grants remote code execution and access to cryptographic material used by the server. Once the keys are stolen, attackers can maintain persistence on the network despite remediation efforts.
Risk to connected services
Many organizations link their on‑prem SharePoint servers to other Microsoft products such as Outlook, Teams, and OneDrive. An attacker holding stolen keys or credentials can move laterally across these platforms, harvesting sensitive data and escalating privileges. Cloud-based SharePoint in Microsoft 365 is not affected by this zero‑day.
Available patches and timeline
Microsoft has released security updates that fully protect SharePoint 2019 and SharePoint Subscription Edition servers. A patch for SharePoint 2016 is in final testing and expected soon. Administrators should apply the latest updates immediately and confirm successful installation.
Urgent mitigation advice
The Cybersecurity and Infrastructure Security Agency recommends disconnecting affected servers from the internet until a fix has been applied. Organizations that cannot install updates should at least block the ports SharePoint uses and monitor their logs for unexpected activity.
Known victims and scope
Identified victims include US federal and state agencies, universities, energy providers, and an Asian telecommunications company. The researchers caution that tens of thousands of SharePoint deployments in other parts of the world remain vulnerable.

Next steps for defenders
Security teams should retrieve indicators of compromise from Eye Security’s analysis and hunt for the malicious ASPX payload and for unusual HTTP referer values. Logs around the ToolPane endpoint merit careful review. Applying the published mitigations and conducting thorough forensic examinations are essential to clear any lingering backdoors.
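The log review described above can be scripted. The following is an added example, not code from the original article or from Eye Security or Microsoft: it parses IIS W3C extended log lines from an on‑prem SharePoint server, lists requests to the ToolPane endpoint whose referer is missing, comes from an unexpected host, or is rare in the log window, and reports any .aspx file requested under /_layouts/ that is not in a known baseline (a candidate dropped payload). The log excerpt, the hostname portal.example.local, the baseline set and the "rare" threshold are all constructed assumptions; real hunting should use the indicators published by Eye Security and a baseline taken from the actual server.

```python
"""Added hunting example (constructed data): flag suspicious ToolPane requests and
unknown /_layouts/ .aspx files in IIS W3C logs from an on-prem SharePoint server."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed IIS W3C extended log excerpt; column order follows the #Fields header.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 09:12:05 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.1.20 Mozilla/5.0 https://portal.example.local/sites/hr/SitePages/Home.aspx 200
2025-07-18 09:14:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.1.21 Mozilla/5.0 https://portal.example.local/sites/hr/SitePages/Home.aspx 200
2025-07-18 09:20:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.1.22 Mozilla/5.0 https://portal.example.local/sites/hr/SitePages/Home.aspx 200
2025-07-18 10:03:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.9 python-requests/2.32 https://portal.example.local/_layouts/Unexpected.aspx 200
2025-07-18 10:03:12 10.0.0.5 GET /_layouts/15/suspect_dropped.aspx - 203.0.113.9 python-requests/2.32 - 200
2025-07-18 10:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.7 curl/8.0 - 500
"""

# Hypothetical baseline of .aspx pages expected under /_layouts/ on this server
# (lower-cased); build the real one from a clean install or the installed solution packages.
KNOWN_LAYOUTS_ASPX = {
    "/_layouts/15/toolpane.aspx",
    "/_layouts/15/start.aspx",
}
# Hypothetical: hosts that legitimately refer browsers to ToolPane.
EXPECTED_REFERER_HOSTS = {"portal.example.local"}


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()  # IIS writes '+' for spaces inside fields, so split is safe
            if len(parts) == len(fields):  # skip malformed lines rather than guess columns
                records.append(dict(zip(fields, parts)))
    return records


def toolpane_requests(records):
    """All requests whose URI stem is the ToolPane page, regardless of the /_layouts/NN/ prefix."""
    return [r for r in records if r["cs-uri-stem"].lower().endswith("/toolpane.aspx")]


def unusual_toolpane_referers(records, expected_hosts=EXPECTED_REFERER_HOSTS, rare_below=2):
    """Return (record, reason) pairs for ToolPane requests whose referer is missing ('-'),
    points to a host outside expected_hosts, or occurs fewer than rare_below times."""
    hits = toolpane_requests(records)
    freq = Counter(r["cs(Referer)"] for r in hits)
    flagged = []
    for r in hits:
        ref = r["cs(Referer)"]
        if ref == "-":
            flagged.append((r, "missing referer"))
        elif urlsplit(ref).hostname not in expected_hosts:
            flagged.append((r, "referer host not expected"))
        elif freq[ref] < rare_below:
            flagged.append((r, "rare referer value"))
    return flagged


def unknown_layouts_aspx(records, baseline=KNOWN_LAYOUTS_ASPX):
    """Requested .aspx stems under /_layouts/ that are not in the baseline: review these files on disk."""
    stems = {r["cs-uri-stem"].lower() for r in records}
    return sorted(
        s for s in stems
        if s.startswith("/_layouts/") and s.endswith(".aspx") and s not in baseline
    )


def report(text):
    """Human-readable summary of both checks, grouped so the analyst sees client IPs first."""
    records = parse_iis_log(text)
    lines = []
    for r, reason in unusual_toolpane_referers(records):
        lines.append(f"{r['date']} {r['time']} {r['c-ip']} {r['cs-method']} "
                     f"{r['cs-uri-stem']} status={r['sc-status']} referer={r['cs(Referer)']} <- {reason}")
    for stem in unknown_layouts_aspx(records):
        lines.append(f"unknown /_layouts/ page requested: {stem} (check the file on disk)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On a real server, feed the script the files under the IIS log directory for the web application hosting SharePoint, and treat every unknown /_layouts/ page as something to examine on disk and compare against the published indicators. The frequency check is deliberately simple: a referer seen once across a day of logs is not proof of anything, but paired with a non-browser user agent or a failing status code it is exactly the kind of record worth pulling first.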
The persistence this zero-day affords attackers highlights the importance of close monitoring and rapid patching in on-prem infrastructure. Companies must treat this vulnerability as their highest priority to avoid further data loss and service disruption.