SharePoint Zero-Day Attack – Is Your Business at Risk?

A vulnerability is actively being exploited in Microsoft SharePoint On-Premises, putting organisations still using SharePoint 2016, 2019, or the Subscription Edition at serious risk. On-prem users must act quickly to secure their systems. The article below explores some key tips for safeguarding your business and data, as outlined by Conall O'Kane, Modern Workplace Practice Manager at Storm, and Sean Tickle, Cyber Services Director at Littlefish.

Conall O'Kane, Practice Manager - Modern Workplace, Jul 29, 2025

A critical zero-day vulnerability in Microsoft SharePoint On-Premises is currently being actively exploited, meaning your on-prem server could be at risk. It is suspected that at least 400 organisations have already been targeted since last weekend. If your company still hosts SharePoint 2016, 2019, or the Subscription Edition on its own servers, immediate action is required.

Although Microsoft's communications have only named these versions as vulnerable, there is also a strong possibility that the unsupported SharePoint 2010 and 2013 versions are affected, as these legacy systems no longer receive up-to-date security fixes and patching. Therefore, if you currently have any version of SharePoint on-prem running, we strongly recommend that you take immediate action.

If your business runs the cloud-based version, SharePoint Online, you are not affected by this vulnerability.

The Vulnerability Explained 

Two newly identified common vulnerabilities and exposures (CVEs), tracked as CVE-2025-53770 and CVE-2025-53771, are currently being exploited, allowing attackers to execute malicious code remotely on on-premises SharePoint servers. The vulnerability lets attackers send specially crafted web requests that, if successful, run any code they choose, bypassing authentication altogether. This means a hacker can take complete control of your server without ever logging in. This type of threat is called a Remote Code Execution (RCE) attack, and it can be devastating if not dealt with quickly.

Once attackers gain access, they often try to remain undetected, gathering data, monitoring internal activity, or installing backdoors for future access. Businesses may not notice right away, so it is crucial to look for signs such as:

  • Unusual account or host behaviour, such as suspicious logins, unknown processes running, and attempted external callouts from internal-only systems

  • Services stopping for long periods of time

  • Slow server performance

  • Suspicious network activity
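One way to hunt for the "unknown processes running" sign on the server itself, as an added example that is not part of the original article: a request-driven RCE on SharePoint runs its commands as a child of the IIS worker process (w3wp.exe), which is rare on a healthy farm. It assumes process-creation auditing (Security event 4688) is enabled; the look-back window and the allow-list of expected child processes are assumptions to tune per environment.

```powershell
# Added example: list unexpected child processes of w3wp.exe from Security event 4688.
param(
    [int]$LookBackHours = 72,
    # Children of w3wp.exe that are normal on this farm (assumption: tune per environment)
    [string[]]$ExpectedChildren = @('conhost.exe', 'csc.exe', 'cvtres.exe')
)

$since = (Get-Date).AddHours(-$LookBackHours)

# Event 4688 = "A new process has been created". Filtering on the ID and start time
# in the hashtable lets the event log do the heavy lifting before we parse XML.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
    -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # ParentProcessName is populated on Windows Server 2012 R2 and later.
    if ($d['ParentProcessName'] -notmatch '\\w3wp\.exe$') { continue }

    $child = [System.IO.Path]::GetFileName($d['NewProcessName'])
    if ($ExpectedChildren -contains $child) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Parent      = $d['ParentProcessName']
        Child       = $d['NewProcessName']
        CommandLine = $d['CommandLine']   # empty unless "Include command line" auditing is on
        User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
    }
}

if ($findings) {
    Write-Warning "Unexpected child processes of w3wp.exe in the last $LookBackHours hours:"
    $findings | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No unexpected w3wp.exe child processes in the last $LookBackHours hours."
}
```

Run it in an elevated PowerShell session on each SharePoint web front end; any shell or scripting host (cmd.exe, powershell.exe) appearing as a child of w3wp.exe warrants immediate incident response.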

Mitigation Steps 

These attacks have been active since July 18, 2025. Businesses that delay mitigation are at high risk of compromise, so it is important to do what you can in the meantime to protect your business. Microsoft has recommended carrying out the mitigation measures below.

1. Upgrade to a Supported Version of SharePoint On-Prem 

Microsoft has released new security updates for all affected versions of SharePoint Server (SharePoint 2016, 2019, and SharePoint Subscription Edition) to help protect customers against these vulnerabilities. Apply these updates immediately.

2. Enable Antimalware Scan Interface (AMSI) 

The Antimalware Scan Interface integrates with your antivirus to scan scripts running on your server and flag potentially harmful activity, and it can be an effective defence against this kind of attack. Organisations should configure AMSI integration in SharePoint and deploy Microsoft Defender Antivirus on all SharePoint servers to stop unauthenticated attackers from exploiting these vulnerabilities.

If you cannot enable AMSI, Microsoft recommends disconnecting your server from the internet until you have applied the latest security update. If the server cannot be disconnected from the internet, businesses should consider placing it behind a VPN or proxy with an authentication gateway to limit unauthenticated traffic.

3. Strengthen Visibility and Detection 

Building out detection capabilities is crucial for effectively protecting your environment. Think of your detection mechanism as the castle keep of your cybersecurity system: operating at the centre of your digital environment, it provides visibility over your entire estate so you know what is going on, can clearly see any suspicious activity, and can respond accordingly. A SIEM (security information and event management system) like Microsoft Sentinel can help you monitor and analyse large amounts of security data across your entire estate to ensure any potential threats are detected and contained as quickly as possible.

4. Install Microsoft Defender for Endpoint 

Microsoft Defender for Endpoint gives visibility into suspicious server activity and raises real-time alerts. It also identifies and blocks threats in real time using machine learning and behavioural analysis. It is particularly helpful if you suspect a compromise may have already occurred, as it allows you to detect and block post-exploitation activity.

5. Restrict Server Access 

Limit access to your organisation's server and apply the Principle of Least Privilege. Use network segmentation: place your SharePoint server in a demilitarised zone (DMZ) or isolated network segment to prevent lateral movement if attackers get in.
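The interim network controls from steps 2 and 5 and the patch check from step 1, as an added example that is not from the original article or from Microsoft's guidance: it reports the farm build for comparison against the fixed build, then switches Windows Firewall to default-deny and allows only HTTPS from the authenticating gateway inbound and internal networks outbound. The gateway address, internal ranges and the patched build number are placeholders to fill in; it assumes it is run in an elevated session on a SharePoint server.

```powershell
# Added example: patch-level check plus default-deny firewall rules for a SharePoint host.
param(
    [string[]]$GatewayIPs   = @('10.10.0.5'),       # PLACEHOLDER: VPN/proxy with an authentication gateway
    [string[]]$InternalNets = @('10.10.0.0/16'),    # PLACEHOLDER: AD, SQL and other farm servers
    [version]$PatchedBuild  = [version]'0.0.0.0'    # PLACEHOLDER: fixed build from Microsoft's advisory
)

# --- 1. Is the farm still on a pre-patch build? ---
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
$build = (Get-SPFarm).BuildVersion
if ($build -lt $PatchedBuild) {
    Write-Warning "Farm build $build is below the patched build $PatchedBuild; apply the security update first."
} else {
    Write-Output "Farm build $build is at or above $PatchedBuild."
}

# --- 2. Default-deny in both directions, then allow only what the farm needs ---
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Inbound: only the authenticating gateway may reach the web front end on HTTPS,
# so unauthenticated requests from the internet never reach SharePoint directly.
New-NetFirewallRule -DisplayName 'SP-In-HTTPS-from-gateway' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 443 -RemoteAddress $GatewayIPs

# Outbound: farm traffic to internal networks only (AD, SQL, search, other WFEs).
# Callouts from this internal-only server to the internet are dropped by the profile default.
New-NetFirewallRule -DisplayName 'SP-Out-internal-only' -Direction Outbound -Action Allow `
    -RemoteAddress $InternalNets

# Show what is now in force for review.
Get-NetFirewallRule -DisplayName 'SP-*' | Select-Object DisplayName, Direction, Action, Enabled
```

Add explicit rules for remote management and your update source before applying this, since the default-deny profile will otherwise cut them off too.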

Building Resilience Against Future Threats 

Although taking these mitigation steps will help protect your environment against the current threat, it is important to build out a long-term cybersecurity strategy to protect against an ever-changing threat landscape. If your business is still managing the risk of on-premises solutions with end-of-life approaching, it may be time to consider migrating to SharePoint Online or another cloud-based collaboration platform. Microsoft's cloud infrastructure receives regular security updates and controls that provide an effective foundational security base, allowing you to build on that foundation to mitigate data breach risk. While moving to the cloud is not a complete guarantee against cyberattacks, it does remove much of the burden of patching and vulnerability management. For many businesses, the added security, oversight and reliability of cloud services is worth the transition.

Otherwise, if your business chooses to continue using SharePoint on-premises, it is critical to invest in:

  • Strong endpoint security 

  • Timely patching policies 

  • DNS filtering and logging 

  • Limited permissions and access (Principle of Least Privilege) 

  • Staff training on security awareness 

This SharePoint on-premises vulnerability is serious and is being actively exploited. Take proactive steps now to secure your systems, limit exposure, and ensure your business is prepared, both for this incident and for any others that may occur down the line.

Speaking on the situation, Sean Tickle, Cyber Services Director at Littlefish, stated: “This zero-day isn’t just another patch-and-forget moment—it’s a wake-up call for every organisation still resisting the benefits of a cloud environment, and a sense check for our more data-security-focused, on-premises clients.

At Littlefish and Storm, we’re seeing firsthand how attackers exploit even the smallest gaps in visibility and privilege management. Businesses must act decisively: apply the Principle of Least Privilege, strengthen detection capabilities, and rethink their reliance on unsupported or high-maintenance platforms. Cyber resilience isn’t built overnight, but ignoring this threat could mean handing over the keys to your kingdom.”

Need help assessing the risk or planning a migration? Get in touch today to speak with one of our SharePoint security specialists. 
