SSSCIP Issues Warning: On-Premises SharePoint Servers Under Attack!

01.08.2025 13:11

The State Service of Special Communications and Information Protection of Ukraine warns of the active exploitation of critical vulnerabilities in on-premises versions of Microsoft SharePoint Server. The exploitation was reported by the Microsoft security team in a blog post on July 22, 2025.

Organizations utilizing Microsoft SharePoint must take immediate action, as these attacks could result in complete network compromise and data exfiltration.

What Happened?

Threat actors are actively leveraging vulnerabilities within SharePoint Server. These flaws permit unauthorized system access and remote code execution. The objective of these attacks is to secure initial access to targeted networks. It is crucial to emphasize that these vulnerabilities exclusively affect on-premises versions of SharePoint Server and DO NOT impact SharePoint Online within Microsoft 365.

Why is This Important?

SharePoint servers often store large volumes of sensitive corporate information. Successful exploitation of these vulnerabilities grants malicious actors elevated system privileges, posing substantial risks, such as:

  • Confidential Data Exfiltration: This includes gaining access to internal documents, financial information, and the personal data of employees and clients, among others.
  • Launchpad for Subsequent Attacks: A compromised server can serve as a pivot point to target other systems within the organization's network.
  • Complete Operational Disruption: This could involve the destruction or encryption of data on networked computers, potentially leading to the irreversible loss of critical files and the cessation of business processes.

Recommendations: What to Do Immediately?

CERT-UA, an integral part of the State Service of Special Communications and Information Protection, strongly advises system administrators and cybersecurity professionals to undertake the following actions:

  1. Promptly Install Security Updates: This is the most important step in addressing the vulnerabilities. Microsoft has already issued the corresponding patches. Verify that your SharePoint servers are updated to the latest version.
  2. Verify Systems for Compromise: Do not rely on update installation alone. It is critical to ascertain whether your server was targeted prior to patch deployment. Microsoft has provided Indicators of Compromise (IoCs) to assist in identifying suspicious activity, such as the creation of atypical .aspx files within SharePoint directories or the execution of unusual processes.
  3. Enhance Overall SharePoint Server Security: Adhere to best practices for the administration and hardening of server infrastructure.
  4. Restrict Internet Access to SharePoint: Do not permit direct internet access to SharePoint unless absolutely necessary. Should such access be required, it is crucial to position the resource within a demilitarized zone (DMZ).

Source: https://cip.gov.ua/en/news/ssscip-issues-warning-on-premises-sharepoint-servers-under-attack 

