On July 19, 2025, Microsoft announced two new, actively exploited vulnerabilities (CVE-2025-49704 and CVE-2025-49706) affecting on-premises Microsoft SharePoint instances that are exposed to the internet.
CVE-2025-49704 is a remote code execution (RCE) vulnerability, which allows an attacker to run malicious code on a target system. CVE-2025-49706 is a spoofing vulnerability, which allows an attacker to disguise themselves as a known or trusted source in order to have the system perform unintended actions.
What Happened?
According to a blog post published by Microsoft, as of July 22, 2025, Microsoft has observed three China-based threat actors (Linen Typhoon and Violet Typhoon, both known to be nation-state actors, and Storm-2603) exploiting these vulnerabilities. Microsoft indicated in its blog that it believes “with high confidence that threat actors will continue to integrate [these exploits] into their attacks . . ..” Following Microsoft’s announcement, the Cybersecurity & Infrastructure Security Agency (CISA) added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog.
Next Steps
On July 22, 2025, and then again on July 24, 2025, Microsoft provided security updates for all supported versions of Microsoft SharePoint. Microsoft urged all customers using SharePoint Subscription Edition, SharePoint 2019, or SharePoint 2016 to apply the security updates immediately to mitigate the vulnerability. Microsoft provided mitigation instructions for organizations, including to:
- Use supported versions of on-premises SharePoint Server;
- Apply the latest security updates;
- Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions;
- Ensure the Antimalware Scan Interface is turned on and configured correctly, with an appropriate antivirus solution such as Defender Antivirus;
- Rotate SharePoint Server ASP.NET machine keys;
- Update intrusion prevention system and web-application firewall (WAF) rules; and
- Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) from the internet.
Organizations should ensure all recommended mitigation steps are taken and continue to closely monitor their on-premises SharePoint servers for any unauthorized activity.