The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert warning of ongoing exploitation of a newly discovered Microsoft SharePoint vulnerability that allows attackers to gain unauthorized access to on-premise servers.
According to the alert, the flaw enables unauthenticated actors to fully infiltrate SharePoint environments—granting access to file systems, internal configurations, and even the ability to execute code remotely across networks.
The FBI confirmed its involvement, stating: “The FBI is aware of the matter, and we are working closely with our federal and private sector partners.”
Microsoft acknowledged the threat in a customer guidance post on Saturday, noting that the vulnerability is being actively targeted. The company clarified that the issue only affects on-premise SharePoint servers and does not impact SharePoint Online users in Microsoft 365.
“Microsoft has been working in coordination with CISA, the Department of Defense’s Cyber Defense Command, and other key global cybersecurity partners to mitigate the issue,” a company spokesperson said.
CISA identified the vulnerability as CVE-2025-53770—a variant of a previously disclosed flaw (CVE-2025-49706). Acting Executive Assistant Director for Cybersecurity Chris Butera warned that the newly exploited variant “poses a serious risk to organizations still operating on-premise SharePoint servers.”
The agency said it was alerted to the breach by a trusted partner and immediately contacted Microsoft to coordinate a response. Efforts are now underway to notify potentially impacted organizations and share mitigation steps.
Cybersecurity firm Eye Security reported it had detected widespread exploitation of the vulnerability beginning on the evening of July 18. In a blog post, the firm said it had already discovered “dozens of systems actively compromised” around the world.
Meanwhile, threat researchers at Palo Alto Networks’ Unit 42 confirmed that the vulnerability allows unauthenticated users to access restricted SharePoint functionality, making it especially dangerous.
Organizations using on-premise SharePoint are urged to apply Microsoft’s latest security updates immediately and to follow mitigation guidance issued by CISA and other cybersecurity authorities.
