Alert: Microsoft SharePoint Servers Under Active Exploitation

On July 19 2021, Microsoft disclosed a critical vulnerability impacting Microsoft SharePoint Server 2016, 2019, and Subscription Edition. This is an actively exploited, unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-53770 (CVSS 9.8).
As part of our application security service, RedShield has proactively developed a targeted emergency in-flight security patch for this vulnerability for all impacted versions of SharePoint. If your organization is running vulnerable SharePoint instances, RedShield’s team can help protect your systems from compromise. If you think you might be vulnerable, please get in touch with us via support@redshield.co and we can assist.
Summary
CVE-2025-49704 is a code injection vulnerability affecting Microsoft SharePoint Server 2016 and 2019, disclosed and patched in the July 2025 Patch Tuesday. The vulnerability allows an authenticated attacker with Site Owner privileges to inject and execute arbitrary code remotely via crafted payloads submitted to SharePoint web services or API endpoints.
CVE-2025-53770 is an unauthenticated remote code execution entry point with a CVSS score of 9.8 (critical). This vulnerability is an evolution of CVE-2025-49706. In exploits observed so far in the wild, the authentication bypass can be triggered when an attacker sends a specially crafted POST request to the /_layouts/15/ToolPane.aspx endpoint that carries a spoofed HTTP Referer header pointing to /_layouts/SignOut.aspx. This specific Referer appears to push the SharePoint application into an insecure state in which it processes and deserializes user-supplied data without performing the necessary authentication checks, leading directly to unauthenticated remote code execution.
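As an added detection example (not RedShield's code or in-flight patch), the following Python scans IIS W3C extended logs for the request pattern described above: a POST to /_layouts/15/ToolPane.aspx whose Referer path is /_layouts/SignOut.aspx. The log lines, field layout, client addresses and the host name sp.example.internal are constructed samples.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed IIS W3C log sample (not a real capture); "-" means empty field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 GET /_layouts/15/start.aspx - 10.0.0.5 Mozilla/5.0 - 200
2025-07-19 03:13:01 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 Mozilla/5.0 https://sp.example.internal/_layouts/SignOut.aspx 200
2025-07-19 03:13:02 POST /_layouts/15/toolpane.aspx DisplayMode=Edit 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:14:10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.9 Mozilla/5.0 https://sp.example.internal/sites/hr/Home.aspx 200
2025-07-19 03:15:00 GET /_layouts/15/ToolPane.aspx - 10.0.0.9 Mozilla/5.0 https://sp.example.internal/_layouts/SignOut.aspx 200
"""
TOOLPANE = "/_layouts/15/toolpane.aspx"
SIGNOUT = "/_layouts/signout.aspx"

@dataclass
class Hit:
    time: str
    client_ip: str
    referer: str

def parse_w3c(log_text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_toolpane_bypass(log_text):
    """Flag POSTs to ToolPane.aspx whose Referer path is SignOut.aspx.
    Matching is case-insensitive; the Referer may be absolute or path-only."""
    hits = []
    for rec in parse_w3c(log_text):
        if rec.get("cs-method", "").upper() != "POST":
            continue  # GETs to ToolPane.aspx are normal page-editor traffic
        if rec.get("cs-uri-stem", "").lower() != TOOLPANE:
            continue
        ref = rec.get("cs(Referer)", "-")
        if ref != "-" and urlparse(ref).path.lower().endswith(SIGNOUT):
            hits.append(Hit(rec["time"], rec["c-ip"], ref))
    return hits

if __name__ == "__main__":
    for h in find_toolpane_bypass(SAMPLE_LOG):
        print(f"{h.time} {h.client_ip} referer={h.referer}")
```

Only the two POSTs from 203.0.113.7 are flagged; the POST with an ordinary page Referer and the GET with a SignOut Referer are not, so the rule keys on the combination rather than on either value alone.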
Which System Versions are Vulnerable
Based on the active exploits observed in the wild, the zero-day vulnerability (CVE-2025-53770) impacts on-premises (self-hosted) versions of Microsoft SharePoint Server.
The specific supported versions confirmed to be vulnerable are:
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016
- Microsoft SharePoint Server Subscription Edition
On July 20, Microsoft released security updates to address this vulnerability for SharePoint Subscription Edition and SharePoint Server 2019 (tracked under CVE-2025-53771). On July 21, Microsoft released a security update to address this vulnerability for SharePoint Server 2016.
It is important to note that while the primary focus is on these supported versions, Microsoft's vulnerability management tools have flagged older, unsupported versions such as SharePoint Server 2010 and 2013 as being impacted by the vulnerabilities in this exploit chain.
SharePoint Online in Microsoft 365 is not affected by this vulnerability.
Additional Notes on Securing On-Premises SharePoint Server Instances
Because many SharePoint interfaces are file‑upload endpoints, most requests carry multipart binary payloads rather than simple form data. Conventional WAF engines struggle in this context: their body‑inspection limits mean that legitimate uploads exceeding those (often very limited) thresholds are either blocked outright or pass through uninspected. In addition, binary payloads render negative‑signature and character‑matching techniques largely ineffective.
In practice, only a narrow subset of WAF functions remains useful: enforcing allowed HTTP methods, applying DoS and rate‑limiting protections, validating headers, and, where practical, enabling carefully tuned rules on specific non‑upload endpoints or MIME types. Applying a blanket, default WAF configuration across an entire SharePoint farm therefore offers little security benefit and can create significant compatibility issues.
Effective mitigation requires specialist tuning, continuous monitoring, and an incident‑response plan that can quickly address any break‑fix situations introduced by WAF policy changes. RedShield’s application security service provides this capability, delivering 24/7 threat protection and vulnerability management, including this new in-flight security patch to address the specific on-premises SharePoint Server vulnerability.