ACTIVE EXPLOITATION OF SHAREPOINT ZERO-DAY SINCE JULY 7 ENABLES KEY THEFT AND PERSISTENT ACCESS

A critical vulnerability in Microsoft SharePoint has been actively exploited in the wild since at least July 7, 2025, according to research by Check Point. The initial wave of attacks targeted a major, unnamed Western government and escalated rapidly around July 18–19, spreading across the government, telecommunications, and software sectors in North America and Western Europe.

Check Point traced the activity to three IP addresses: 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147. Notably, one of these IPs has previously been linked to attacks exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2025-4427 and CVE-2025-4428).
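A defender's first check against the indicators above is to look for those three source addresses in the IIS logs of every on-premises SharePoint front end. The following is an added example, not Check Point's or Microsoft's code: it parses IIS W3C log lines (honouring the `#Fields:` header), refangs the bracket-defanged IPs as printed in the article, and returns the matching requests. The sample log lines and request paths are constructed placeholders.

```python
"""Scan IIS W3C logs for the three source IPs reported by Check Point.
Added example for this article; the log sample below is constructed."""
import ipaddress

# Indicators exactly as printed in the article, in defanged form.
DEFANGED_IOCS = ["104.238.159[.]149", "107.191.58[.]76", "96.9.125[.]147"]


def refang(ioc: str) -> str:
    """Turn '1.2.3[.]4' into a validated dotted-quad string."""
    return str(ipaddress.ip_address(ioc.replace("[.]", ".")))


IOC_SET = {refang(i) for i in DEFANGED_IOCS}


def parse_w3c(lines):
    """Yield one dict per data row of an IIS W3C log, keyed by the
    column names from the most recent '#Fields:' header line."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_ioc_hits(lines):
    """Return (date, time, client_ip, method, uri) for every request
    whose client IP is one of the listed indicators. Note: behind a
    load balancer c-ip is the proxy, so log X-Forwarded-For instead."""
    hits = []
    for row in parse_w3c(lines):
        if row.get("c-ip") in IOC_SET:
            hits.append((row["date"], row["time"], row["c-ip"],
                         row["cs-method"], row["cs-uri-stem"]))
    return hits


# Constructed sample: two hits from listed IPs, one benign internal request.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-07-07 03:12:44 104.238.159.149 POST /_layouts/15/start.aspx 200
2025-07-07 03:13:01 10.0.0.25 GET /sites/hr/default.aspx 200
2025-07-18 21:40:09 96.9.125.147 POST /_layouts/15/start.aspx 200
"""
```

Running `find_ioc_hits(SAMPLE_LOG.splitlines())` on the sample returns the two rows from the listed addresses; point it at real `u_ex*.log` files to check a production farm.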

“This is an urgent and ongoing threat,” said Lotem Finkelstein, Director of Threat Intelligence at Check Point Research. “A critical zero-day in SharePoint on-prem is being exploited globally, putting thousands of organizations at serious risk. Our team has verified dozens of attempted intrusions targeting key sectors since July 7. We strongly advise all organizations to update their systems immediately—this campaign is highly sophisticated and rapidly evolving.”

The attacks are leveraging CVE-2025-53770, a remote code execution vulnerability in SharePoint Server that was recently patched. In many cases, attackers are combining this with CVE-2025-49706, a spoofing flaw patched by Microsoft during its July 2025 Patch Tuesday rollout, to gain initial access and escalate privileges.

Microsoft confirmed that active exploitation is underway against vulnerabilities that were only partially mitigated in the July security update. The company stated that the patches for CVE-2025-53770 and CVE-2025-53771 provide more comprehensive protection than those released for CVE-2025-49704 and CVE-2025-49706. However, CVE-2025-53771 has not yet been observed in active use by attackers.

According to data from Censys, over 9,700 on-premises SharePoint servers are currently online. While it remains unclear how many are vulnerable, the nature of the data hosted on these systems makes them prime targets for cybercriminals. Experts strongly recommend that organizations apply the latest patches without delay, rotate credentials, and restart affected servers to mitigate potential compromise.