High-profile local and global sites alike have fallen victim to a newly uncovered vulnerability in Microsoft SharePoint.

In South Africa, National Treasury is among the customers affected, while international users like the US nuclear weapons agency have also been targeted.

The Microsoft Security Response Center (MSRC) last week published a blog post addressing active attacks against on-premises SharePoint servers that exploit CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability.

These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365.

Microsoft has released new security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. It is urging customers to apply these updates immediately to ensure they are protected.

The security updates address the newly disclosed vulnerability CVE-2025-53770, which is related to the previously disclosed vulnerability CVE-2025-49704. The updates also address CVE-2025-53771, a security bypass for the previously disclosed CVE-2025-49706.

In a blog post, Microsoft says it has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities to target Internet-facing SharePoint servers.

“In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware,” it writes.

Investigations into other actors also using these exploits are still ongoing, and Microsoft believes threat actors will continue to integrate these vulnerabilities into attacks against unpatched on-premises SharePoint systems.

Microsoft recommends customers use supported versions of on-premises SharePoint servers with the latest security updates. To stop unauthenticated attacks from exploiting this vulnerability, customers should also integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode. Customers should also rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions.