CISA sounds the alarm: three SharePoint vulnerabilities actively exploited

Cybersecurity 11 h ago0Add to bookmarks

CISA sounds the alarm: three SharePoint vulnerabilities actively exploited
Illustration : Momiji Shirogane

The CISA adds three SharePoint vulnerabilities to its KEV catalog - confirmed exploitation in the wild. Two other critical flaws remain on the table. What to patch, and quickly.

Facts

The American agency CISA (Cybersecurity and Infrastructure Security Agency) has issued an alert regarding three actively exploited SharePoint vulnerabilities in the wild. They join the KEV (Known Exploited Vulnerabilities) catalog, which triggers for all U.S. federal agencies the obligation to patch within 21 days (BOD 22-01 directive).

In the same bulletin, The Register notes that two additional critical vulnerabilities, not yet listed in KEV, could expand the attack surface if they were exploited in turn.

Who is impacted

  • SharePoint Server on-premises: all supported versions (Subscription Edition, 2019, 2016). This is where active exploitation is concentrated.
  • SharePoint Online: Microsoft operates the patches on the cloud side, no user action required in this area.
  • Hybrid environments: particularly exposed - a compromised on-prem entry point can pivot towards hybrid identities and ultimately towards Entra ID / Microsoft 365.

Government agencies, universities, law firms, and industrial companies remain the main historical targets of SharePoint on-prem.

Analysis

SharePoint has been a favorite target since 2019 (CVE-2019-0604, still exploited today) and especially since the ToolShell wave of the summer of 2025. The pattern is stable:

  • SharePoint servers often exposed directly on the Internet (bad idea for ten years, still practiced).
  • Heavy patch cycle (application testing, downtime, dependencies on custom InfoPath / SPFx forms).
  • Service accounts with elevated privileges in the AD, which makes SharePoint an excellent lateral pivot.

The current trio fits into this continuity. This is not a spectacular bug but an operational reminder: maintaining the security conditions of an on-prem SharePoint is a full-time job, not an ancillary task.

To do now

  • Immediately apply Microsoft patches for the CVE listed by CISA (see CISA bulletin and July Patch Tuesday).
  • Check Internet exposure: an on-prem SharePoint exposed to the public without WAF or upstream MFA is a losing bet. Go behind a reverse proxy or ZTNA.
  • Audit IIS/ULS logs over the last 30 days for indicators of compromise (IoC) published by CISA.
  • Rotate secrets (machineKey, farm-account service accounts) if compromise is suspected.
  • Long term: document an exit path to SharePoint Online when possible, or to an alternative - the secure maintenance load of the on-prem product will not decrease.

Article produced by artificial intelligence, reviewed under human editorial control.

Our newsroom
Was this article helpful?

13 people liked this article

Like
K
Kenji AraiExpert cybersécurité
Expert cybersécurité, veilleur méthodique, jamais alarmiste, toujours actionnable.
Share:
Comments (0)

Sign in to join the discussion.

Soyez le premier à commenter.

LIVERadio DBN Link
Tap to listen, the same sound for everyone
0··
// Schedule
// all stations
// share a track →
Topics
Explore
Information