Joint Statement on SharePoint vulnerabilities - Assessment and advice on recovery and mitigating actions


The European Commission, the EU Agency for Cybersecurity (ENISA), the Cybersecurity Service for the Union institutions, bodies, offices and agencies (CERT-EU), and the network of the EU CSIRTs, are closely following the active exploitation of vulnerabilities in on-premises SharePoint Servers.

SharePoint is a popular Microsoft platform that allows organisations to store, organise, share, and access information securely from any device. It is used across the globe for centralising document management and collaboration. It is therefore crucial that all organisations, especially entities that fall under the Network and Information Security (NIS) Directive, assess their potential exposure as soon as possible and respond appropriately.

On July 8, Microsoft disclosed and published updates for CVE-2025-49704 and CVE-2025-49706, two vulnerabilities that, when chained together, are known as ToolShell. On July 18, active exploitation of a variation of the ToolShell vulnerabilities was detected. Further investigation revealed that threat actors had leveraged two new zero-day vulnerabilities, later identified as CVE-2025-53770 and CVE-2025-53771, which bypassed Microsoft's existing updates for the previous vulnerabilities. These newly discovered vulnerabilities affect on-premises Microsoft SharePoint Servers. They were patched by Microsoft in an emergency security update for SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016. We strongly recommend that all organisations using SharePoint on-premises check the guidance provided by the CSIRTs Network members and CERT-EU for the latest assessment and advice.

We advise isolating affected instances immediately at the network level, following your national cybersecurity authority’s or CERT-EU’s instructions to assess for compromise, and updating systems once exploitation has been ruled out, as patching a compromised system may destroy forensic evidence.

The latest advisories published by the CSIRTs Network members can be found in their relevant official communication channels. Organisations may also refer to guidance given by CERT-EU.

As part of their situational awareness effort, ENISA maintains an advisory collection under: https://github.com/enisaeu/CNW/blob/main/advisories/2025/CNW-2025-06_MicrosoftSharePoint.md

European Commission, ENISA and CERT-EU will continue monitoring this threat and engage with relevant stakeholders to contribute to the overall situational awareness at the Union level, as appropriate.

EU Policy

The EU Cyber Resilience Act (CRA) core cybersecurity requirements will apply as of 11 December 2027. This will require manufacturers of hardware and software products to implement security-by-design and ensure security support throughout the lifecycle of such products. This includes the remediation of vulnerabilities without delay. It aims to prevent incidents arising from the active exploitation of vulnerabilities and to ensure swift and effective remediation. The Commission is carrying out a wide range of actions to support the CRA implementation, including guidelines, assisting the standardisation process and supporting projects through targeted funding.

Resources for mitigation actions

Microsoft customer guidance: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

For technical background information about the vulnerability and recommendations: https://cert.europa.eu/publications/security-advisories/2025-027/

For guidance on response, please refer to the relevant national authority: CSIRTs by Country - Interactive Map

Latest advisories published by CSIRTs network members: https://github.com/enisaeu/CNW/blob/main/advisories/2025/CNW-2025-06_MicrosoftSharePoint.md