A critical vulnerability chain in Microsoft SharePoint Server (CVE-2025-49706, an authentication bypass, combined with CVE-2025-49704, remote code execution; CVSS 9.8) is now being actively exploited worldwide. Attackers are using it to bypass authentication, drop web shells, and launch ransomware and data-theft campaigns.
This is one of the most severe Microsoft flaws of the year: proof-of-concept exploit code is public, and threat actors are scanning for vulnerable servers at scale.
OpenText Cybersecurity is actively monitoring this campaign and helping partners and clients respond with multi-layered protection.
What’s Happening
CVE-2025-49706 is an authentication bypass (spoofing) vulnerability in SharePoint Server. Chained with CVE-2025-49704, a code-injection flaw in the same product, it lets unauthenticated attackers:
- Access sensitive SharePoint resources
- Upload web shells or malicious scripts
- Execute arbitrary code remotely
Microsoft patched both flaws in the July 2025 Patch Tuesday release; within days, attackers began scanning for and exploiting servers that had not been updated. Microsoft has since assigned CVE-2025-53770 and CVE-2025-53771 to variants that bypass those July fixes and has shipped out-of-band updates for them, so the original July Patch Tuesday packages alone do not close the hole. The vulnerability is now on CISA's Known Exploited Vulnerabilities (KEV) list, and federal agencies have been ordered to patch immediately.
Who’s at Risk
This vulnerability impacts:
- On-premises SharePoint Server 2016, 2019 and Subscription Edition; older, out-of-support versions receive no fix and should be treated as exposed (SharePoint Online in Microsoft 365 is not affected)
- Organizations that have not applied the July 2025 security updates
- Environments where SharePoint is internet-facing
Threat actors are targeting:
- SMBs with limited patch cycles
- Healthcare and education sectors
- Government and critical infrastructure
What Attackers Are Doing
Recent campaigns linked to ransomware affiliates and nation-state actors include:
- Deploying China Chopper and other web shells for persistent access
- Creating new administrator accounts to maintain control
- Moving laterally to other parts of the network
- Dropping ransomware payloads post-compromise (LockBit affiliates are suspected in some cases)
Indicators of Compromise (IoCs) Tracked by OpenText Solutions
| Type | Indicator |
|---|---|
| Malicious file | spinstall0.aspx (SHA256: 92bb4ddb…) |
| Malicious IPs | 107.191.58.76, 104.238.159.149, 96.9.125.147 |
These indicators are already being tracked and blocked within OpenText's ecosystem and are also listed in CISA's latest alert. spinstall0.aspx is written into the SharePoint LAYOUTS directory under the Web Server Extensions folder; rather than a classic command shell, it reads and returns the server's ASP.NET machine keys, which let the attacker forge valid __VIEWSTATE payloads and keep executing code on the server until those keys are rotated.
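As an added example (not OpenText's code or tooling, and not from CISA or Microsoft), the following Python script runs the advisory's indicators over an exported IIS W3C log from a SharePoint front end: it flags requests from the listed IPs, requests for spinstall0.aspx, and the request shape the public exploit chain uses, a POST to /_layouts/15/ToolPane.aspx whose Referer is /_layouts/SignOut.aspx. That request shape is taken from Microsoft's and CISA's public guidance, not from this page, and is labelled as an assumption in the code. The sample log lines are constructed, and because the hash on the page is truncated the script does not attempt hash matching.

```python
"""Triage an exported IIS W3C log from a SharePoint server for the indicators
in this advisory. Added example; not OpenText, Microsoft or CISA code."""
import re
from dataclasses import dataclass
from typing import Iterable

# Indicators taken from the advisory's IoC table. The SHA256 on the page is
# truncated, so no hash matching is attempted here.
IOC_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
IOC_FILES = {"spinstall0.aspx"}

# Assumption (from Microsoft's and CISA's public guidance, not from this page):
# the exploit chain triggers the auth bypass with a POST to ToolPane.aspx whose
# Referer is the SignOut page. Legitimate editing never arrives that way.
TOOLPANE_RE = re.compile(r"/_layouts/(?:1[56]/)?toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.I)

# Constructed sample log for the example; not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 21:03:10 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.0.22 Mozilla/5.0 - 200
2025-07-18 21:05:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 21:05:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200
2025-07-18 21:09:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.30 Mozilla/5.0 https://sp.corp.local/sites/hr/_layouts/15/SiteSettings.aspx 200
"""


@dataclass(frozen=True)
class Finding:
    line_no: int      # 1-based line number in the log file
    client_ip: str
    severity: str     # "high" or "medium"
    reason: str
    request: str      # "METHOD /path" for the analyst


def parse_w3c(lines: Iterable[str]) -> list[dict[str, str]]:
    """Map each IIS W3C record to a dict keyed by the names in the #Fields header."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the header can change mid-file; honour the latest one
            continue
        if line.startswith("#"):
            continue                     # other directives (#Software, #Date, ...)
        parts = line.split()             # IIS encodes spaces inside fields as '+'
        if not fields or len(parts) != len(fields):
            continue                     # no header yet or a truncated record: skip rather than mis-map columns
        row = dict(zip(fields, parts))
        row["_line_no"] = str(no)
        rows.append(row)
    return rows


def triage(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per matched indicator; a single record may yield several."""
    findings: list[Finding] = []
    for row in parse_w3c(lines):
        no = int(row["_line_no"])
        ip = row.get("c-ip", "-")
        method = row.get("cs-method", "-").upper()
        stem = row.get("cs-uri-stem", "-")
        user = row.get("cs-username", "-")
        referer = row.get("cs(Referer)", "-")
        request = f"{method} {stem}"

        if method == "POST" and TOOLPANE_RE.search(stem):
            if SIGNOUT_RE.search(referer):
                findings.append(Finding(no, ip, "high",
                    "POST to ToolPane.aspx with SignOut.aspx Referer (exploit request shape)", request))
            elif user == "-":
                # Editing a tool pane normally happens in an authenticated session;
                # an anonymous POST here deserves a look even without the tell-tale Referer.
                findings.append(Finding(no, ip, "medium",
                    "unauthenticated POST to ToolPane.aspx", request))

        if stem.rsplit("/", 1)[-1].lower() in IOC_FILES:
            findings.append(Finding(no, ip, "high",
                "request for known web shell filename", request))

        if ip in IOC_IPS:
            findings.append(Finding(no, ip, "medium",
                "client IP is on the advisory's IoC list", request))
    return findings


def flagged_lines(findings: Iterable[Finding]) -> dict[int, str]:
    """Collapse findings to the worst severity seen per log line, for a quick summary."""
    rank = {"medium": 1, "high": 2}
    worst: dict[int, str] = {}
    for f in findings:
        if rank[f.severity] > rank.get(worst.get(f.line_no, ""), 0):
            worst[f.line_no] = f.severity
    return worst


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            results = triage(fh)
    else:
        results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"line {f.line_no:>4}  {f.severity:<6}  {f.client_ip:<16}  {f.request}  :: {f.reason}")
```

Run it with the path to a u_ex*.log file to triage a real export, or with no arguments to see it flag lines 4 and 5 of the constructed sample while leaving the two legitimate requests alone. A hit on the IoC IPs alone is rated medium because those addresses will rotate; the request shape and the dropped filename are the durable signals.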
How OpenText Protects MSP/MSSP Clients
Endpoint Protection
- Known malicious hashes tied to the exploit (e.g., spinstall0.aspx) are blocked at the endpoint.
- Even slightly modified payloads are caught through behavioral analysis and real-time updates.
DNS Protection (powered by BrightCloud)
- Known malicious IPs and domains tied to the campaign are automatically blocked, stopping C2 communication and data exfiltration attempts.
- Partners can enforce DNS-level protection across all clients from a single management console.
Managed Detection and Response (MDR)
- Our SOC is hunting for exploitation attempts against vulnerable SharePoint endpoints and for the suspicious follow-on activity described above.
- Confirmed incidents are escalated with actionable remediation guidance.
Proactive Partner Updates
- Vulnerability alerts and mitigation steps are shared directly through partner channels so MSPs can respond swiftly.
- Guidance includes patch prioritization, hardening recommendations, and indicators of compromise (IoCs).
What MSPs/MSSPs Should Do Right Now
- Patch all vulnerable SharePoint servers immediately with Microsoft's latest updates, including the out-of-band releases that followed July Patch Tuesday. After patching, rotate the servers' ASP.NET machine keys (Update-SPMachineKey, or through Central Administration) and restart IIS: an attacker who has already run spinstall0.aspx holds the old keys and can keep forging requests against a patched server until they are replaced.
- Verify Webroot EPP and DNS Protection are fully deployed and up to date across client endpoints.
- Review management consoles for any recent detections tied to this campaign.
- For MDR customers: no action is needed; our SOC is monitoring and will contact you directly if exploitation is detected in your environment.
Why This Matters
With a 9.8 CVSS rating and exploits in active use, the CVE-2025-49706 / CVE-2025-49704 chain is one of the most severe Microsoft flaws this year. Organizations that delay patching risk becoming victims.