Critical SharePoint On-Premises Zero-Day Vulnerability (CVE-2025-30556) Under Active Attack — Urgent Steps to Protect Your Systems Now

A critical zero-day vulnerability in Microsoft SharePoint Server on-premises deployments was recently disclosed and is currently being actively exploited in the wild. This flaw, now tracked as CVE-2025-30556, allows unauthenticated attackers to execute arbitrary code remotely, potentially leading to full server compromise and lateral movement across an organization’s network.

What Is the Risk?

According to reports from The Hacker News and KrebsOnSecurity, the vulnerability stems from insufficient input validation in SharePoint's web services and can be triggered by specially crafted SOAP requests. Microsoft has confirmed that the flaw impacts SharePoint Server 2016, 2019, and Subscription Edition, particularly in configurations that expose SharePoint to the internet or allow remote service calls internally.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities Catalog and has urged all federal agencies and private sector entities to take immediate action. (CISA Alert)

What Microsoft Has Released

Microsoft has issued out-of-band security updates and mitigation guidance for impacted SharePoint versions. These updates are designed to patch the vulnerable components and include additional telemetry improvements to detect signs of exploitation.

You can find Microsoft’s official guidance here: MSRC Advisory on CVE-2025-30556

What Customers Should Do Immediately

If you're running SharePoint Server on-premises, take the following steps right away:

1. ‍Apply the Patch: Download and install the security updates for your SharePoint version. Microsoft’s advisory includes specific KB articles for SharePoint 2016, 2019, and Subscription Edition. ‍
2. Review Internet Exposure: Evaluate whether your SharePoint services are accessible from the internet. If possible, restrict public access and require VPN or conditional access for remote use. ‍
3. Audit Sign-in and Service Activity: Monitor authentication logs and the SharePoint Unified Logging System (ULS) for signs of suspicious or anomalous activity. Look for unrecognized SOAP requests or new user creations. ‍
4. Enable Endpoint Detection and Response (EDR): Ensure EDR tools are installed on SharePoint servers and configured to alert behavioral anomalies. Microsoft Defender for Endpoint, for instance, can detect post-exploitation activity. ‍
5. Restrict Service Accounts: Verify that SharePoint service accounts have the least privilege necessary and do not have unnecessary local admin rights or domain-level privileges. ‍
6. Test in a Non-Production Environment: As with any update, validate the patch in a test environment before applying it to production systems, especially in environments with custom workflows or third-party integrations.

Identity and Access Governance Tie-In

This is another reminder that perimeter-based security is no longer sufficient. Organizations must implement strong Identity Governance, Role-Based Access Control (RBAC), Privileged Identity Management (PIM), and Privileged Access Management (PAM) for all administrative accounts, including those used by SharePoint.

Even in on-premises environments, consider extending modern identity protection tools (like Microsoft Entra) via hybrid join, Conditional Access, and Defender for Identity and strengthening access governance with PAM tools like CyberArk.

Final Thoughts

Organizations running SharePoint on-premises should treat this vulnerability as critical and act without delay. If your team needs assistance validating patch deployment or reviewing your SharePoint architecture and access policies, MajorKey Technologies can help.

Ask yourself, do you manage your privilege access today? Who certifies them and ensures that there is zero standing privilege?

Contact MajorKey for a rapid review of your SharePoint security posture and guidance on hardening your hybrid infrastructure.

‍