A critical zero-day vulnerability in Microsoft SharePoint Server on-premises deployments was recently disclosed and is being actively exploited in the wild. This flaw, now tracked as CVE-2025-30556, allows unauthenticated attackers to execute arbitrary code remotely, potentially leading to full server compromise and lateral movement across an organization’s network.
According to reports from The Hacker News and KrebsOnSecurity, the vulnerability stems from insufficient input validation in SharePoint's web services and can be triggered by specially crafted SOAP requests. Microsoft has confirmed that the flaw impacts SharePoint Server 2016, 2019, and Subscription Edition, particularly in configurations that expose SharePoint to the internet or allow remote service calls internally.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities Catalog and has urged all federal agencies and private sector entities to take immediate action. (CISA Alert)
Microsoft has issued out-of-band security updates and mitigation guidance for impacted SharePoint versions. These updates are designed to patch the vulnerable components and include additional telemetry improvements to detect signs of exploitation.
You can find Microsoft’s official guidance here: MSRC Advisory on CVE-2025-30556
If you're running SharePoint Server on-premises, take the following steps right away:
This is another reminder that perimeter-based security is no longer sufficient. Organizations must implement strong Identity Governance, Role-Based Access Control (RBAC), Privileged Identity Management (PIM), and Privileged Access Management (PAM) for all administrative accounts, including those used by SharePoint.
Even in on-premises environments, consider extending modern identity protection tools (like Microsoft Entra) via hybrid join, Conditional Access, and Defender for Identity, and strengthening access governance with PAM tools like CyberArk.
Organizations running SharePoint on-premises should treat this vulnerability as critical and act without delay. If your team needs assistance validating patch deployment or reviewing your SharePoint architecture and access policies, MajorKey Technologies can help.
Ask yourself: do you manage your privileged access today? Who certifies that access and ensures that there is zero standing privilege?
Contact MajorKey for a rapid review of your SharePoint security posture and guidance on hardening your hybrid infrastructure.
Principal Architect
Based out of the New York Metro/Northeast Region, Frank has 25+ years in the IT industry. Frank provides strategic architecture and consulting to organizations looking to improve security and achieve Zero Trust in their environments. His extensive experience in identity and access management, governance, compliance, and risk management allows him to understand a client’s business needs and how to properly implement the right technology to solve specific identity challenges.