kcheung
Staff
August 7, 2025

FortiGuard Outbreak Alert: Microsoft SharePoint Zero-day Attack

Description

FortiGuard Labs have observed widespread exploitation attempts on a newly discovered zero-day vulnerability chain in on-premises Microsoft SharePoint servers.


Exploitation of the following CVEs has been observed in on-premises Microsoft SharePoint servers:


CVE-2025-49704 is a code injection vulnerability which allows an authorized attacker to execute code over a network.


CVE-2025-49706 is an improper authentication vulnerability which allows an authorized attacker to perform spoofing over a network.


CVE-2025-53770 is a deserialization vulnerability which allows an unauthorized attacker to execute code over a network.


CVE-2025-53771 is a path-traversal vulnerability which allows an authorized attacker to perform spoofing over a network.

CVE ID

CVE-2025-49704 (https://nvd.nist.gov/vuln/detail/CVE-2025-49704)

CVE-2025-49706 (https://nvd.nist.gov/vuln/detail/CVE-2025-49706)

CVE-2025-53770 (https://nvd.nist.gov/vuln/detail/CVE-2025-53770)

CVE-2025-53771 (https://nvd.nist.gov/vuln/detail/CVE-2025-53771)

NDR Cloud Detection Rule

FortiNDR Cloud v25.3a+

Detection Rule Name: FortiGuard Outbreak Alert: Microsoft SharePoint Remote Code Execution - CVE-2025-53770/CVE-2025-49706
Category: Attack: Exploitation
Primary MITRE ID: T1190 - Exploit Public-Facing Application

Playbook

N/A

Threat Hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for "Microsoft SharePoint Zero-day Attack" related activities.

IOC source: https://www.fortiguard.com/outbreak-ioc?tag=Microsoft%20SharePoint%20Zero-day

All IOCs relating to "Microsoft SharePoint Zero-day Attack" have been added to Threat Intelligence Intel.

Suricata Coverage

Customers can create custom investigation/detections using the Suricata signatures below:

2063647 -> ET EXPLOIT Microsoft SharePoint ToolPane Authentication Bypass (CVE-2025-49706)

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to:

https://www.fortiguard.com/outbreak-alert/microsoft-sharepoint-zero-day
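
A triage sketch for the Suricata signature listed under Suricata Coverage, added here as an example and not Fortinet's code. It assumes the alerts are available as Suricata EVE JSON lines (the page does not say how FortiNDR Cloud exposes them); the sample events, addresses, hostnames and the unrelated rule ID 1000001 are constructed.

```python
import json
from collections import defaultdict

SID = 2063647  # Suricata signature ID listed on this page (CVE-2025-49706)

# Constructed sample EVE JSON lines: documentation-range IPs, one unrelated rule, one truncated record.
SAMPLE_EVE = """\
{"timestamp":"2025-08-07T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"signature_id":2063647},"http":{"hostname":"sp01.example.test","status":200}}
{"timestamp":"2025-08-07T10:00:02.000000+0000","event_type":"http","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","http":{"hostname":"sp01.example.test","status":200}}
{"timestamp":"2025-08-07T10:01:00.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"signature_id":1000001}}
{"timestamp":"2025-08-07T10:05:30.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.0.2.10","alert":{"signature_id":2063647},"http":{"hostname":"sp01.example.test","status":401}}
{"timestamp":"2025-08-07T09:58:12.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.11","alert":{"signature_id":2063647}}
{"timestamp":"2025-08-07T10:06:
"""

def summarize_hits(lines, sid=SID):
    """Group alerts for `sid` by destination server; return (per-server summary, skipped line count)."""
    hits = defaultdict(lambda: {"count": 0, "sources": set(), "statuses": set(), "first": None, "last": None})
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            ev = None
        if not isinstance(ev, dict):
            skipped += 1  # truncated or non-object record, e.g. a log cut off mid-write
            continue
        if ev.get("event_type") != "alert" or ev.get("alert", {}).get("signature_id") != sid:
            continue
        h = hits[ev.get("dest_ip", "unknown")]
        h["count"] += 1
        h["sources"].add(ev.get("src_ip", "unknown"))
        ts = ev.get("timestamp", "")  # same-offset ISO 8601 strings sort chronologically
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        if "status" in ev.get("http", {}):
            h["statuses"].add(ev["http"]["status"])  # response code: a triage hint only
    return dict(hits), skipped

if __name__ == "__main__":
    hits, skipped = summarize_hits(SAMPLE_EVE.splitlines())
    for dest, h in sorted(hits.items()):
        print(dest, h["count"], sorted(h["sources"]), sorted(h["statuses"]), h["first"], h["last"])
    print("unparseable lines skipped:", skipped)
```

Servers that appear in the summary are the ones to check first against patch status and the IOC list referenced above.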