EU authorities issue joint warning on SharePoint vulnerabilities and urge immediate action

In response to the discovery and exploitation of multiple zero-day vulnerabilities in on-premise Microsoft SharePoint servers, EU cybersecurity bodies have issued coordinated guidance for containment, assessment, and mitigation.

On 22 July 2025, the European Commission, ENISA, CERT-EU, and the EU CSIRTs Network released a joint advisory concerning active exploitation of vulnerabilities in Microsoft's on-premises SharePoint Server. Cloud-hosted SharePoint Online (Microsoft 365) is not affected. The affected systems are widely used across public and private sectors for document management and collaboration, and they are frequently exposed to the internet, which makes a timely response critical, especially for organisations in scope of the EU's Network and Information Security Directive (NIS2).

The alert follows Microsoft's 8 July disclosure of two vulnerabilities (CVE-2025-49704 and CVE-2025-49706), which together form the exploit chain known as ToolShell. By 18 July, threat actors were exploiting a variant of the chain that bypassed the July patches; Microsoft tracked the bypasses as two new zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, and released out-of-band updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Because the chain is exploitable without authentication, any unpatched server reachable from the internet should be treated as potentially compromised.

EU institutions recommend immediate network isolation of affected systems, a forensic assessment before patching, and strict adherence to guidance issued by national cybersecurity authorities, CERT-EU, and the CSIRTs. The ordering matters: applying the update closes the entry point but does not remove web shells or other persistence an attacker may already have planted, and Microsoft's own guidance additionally calls for rotating the ASP.NET machine keys and restarting IIS after patching, since keys stolen during exploitation would otherwise remain valid on a patched server. Updates and situational awareness resources are also available through ENISA and Microsoft.

This incident underscores the broader goals of the EU Cyber Resilience Act (CRA), which entered into force in December 2024 and whose main obligations apply from 11 December 2027. The CRA mandates security-by-design and timely vulnerability remediation across software and hardware products with digital elements, with the aim of reducing systemic cybersecurity risk across the Union.