Microsoft SharePoint under ‘active exploitation,’ Homeland Security’s CISA says

In a recent advisory, the Cybersecurity and Infrastructure Security Agency (CISA) warned that Microsoft SharePoint is under active exploitation, the label CISA applies when it adds a vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The warning signals that nation‑state and criminal actors are weaponizing flaws in the collaboration platform against federal networks and private‑sector enterprises. It follows a pattern of campaigns that combine publicly disclosed weaknesses with zero‑day flaws to gain persistent access to sensitive data, tamper with workflows, and pivot to broader network compromise.

Why SharePoint Is an Attractive Target

SharePoint powers document management, intranet portals, and workflow automation across hundreds of thousands of organizations. Its deep integration with Microsoft 365, Azure Active Directory (now Microsoft Entra ID), and third‑party add‑ins creates a large attack surface:

  • Complex authentication flows: Misconfigured OAuth or SAML trust relationships, or legacy NTLM left enabled, can be abused to capture, relay, or replay credentials and tokens.
  • Rich customizations: Client‑side web parts, Power Automate flows, and third‑party webhooks run with the permissions of the user or service that invokes them, and the API permissions granted to them are frequently broader than the task requires.
  • Legacy support: Older on‑premises SharePoint farms that are out of support or behind on cumulative updates remain exposed to long‑known CVEs.

Adversaries combine these factors with phishing, credential‑stuffing attacks, and supply‑chain compromise of add‑ins to reach SharePoint in ways that bypass traditional perimeter defenses.

Recent Exploitation Techniques Highlighted by CISA

CISA’s analysis identifies three primary tactics currently in use:

  1. WebDAV and REST API abuse: Attackers send crafted HTTP requests to SharePoint endpoints (the /_api/ REST surface and WebDAV paths) that fail to validate input or authorization, obtaining file read and write access they were never granted.
  2. Token theft via mis‑issued or mis‑validated JWTs: By intercepting or forging the JSON Web Tokens (JWTs) that authenticate SharePoint‑Power Automate flows, attackers impersonate legitimate services and harvest data from connected Azure resources; a relying party that skips signature, issuer, or audience checks accepts such tokens.
  3. Exploitation of third‑party add‑ins: Add‑ins that were never security‑vetted become remote‑code‑execution vectors, especially when they expose webhooks that accept unauthenticated payloads.

These techniques let attackers maintain “low‑and‑slow” footholds, exfiltrate intellectual property, and move laterally into the corporate network and the identity infrastructure (Active Directory or Entra ID) that SharePoint authenticates against.
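The second technique above turns on how a relying party validates a token. The following Python is an added example, not code from the CISA advisory or from Microsoft: it contrasts a decoder that simply trusts a JWT's payload with one that pins the algorithm and verifies signature, issuer, audience, and expiry. The secret, issuer URL, and audience string are placeholders, and HS256 is used only so the example runs offline with the standard library; real Entra ID tokens are RS256 and are verified against the issuer's published signing keys, but the iss/aud/exp checks apply unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholders for this example (not from the advisory): HS256 shared key,
# trusted issuer and the audience the SharePoint/Power Automate API expects.
SECRET = b"constructed-shared-secret"
TRUSTED_ISSUER = "https://issuer.example/"
EXPECTED_AUDIENCE = "api://sharepoint-flow"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a JWT. alg="none" yields an unsigned token, the classic forgery
    sent to verifiers that honour whatever algorithm the header names."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def naive_decode(token: str) -> dict:
    """Vulnerable pattern: reads the payload without checking the signature,
    issuer or audience, so replayed and self-minted tokens are accepted."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_token(token: str, key: bytes = SECRET, now=None) -> dict:
    """Hardened pattern: pin the algorithm, check the MAC in constant time,
    then enforce iss, aud and exp before any claim is trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the token must not choose its own algorithm
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("token issued for another audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: a valid token, a token harvested from a service with
    a different audience, and an alg=none forgery. Returns which checker accepts which."""
    base = {"iss": TRUSTED_ISSUER, "sub": "flow-svc", "exp": now + 600}
    tokens = {
        "good": mint_token({**base, "aud": EXPECTED_AUDIENCE}),
        "wrong_aud": mint_token({**base, "aud": "api://other-service"}),
        "forged": mint_token({**base, "aud": EXPECTED_AUDIENCE, "sub": "attacker"}, alg="none"),
    }

    def accepts(checker, token):
        try:
            checker(token)
            return True
        except ValueError:
            return False

    return {
        "naive": {name: accepts(naive_decode, t) for name, t in tokens.items()},
        "verified": {name: accepts(lambda t: verify_token(t, now=now), t) for name, t in tokens.items()},
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The naive decoder accepts all three tokens, including the one minted for another service and the unsigned forgery; the hardened check accepts only the token whose signature, issuer, audience, and expiry all hold. The audience check is the one most often missing in practice: a token that is perfectly valid for one API is still the wrong token for this one.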

Mitigation Guidance for Organizations

CISA urges immediate, layered defensive actions:

  • Apply the latest cumulative updates to on‑premises SharePoint Server (SharePoint Online is patched by Microsoft); prioritize the SharePoint CVEs that CISA has added to its Known Exploited Vulnerabilities catalog.
  • Enforce conditional‑access policies that require multi‑factor authentication for all SharePoint and Power Automate sign‑ins, and block legacy authentication protocols.
  • Audit third‑party add‑ins and disable any that lack a verifiable security posture or that are no longer actively maintained.
  • Implement API throttling and monitor for anomalous REST activity, bulk downloads, and unusual client user agents using Microsoft Defender for Cloud Apps or the unified audit log.
  • Conduct regular red‑team exercises that simulate SharePoint‑specific exploits to validate detection and response capabilities.
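To make the monitoring bullet concrete, here is an added Python example (not part of the CISA advisory, of Defender for Cloud Apps, or of any Microsoft tool) that runs two detections over constructed audit records shaped like unified audit log SharePoint events (CreationTime, Operation, UserId, ClientIP, ObjectId, UserAgent): a download burst from one user/IP pair within a sliding window, and a non‑browser user agent. The records, the thresholds, and the contoso.example tenant are constructed for the illustration; calibrate the thresholds against your own baseline before acting on the output.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed thresholds for the example; calibrate against your own baseline.
BURST_THRESHOLD = 10                  # downloads per window from one (user, IP)
BURST_WINDOW = timedelta(minutes=5)
SENSITIVE_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
# Coarse heuristic: browsers identify as Mozilla/...; sync clients and Office
# apps do not, so treat this rule as a triage hint, not proof of compromise.
BROWSER_PREFIX = "Mozilla/"


def build_sample_log() -> str:
    """Constructed JSON-lines audit records (field names follow the unified
    audit log SharePoint schema). alice browses normally; svc-flow pulls 25
    files in two minutes from one IP with a scripting user agent."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    recs = []
    for i in range(4):
        recs.append({
            "CreationTime": (base + timedelta(minutes=3 * i)).isoformat(),
            "Operation": "FileDownloaded" if i % 2 else "FileAccessed",
            "UserId": "alice@contoso.example", "ClientIP": "203.0.113.10",
            "ObjectId": "https://contoso.example/sites/hr/Shared Documents/doc%d.docx" % i,
            "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/124.0",
        })
    for i in range(25):
        recs.append({
            "CreationTime": (base + timedelta(seconds=5 * i)).isoformat(),
            "Operation": "FileDownloaded",
            "UserId": "svc-flow@contoso.example", "ClientIP": "198.51.100.7",
            "ObjectId": "https://contoso.example/sites/finance/Shared Documents/q%d.xlsx" % i,
            "UserAgent": "python-requests/2.31",
        })
    return "\n".join(json.dumps(r) for r in recs)


def parse_records(text: str) -> list:
    """Parse JSON lines, attach a datetime, and order by time so the sliding
    window below sees events in sequence regardless of export order."""
    recs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
        recs.append(rec)
    recs.sort(key=lambda r: r["_ts"])
    return recs


def detect(text: str) -> list:
    """Run both rules and return one finding per (user, IP) per rule."""
    findings = []
    windows = defaultdict(deque)  # (user, ip) -> timestamps of recent downloads
    flagged = set()
    for rec in parse_records(text):
        key = (rec["UserId"], rec["ClientIP"])
        ua = rec.get("UserAgent", "")
        if ua and not ua.startswith(BROWSER_PREFIX) and ("ua", key) not in flagged:
            flagged.add(("ua", key))
            findings.append({"rule": "non_browser_user_agent", "user": key[0], "ip": key[1], "user_agent": ua})
        if rec["Operation"] in SENSITIVE_OPS:
            q = windows[key]
            q.append(rec["_ts"])
            while rec["_ts"] - q[0] > BURST_WINDOW:  # drop downloads older than the window
                q.popleft()
            if len(q) >= BURST_THRESHOLD and ("burst", key) not in flagged:
                flagged.add(("burst", key))
                findings.append({"rule": "download_burst", "user": key[0], "ip": key[1],
                                 "count": len(q), "window_start": q[0].isoformat()})
    return findings


if __name__ == "__main__":
    for f in detect(build_sample_log()):
        print(json.dumps(f))
```

On the constructed input only the svc-flow account is flagged, once for the scripting user agent and once when its tenth download lands inside the five‑minute window; alice's two downloads nine minutes apart never cross the threshold. Keying the window on the (user, IP) pair rather than the user alone is deliberate: a stolen token used from an attacker's address stands out even when the legitimate user is active elsewhere at the same time.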

Looking Ahead

With SharePoint entrenched in both public‑sector mission‑critical workflows and private‑sector document lifecycles, the active‑exploitation designation makes clear that complacency is no longer an option. CISA’s advisory emphasizes that continuous monitoring, rapid patching, and a zero‑trust architecture are essential against an evolving threat landscape. Organizations that treat SharePoint as a peripheral system rather than a core security asset risk exposure to sophisticated campaigns that could compromise entire enterprise ecosystems.
