
SharePoint, a core Microsoft Office tool for managing shared files and team collaboration, is currently under threat from two critical zero-day vulnerabilities. Both are Remote Code Execution (RCE) flaws that are being actively exploited, allowing attackers to run malicious code on compromised servers.
Microsoft has released immediate, out-of-band security patches to address these vulnerabilities for the Microsoft 365 version of SharePoint and the standalone SharePoint 2019 release. Users and administrators are strongly advised to apply these updates without delay to protect their environments.
Notably, the SharePoint 2016 version, which is not subscription-based, remains unpatched for the moment, though a fix is in development.
The vulnerabilities surfaced after the latest Pwn2Own security contest: the issues demonstrated there were resolved, but further testing uncovered new weaknesses. Because RCE vulnerabilities give attackers full control of affected systems, their exploitation can lead to severe security incidents, including malware installation and data breaches.
To apply the patches, administrators can use the SharePoint Central Administration web interface or deploy the fixes via PowerShell. Microsoft's official documentation provides step-by-step guidance for both methods, so remediation can be carried out quickly across a range of IT environments.
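After the update is installed, an administrator will want to confirm that every server in the farm is actually at the patched build and that the farm-level configuration upgrade has completed. The following is an added example written for this page; it is not code from the article or from Microsoft. It assumes it is run in an elevated SharePoint Management Shell on a farm server, and it uses a placeholder for the patched build number, since the article does not state one (take the real value from Microsoft's release notes for the out-of-band update).

```powershell
# Added example (not from the article or Microsoft): report the farm's build
# level and per-server upgrade state so an admin can verify the out-of-band
# patch was applied everywhere. Run in an elevated SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDER: replace with the patched build number from Microsoft's release notes.
$MinimumPatchedBuild = [Version]'0.0.0.0'

$farm  = Get-SPFarm
$build = $farm.BuildVersion   # System.Version, so -lt compares it numerically

Write-Host "Farm build version : $build"
if ($build -lt $MinimumPatchedBuild) {
    Write-Warning "Farm build is below the patched build ($MinimumPatchedBuild); install the update."
} else {
    Write-Host "Farm build is at or above the patched build."
}

# Installing the binaries is only half the job: the configuration upgrade
# (PSConfig / the Products Configuration Wizard) must also run on each server.
# A server with NeedsUpgrade = True has binaries installed but that step pending.
Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |   # skip SQL and other non-SharePoint hosts
    Select-Object Name, Role, Status, NeedsUpgrade |
    Format-Table -AutoSize

if ($farm.NeedsUpgrade) {
    Write-Warning "Farm-level upgrade is still pending; run the configuration upgrade before considering the patch complete."
}

# Per-product patch state on this server, for cross-checking against the
# "Check product and patch installation status" page in Central Administration.
Get-SPProduct -Local | Format-List
```

The script flags two distinct failure modes a practitioner should not conflate: a server whose build is still below the patched level (the update was never installed there) and a server that reports NeedsUpgrade after installation (the binaries are present but the configuration upgrade has not been run), which leaves the farm in a mixed state until that step completes.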