Microsoft Patches Exploited SharePoint Zero-Day Among 161 Vulnerabilities

Executive Summary

Microsoft's April 2025 Patch Tuesday release addresses 161 newly disclosed Common Vulnerabilities and Exposures (CVEs), marking one of the largest monthly security updates in the company's history. The most critical finding is an actively exploited zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-27088, which allows remote code execution. A separate critical remote code execution flaw in Windows DNS Server, CVE-2025-27080, also demands immediate attention due to its high potential for wormable exploitation. While Microsoft has not attributed the SharePoint exploitation to a specific threat actor, the in-the-wild abuse elevates the urgency for administrators to apply these patches.

Technical Analysis

The security update bundle resolves vulnerabilities across a wide range of Microsoft products, including Windows, Office, Azure, SQL Server, and developer tools. The two most severe flaws are distinct in their nature and attack surface.

CVE-2025-27088 is an elevation of privilege vulnerability within Microsoft SharePoint Server. According to Microsoft's advisory, an attacker who successfully exploits this flaw could execute arbitrary code in the context of the SharePoint Server process. The vulnerability has been confirmed as exploited in limited, targeted attacks prior to the release of the patch. Technical details regarding the specific attack vector remain undisclosed to prevent further abuse while organizations deploy the fix.

CVE-2025-27080 is a critical remote code execution vulnerability in the Windows DNS Server. With a CVSS score of 9.8, it is considered wormable, meaning a successful exploit could enable malware to propagate between vulnerable servers without user interaction. An unauthenticated attacker could send a specially crafted malicious packet to a Windows DNS server to trigger the flaw and gain full control of the system. This vulnerability poses a significant risk to enterprise networks and internet infrastructure.

Of the 161 total CVEs, 5 are rated Critical, 154 are rated Important, and 2 are rated Moderate in severity.

Tactics, Techniques & Procedures

The exploitation of CVE-2025-27088 prior to patch availability indicates a tactic of Exploitation for Privilege Escalation (T1068). Attackers likely combined this vulnerability with initial access techniques, such as phishing or credential theft, to compromise a low-privileged account before leveraging the SharePoint flaw to achieve higher-level execution. The existence of CVE-2025-27080 presents a clear technique for Exploitation of Remote Services (T1210), where an attacker could directly target a network service without requiring any user interaction or authentication.

Threat Actor Context

Microsoft has not publicly attributed the exploitation of the SharePoint zero-day (CVE-2025-27088) to a known threat group or nation-state. The company described the attacks as "limited and targeted," a phrasing often associated with espionage or financially motivated campaigns against specific organizations. The lack of a public attribution suggests the investigation is ongoing or that Microsoft is withholding details for operational security reasons.

Mitigations & Recommendations

Administrators must prioritize applying the April 2025 Patch Tuesday updates. The following order is recommended based on active exploitation and potential impact:

1. Immediate Patching: Apply the security update for CVE-2025-27088 to all Microsoft SharePoint Server instances. Apply the update for CVE-2025-27080 to all Windows DNS Servers.
2. Network Segmentation: Ensure SharePoint servers and DNS servers are placed on segmented network zones with strict inbound and outbound firewall rules to limit lateral movement and external attack surface.
3. Principle of Least Privilege: Review and harden service accounts and user permissions associated with SharePoint applications to limit the impact of a potential privilege escalation.
4. Monitoring: Implement enhanced logging and monitoring for process creation and network connections on critical servers, with alerts for known exploitation patterns as they become available from security vendors.
5. Comprehensive Update: Deploy the full suite of April 2025 patches across all Microsoft products in the environment, as many other vulnerabilities patched this month could be leveraged in later-stage attacks.