Security Response
@msftsecresponse
We are the Microsoft Security Response Center. To report security vulnerabilities or abuse in Microsoft products, visit http://microsoft.com/en-us/msrc.
At just 13 years old, Dylan Ryan-Zilavy became the youngest security researcher to collaborate with MSRC. What started with Scratch and HTML quickly evolved into submitting impactful vulnerability reports, respectfully challenging scope decisions, and even helping shape MSRC’s…

Microsoft has released security updates for all supported on-premises SharePoint Server versions. Cloud-hosted SharePoint is not affected. We strongly urge customers to apply these updates immediately to protect against active exploitation. Our latest blog also shares insights…
Microsoft is sharing details from ongoing investigations of threat actors exploiting vulnerabilities targeting on-premises SharePoint servers. Linen Typhoon, Violet Typhoon, and Storm-2603 have been observed exploiting the vulnerabilities: msft.it/6015sE1p5
Microsoft has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771. These vulnerabilities apply to on-premises SharePoint Servers only. Customers should apply these updates immediately to…
Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770 and CVE-2025-53771. These vulnerabilities apply to on-premises SharePoint Servers only. Customers should apply…
Update on CVE-2025-53770: Microsoft has released a security update for SharePoint Subscription Edition to mitigate active attacks targeting on-premises servers. SharePoint Online is not affected. Customers should apply the update immediately. We are actively working on updates…
Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770. We have outlined mitigations and detections in our blog. Our team is working urgently to release…
Calling all MSRC Identity security researchers! We've dropped new domains into scope. Ready, set, go, hack! msft.it/6012sBFuy
Ashish Dhone (@ashketchum_16), security researcher and Microsoft MVR, presented a BlueHat India session on one of the most elusive web security threats: Blind XSS. In his talk, “Breaking into Big Tech: The $50,000+ Blind XSS Bug Hunt,” Ashish walked through: • Advanced…
Security updates for July 2025 are now available! Details are here: msft.it/6018SZEg0 #PatchTuesday #SecurityUpdateGuide

From MS-DOS to Copilot, we’ve come a long way. This year, in honor of Microsoft’s 50th anniversary, MSRC is throwing it back (way back) with a "Microsoft Through the Decades" security researcher celebration during Black Hat. 🗓 August 7, 2025 📍Skyfall Lounge, W Las Vegas This…