CVE-2025-53770: SharePoint Zero-Day Exploited in Ongoing Attacks, Patch Released

By /
microsoft sharepoint

Microsoft has released urgent security patches for two critical vulnerabilities in SharePoint Server, one of which is currently being actively exploited in cyberattacks targeting organizations worldwide. The company is urging all users of on-premises SharePoint servers to take immediate action.

The most severe flaw, tracked as CVE-2025-53770, has received a CVSS score of 9.8, indicating a critical risk. This vulnerability allows attackers to remotely execute malicious code by exploiting how SharePoint deserializes untrusted data.

According to Microsoft, this bug is actively being used by threat actors to compromise on-premises SharePoint Server installations, especially in environments that haven’t yet applied the July 2025 Security Update.

Cybersecurity firm Eye Security has confirmed that at least 54 organizations — including banks, universities, and government bodies — have already been compromised, with attacks believed to have started around July 18, 2025.

Alongside CVE-2025-53770, Microsoft also disclosed a second vulnerability, CVE-2025-53771, which carries a CVSS score of 6.3. This is a spoofing flaw related to path traversal issues. It allows a legitimate user to spoof data across the network, potentially misleading other users or systems.

Both flaws are related to two previously reported vulnerabilities, CVE-2025-49704 and CVE-2025-49706, which were addressed in Microsoft’s July Patch Tuesday updates. When combined in a chain, these issues enable attackers to gain full control over vulnerable SharePoint servers.

Microsoft noted that the latest patches provide stronger protections than the previous ones and recommends applying them immediately, even if prior updates were already installed.

It’s important to note that SharePoint Online in Microsoft 365 is not affected by these flaws. Only on-premises installations of SharePoint Server are at risk. The vulnerabilities have been addressed in the following versions:

  • SharePoint Server 2019 – Version 16.0.10417.20027

  • SharePoint Enterprise Server 2016 – Version 16.0.5508.1000

  • SharePoint Server Subscription Edition

  • SharePoint Server 2019 Core

  • SharePoint Server 2016 – Patch details pending

Microsoft and cybersecurity experts strongly recommend the following steps to secure your SharePoint environment:

  1. Apply the Latest Patches: Update to the latest supported version for your on-prem SharePoint server.

  2. Enable AMSI: Activate the Antimalware Scan Interface (AMSI) and configure it to run in Full Mode for better malware detection.

  3. Use Microsoft Defender or Equivalent: Implement Defender Antivirus or another endpoint protection tool.

  4. Deploy Defender for Endpoint: Or a similar EDR solution for enhanced threat monitoring.

  5. Rotate ASP.NET Machine Keys: After patching, immediately rotate your ASP.NET machine keys used by SharePoint.

  6. Restart IIS: Ensure IIS services are restarted on all SharePoint servers after patching.

Microsoft emphasizes that if you can’t enable AMSI, rotating machine keys after installing the new update becomes even more critical.

microsoft

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. All Federal Civilian Executive Branch (FCEB) agencies are required to patch this vulnerability by July 21, 2025.

Cybersecurity analysts at Palo Alto Networks Unit 42 report that the flaw is being actively exploited in a high-impact threat campaign targeting government agencies, schools, healthcare systems, and large enterprises. These attacks are bypassing even advanced defenses like Multi-Factor Authentication (MFA) and Single Sign-On (SSO).

“Once attackers gain access via SharePoint, they often move laterally across the network, compromising platforms like Office, Teams, OneDrive, and Outlook,” said Michael Sikorski, CTO of Unit 42. “They’re exfiltrating sensitive data, installing persistent backdoors, and stealing cryptographic keys.”

Sikorski warns that even after patching, the threat might remain. “If your on-prem SharePoint is connected to the internet, you should assume it’s been compromised. Patching alone may not remove the attacker from your systems,” he said.

For organizations unable to immediately patch or verify their systems, Sikorski suggests a temporary solution: “Unplug your SharePoint server from the internet until it’s fully secured.” This may serve as a short-term mitigation to prevent further exploitation.

  • These vulnerabilities pose severe risks to any organization using on-prem SharePoint.

  • Threat actors are actively exploiting these flaws to gain high-level access to corporate networks.

  • Prompt action — including patching, rotating keys, and enabling AMSI — is essential to prevent further damage.

Cybersecurity professionals agree: this is not a typical patch cycle — it’s a response to a live, targeted attack campaign. If your organization runs SharePoint Server in-house, act now to protect your systems and limit the blast radius of a potential compromise.

Follow us on Twitter and Linkedin for real time updates and exclusive content.

Interesting Article : CVE-2025-6558, Google Urgently Fixes Actively Exploited Chrome Zero-Day

1 thought on “CVE-2025-53770: SharePoint Zero-Day Exploited in Ongoing Attacks, Patch Released”

  1. Pingback: Critical Cisco ISE Flaws Exploited in the Wild, Remote Root Access Without Login

Comments are closed.

Scroll to Top