
A zero-day vulnerability in on-premises Microsoft SharePoint Server, tracked as CVE-2025-53770, is being actively exploited, putting businesses and government agencies worldwide at risk. The flaw is a deserialization of untrusted data that lets an unauthenticated attacker execute arbitrary code on the server. Because on-premises SharePoint is commonly integrated with Teams, OneDrive, and Outlook, a compromised server also exposes data in those connected services.

Understanding the Vulnerability

The vulnerability, rated critical with a CVSS score of 9.8, affects on-premises versions of SharePoint Server only: SharePoint Server 2019, SharePoint Server Subscription Edition, and SharePoint Server 2016. SharePoint Online in Microsoft 365 is not affected. Attackers have been exploiting the flaw since at least July 18, 2025, to drop web shells and steal the server's ASP.NET machine keys (the ValidationKey and DecryptionKey). With those keys an attacker can keep forging valid, signed requests to the server, which is why stolen keys grant persistent access even after the software is patched.

Key Details of CVE-2025-53770

  • CVE Identifier: CVE-2025-53770
  • Severity: Critical (CVSS score: 9.8)
  • Impact: Unauthenticated remote code execution on the SharePoint server, with access to its file system, configuration secrets, and any services connected to it.
  • Affected Versions: SharePoint Server 2019, SharePoint Server Subscription Edition, SharePoint Server 2016.

Exploitation and Global Impact

The attacks have targeted a wide range of sectors, including government agencies, educational institutions, healthcare providers, and large enterprises. Researchers tracking the campaign report that attackers are using the vulnerability to exfiltrate sensitive data and to keep long-term control of compromised servers through the web shells and stolen keys described above.

The most concerning aspect of this exploit is that it needs neither valid credentials nor any user interaction: any vulnerable SharePoint server that is reachable over the network can be compromised directly. This makes the vulnerability particularly dangerous for organizations that expose SharePoint to the internet or rely on it for critical operations.

Comparison of Affected SharePoint Versions

SharePoint Version                        Patch Availability   Recommended Action
SharePoint Server 2019                    Patch released       Apply updates immediately, then rotate machine keys
SharePoint Server Subscription Edition    Patch released       Apply updates immediately, then rotate machine keys
SharePoint Server 2016                    Patch forthcoming    Enable AMSI with Defender Antivirus, or disconnect the server from the internet

Patch status is as of the time of writing; check Microsoft's advisory for the current status of each version before deciding which row applies to you.

Mitigation and Protective Measures

Microsoft has issued urgent guidance to help organizations protect their systems from exploitation. Here are the recommended steps:

Immediate Actions

  • Apply Security Updates: Microsoft has released patches for SharePoint Server 2019 and SharePoint Server Subscription Edition. Organizations using these versions should install the updates without delay.
  • Enable AMSI Integration: Configure the Antimalware Scan Interface (AMSI) integration in SharePoint (Full Mode, where your build offers it) and deploy Microsoft Defender Antivirus on every SharePoint server so that exploitation attempts are scanned and blocked before they reach the vulnerable code.
  • Rotate Cryptographic Materials: After applying updates, rotate the SharePoint server ASP.NET machine keys and restart IIS. Patching stops new exploitation, but it does not invalidate keys that were already stolen; only rotation does.

Alternative Measures

  • Disconnect from the Internet: If enabling AMSI is not feasible, disconnect vulnerable SharePoint servers from the internet (or put them behind an authenticating proxy or VPN) until a patch is available and has been applied.
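The steps above, put together as a single post-patch checklist for one SharePoint server. This is an added example written for this page, not a script from the original article or from Microsoft; the patch build number is a placeholder, and the Update-SPMachineKey cmdlet and its -WebApplication parameter are the ones named in Microsoft's key-rotation guidance but should be confirmed with Get-Help on your build before use. Run it in the SharePoint Management Shell as a farm administrator.

```powershell
# Added example, not from the original article or from Microsoft.
# Post-patch checklist for CVE-2025-53770 on one SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Confirm the patch level before anything else. Replace the placeholder with
#    the fixed build number from Microsoft's advisory for your version.
$fixedBuild = [version]'16.0.0.0'   # PLACEHOLDER, not the real fixed build
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"
if ($farm.BuildVersion -lt $fixedBuild) {
    Write-Warning "Farm is below the fixed build; install the security update first."
}
# Per-product patch detail for the local server:
Get-SPProduct -Local | Format-List

# 2. Confirm Microsoft Defender Antivirus (the AMSI provider) is running with
#    current signatures. AMSI integration itself is configured per web
#    application in Central Administration; this only checks the scanner it
#    hands requests to, so a warning here means AMSI is not protecting you.
$mp = Get-MpComputerStatus
if (-not $mp.AMServiceEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning "Defender AV is not fully enabled; AMSI scanning of SharePoint requests will not occur."
}
Write-Host "Signatures last updated: $($mp.AntivirusSignatureLastUpdated)"

# 3. Rotate the ASP.NET machine keys on every web application, then restart IIS.
#    Stolen ValidationKey/DecryptionKey values let an attacker forge signed
#    __VIEWSTATE payloads even on a patched server, so this is not optional.
#    Assumption: Update-SPMachineKey accepts a web application via -WebApplication.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating machine key for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}
# IIS must be restarted on every server in the farm for the new keys to take effect.
iisreset.exe
```

Run the rotation and the IIS restart on every server in the farm, not just the one you are logged in to; until that is done, an attacker holding the old keys can still talk to any server that has not restarted.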

Detection and Incident Response

Organizations should also take proactive steps to detect and respond to potential breaches:

  • Monitor for Indicators of Compromise: Look for unexpected files in the SharePoint LAYOUTS folder (under ...\Web Server Extensions\16\TEMPLATE\LAYOUTS for the 16 hive), in particular the web shell named ‘spinstall0.aspx’, and for requests to that file in the IIS logs. A request to the file from an outside address means the shell was not just dropped but used.
  • Use Microsoft Defender for Endpoint: This tool can detect and block post-exploitation activity, such as the IIS worker process (w3wp.exe) spawning command shells or PowerShell.
  • Engage Incident Response Teams: If a breach is suspected, treat the machine keys as stolen, rotate them, and contact professional incident response services immediately to assess and contain the damage.
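A first-pass hunt for the indicator the article names (spinstall0.aspx), as an added example written for this page rather than code from the original article. It checks the default LAYOUTS folders of the 15 and 16 hives for the web shell or any .aspx file created since the exploitation window opened, and it parses IIS W3C logs for requests to the shell. The second log pattern (a request to ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx) is the exploit-request indicator published in Microsoft's guidance, not something from this article. The sample log lines are constructed so the parser can be exercised offline; the paths are the default install locations and may differ on your server.

```powershell
# Added example, not from the original article. Run as an administrator on the
# SharePoint server. Paths below are the default LAYOUTS locations (assumption).
$layoutsDirs = @(
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
) | Where-Object { Test-Path $_ }

# 1. The named web shell, plus any .aspx dropped into LAYOUTS since July 18, 2025.
foreach ($dir in $layoutsDirs) {
    Get-ChildItem -Path $dir -Recurse -Filter '*.aspx' -File |
        Where-Object { $_.Name -like 'spinstall*' -or $_.CreationTime -ge [datetime]'2025-07-18' } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

# 2. Requests for the web shell, and exploit requests, in IIS W3C logs.
#    Returns one object per suspicious request so the result can be exported.
function Find-ToolShellRequests {
    param([string[]]$LogLines)
    $fields = @()
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '     # IIS encodes spaces inside fields as '+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        $reason = $null
        if ($rec['cs-uri-stem'] -match 'spinstall0?\.aspx$') {
            $reason = 'web shell request'
        } elseif ($rec['cs-uri-stem'] -match 'ToolPane\.aspx$' -and $rec['cs(Referer)'] -match '/_layouts/SignOut\.aspx') {
            $reason = 'exploit request (Microsoft-published indicator)'
        }
        if ($reason) {
            [pscustomobject]@{
                Time   = "$($rec['date']) $($rec['time'])"
                Client = $rec['c-ip']
                Method = $rec['cs-method']
                Uri    = $rec['cs-uri-stem']
                Status = $rec['sc-status']
                Reason = $reason
            }
        }
    }
}

# Constructed sample log (not a real capture) to show what a hit looks like.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.23 Mozilla/5.0 - 200
2025-07-19 03:12:58 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:13:01 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200
'@ -split "`r?`n"
Find-ToolShellRequests -LogLines $sample | Format-Table -AutoSize

# Against the real logs (default IIS log location, adjust as needed):
# Get-ChildItem 'C:\inetpub\logs\LogFiles' -Recurse -Filter '*.log' |
#     ForEach-Object { Find-ToolShellRequests -LogLines (Get-Content $_.FullName) } |
#     Export-Csv .\toolshell-hits.csv -NoTypeInformation
```

A 200 response to spinstall0.aspx from an external client, as in the sample, means the key-theft page was served; treat the machine keys on that server as compromised regardless of whether the file is still present.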

Conclusion

The exploitation of CVE-2025-53770 underscores the importance of timely software updates and robust cybersecurity practices. Organizations using affected SharePoint versions must act swiftly to apply patches and implement protective measures to safeguard their data and systems.

For further details, refer to Microsoft’s official advisory on the vulnerability and stay updated with the latest security recommendations.

Matt

A tech blogger passionate about exploring the latest innovations, gadgets, and digital trends, dedicated to simplifying complex technologies and sharing insightful, engaging content that inspires and informs readers.