Microsoft Issues Critical Alert on SharePoint Server Flaws CVE-2025-53770 and CVE-2025-53771

Written by: Lore Apostol, Cybersecurity Writer

Microsoft has raised a red flag about active attacks exploiting serious vulnerabilities in on-premises SharePoint servers (2013 and later). Attackers found a way to exploit the zero-days, identified as CVE-2025-53770 and CVE-2025-53771, even after recent patches.

SharePoint Vulnerability Disclosed

The vulnerability does not impact Microsoft’s cloud-based SharePoint Online, but organizations relying on on-premises servers are directly at risk, the Microsoft advisory said.

CVE-2025-53770 is a deserialization flaw that allows unauthenticated remote code execution (RCE), according to Ontinue threat analysis, and has been described as a variant of the RCE flaw CVE-2025-49704.

Attackers chained these two flaws to gain full control of SharePoint servers worldwide, impacting over 54 organizations to date.

Critical Recommendations from Microsoft

Responding to active exploits, Microsoft has urged organizations to apply updated system patches immediately. The company outlined key measures to mitigate the attacks on its server software:

SharePoint 2016 patches are not yet available, as Microsoft is still working on them, but fixes for Microsoft SharePoint Server Subscription Edition and Microsoft SharePoint Server 2019 were released via the security advisory for both CVE-2025-53770 and the SharePoint Server spoofing flaw CVE-2025-53771.

Microsoft said these two updates include more robust protections than the update for CVE-2025-49704 and CVE-2025-49706.

Impacted entities could search for indicators of compromise, including “a file created on the vulnerable servers called spinstall0.aspx” (or other file extension), advised Satnam Narang, Sr. Staff Research Engineer at Tenable.
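A hunt for that indicator, added here as an example and not part of Tenable's or Microsoft's guidance: it sweeps a SharePoint web root for any spinstall0.* file (any extension, as noted above) and parses IIS W3C logs for requests that reference it. The directory layout, the log lines and the planted marker file are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# File name from the advisory; extension left open since it may differ from .aspx.
INDICATOR = re.compile(r"(?:^|[/\\])spinstall0\.[^/\\]+$", re.IGNORECASE)

# Constructed IIS W3C log excerpt for the example (not real traffic).
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 08:14:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-19 08:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-19 08:15:30 10.0.0.5 GET /_layouts/16/spinstall0.js - 443 - 203.0.113.7 Mozilla/5.0 200
"""

def sweep_filesystem(root):
    """Every file under root named spinstall0.<anything>, with hash and mtime for triage."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if INDICATOR.search(name):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                hits.append({"path": path, "sha256": digest, "mtime": mtime.isoformat()})
    return hits

def sweep_iis_log(text):
    """Requests whose cs-uri-stem references spinstall0.*, parsed via the #Fields header."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            if INDICATOR.search(row.get("cs-uri-stem", "")):
                hits.append({k: row.get(k) for k in ("time", "c-ip", "cs-uri-stem", "sc-status")})
    return hits

def demo():
    """Plant a harmless marker file in a temp tree (constructed) and run both sweeps."""
    root = tempfile.mkdtemp()
    layouts = os.path.join(root, "TEMPLATE", "LAYOUTS")
    os.makedirs(layouts)
    with open(os.path.join(layouts, "spinstall0.aspx"), "w") as fh:
        fh.write("<!-- placeholder marker for the example, not a real web shell -->")
    return {"files": sweep_filesystem(root), "requests": sweep_iis_log(SAMPLE_IIS_LOG)}
```

On a real server, point sweep_filesystem at the SharePoint web server extensions directory and feed sweep_iis_log the contents of the IIS log files; any hit is a reason to preserve the file and logs before cleanup.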

The compromise of SharePoint Servers is currently being investigated by the U.S. government and partners in Canada and Australia, The Washington Post first reported.

The Washington Post points to attacks against U.S. federal and state agencies, universities, and energy companies, among others, noted Trey Ford, Chief Information Security Officer at Bugcrowd, who added that “this is actively being exploited—threat hunters and intel teams are actively exploring scope. This is a high-priority vulnerability requiring active involvement from leadership supporting simultaneous mitigation and threat hunting efforts.”

When asked what customers can do while SharePoint Server 2016 remains unpatched, Ford recommended revisiting internet exposure for on-prem services.

“When running your own services 'on prem'—ask if they truly need to be internet exposed, or accessible to untrusted parties. Lowering your attack surface is always wise,” he said. “Hardening, adding recommended endpoint protections like Microsoft’s Antimalware Scan Interface (AMSI), and Defender for these highly integrated services is key.”

Implications for Cybersecurity

With exploitation of the SharePoint vulnerabilities now active, organizations must redouble their efforts to secure their infrastructures and follow industry best practices, as the attack surface for this vulnerability includes over 9,000 externally accessible SharePoint servers.

Narang believes that the active abuse will have far-reaching consequences for affected organizations, as “attackers were able to exploit the flaw, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Servers, which include both a validationKey and a decryptionKey.”

Thomas Richards, Infrastructure Security Practice Director at Black Duck, also warned that “anyone with an externally facing SharePoint on-premise server is at risk regardless of what industry they are part of.” He pointed to the scale of impact, stating, “Researchers have discovered over a hundred organizations impacted by these vulnerabilities.”

“If possible, organizations should restrict access to any externally available vulnerable SharePoint server,” Richards said. “Security teams should also add endpoint protection software to their environments.”
