Microsoft has released emergency security updates to address a critical vulnerability in its on-premises SharePoint Server, warning that the flaw is currently being exploited in the wild. The tech company also disclosed a second, related vulnerability.
CVE-2025-53770 Critical Flaw Enables Remote Code Execution
CVE-2025-53770 is a critical security issue with a CVSS score of 9.8. The flaw stems from unsafe deserialization of untrusted data, which can allow attackers to execute remote code on vulnerable SharePoint servers. It appears that only on-premises installations are prone to the vulnerability, with SharePoint Online remaining unaffected.
This vulnerability is considered a variant of CVE-2025-49706, part of a previously known exploit chain dubbed ToolShell, which Microsoft patched earlier this month.
CVE-2025-53771 Additional Spoofing Vulnerability Disclosed
Alongside the critical issue, Microsoft also revealed a second bug, CVE-2025-53771 with CVSS score of 6.3, which involves a path traversal weakness that could allow authenticated attackers to spoof content on the network. This flaw, too, affects only self-hosted versions of SharePoint and was privately reported by an unnamed security researcher.
Both CVE-2025-53770 and CVE-2025-53771 are linked to previously patched bugs (CVE-2025-49704 and CVE-2025-49706) and have now received more comprehensive updates to mitigate the risk of exploitation.
Scope of the Attacks
Cybersecurity firm Eye Security has confirmed that at least 54 organizations, including banks, universities, and government agencies, have already fallen victim to this ongoing attack campaign. The exploitation activity is believed to have started around July 18, targeting systems exposed to the internet.
CVE-2025-53770 has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is urging all Federal Civilian Executive Branch agencies to apply the necessary patches by July 21.
Why Patching Isn’t Enough
Security experts are emphasizing that applying patches is only one part of the solution. According to Palo Alto Networks’ Unit 42, attackers are bypassing multi-factor authentication (MFA) and single sign-on (SSO) systems to gain privileged access. Once inside, they are exfiltrating data, installing persistent malware, and stealing encryption keys—posing a broader threat to the Microsoft ecosystem.
Unit 42 cautioned that organizations should assume compromise if they are running internet-facing SharePoint servers. Given the deep integration of SharePoint with services like Office, Teams, OneDrive, and Outlook, any breach could grant attackers access to an organization’s most sensitive data.
They also stressed that disconnecting vulnerable SharePoint instances from the internet may be necessary as an immediate defensive measure.
Recommended Actions for Customers
To reduce risk and minimize potential damage, Microsoft advises organizations to take the following steps:
- Update all SharePoint Server 2016, 2019, and Subscription Edition installations
- Apply the latest security updates for SharePoint
- Activate Antimalware Scan Interface (AMSI) and set it to Full Mode
- Utilize Microsoft Defender for Endpoint or another comparable EDR solution
- Rotate ASP.NET machine keys and restart IIS on all SharePoint servers after patching
In cases where AMSI cannot be enabled, Microsoft strongly recommends rotating the machine keys post-update as a crucial step.
Patched Versions
The following versions include the latest protections:
- Microsoft SharePoint Server 2019 (16.0.10417.20027)
- SharePoint Enterprise Server 2016 (16.0.5508.1000)
- SharePoint Server Subscription Edition
- SharePoint Server 2019 Core
- SharePoint Server 2016 (update pending)
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: