Zero-day vulnerability in Microsoft SharePoint: Essential information and recommended actions
In a recent development, a critical zero-day vulnerability, CVE-2025-53770, has been actively exploited in on-premises Microsoft SharePoint Servers. This remote code execution flaw is due to unauthenticated deserialization of untrusted data[1][2][3][4].
Microsoft responded swiftly, releasing an emergency security update on July 20, 2025, specifically targeting CVE-2025-53770[2][3]. This update covers SharePoint Subscription Edition and SharePoint Server 2019, with upcoming updates scheduled for SharePoint Server 2016[4].
Beyond patching, several additional steps are strongly recommended to secure SharePoint servers:
- Enable AMSI (Antimalware Scan Interface) detection to help detect malicious scripts and webshells deployed by attackers[4].
- Rotate ASP.NET machine keys, as attackers have been observed extracting cryptographic keys for forging authentication tokens[3][4].
- Isolate public-facing SharePoint servers until all defenses are in place to limit exposure to internet attackers[4].
- Monitor for indicators of compromise shared by security firms like Rapid7 and SentinelOne, including detection guidance for the deployment of ToolShell webshells used in exploits[3][4].
- Follow advisories from cybersecurity authorities like CISA, which confirms ongoing exploitation and provides up-to-date mitigation measures[5].
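The following script is an added example of how a SharePoint administrator might carry out two of the steps above (machine key rotation and a hunt for dropped webshells) in one pass; it is not from the advisory, from Microsoft, or from any of the cited vendors. It assumes the SharePoint Management Shell cmdlets Get-SPWebApplication and Update-SPMachineKey are available on the farm, that the LAYOUTS folder lives at the standard 16-hive path shown, and that any webshell hashes you want to match against are pasted into the $KnownBadSha256 list from a vendor IoC publication (the list is deliberately left empty here).

```powershell
# Added example (not from the advisory, Microsoft, or the cited vendors): post-patch
# response steps for an on-premises SharePoint farm. Run in the SharePoint Management
# Shell as a farm administrator, AFTER the July 20, 2025 security update is installed.
# Assumptions: Get-SPWebApplication and Update-SPMachineKey are available, and the
# 16-hive LAYOUTS path below matches your installation.

param(
    # Anything written to LAYOUTS after this date is treated as suspect.
    [datetime]$Since = (Get-Date "2025-07-01"),
    # Paste SHA256 hashes from vendor IoC lists here; intentionally empty in this example.
    [string[]]$KnownBadSha256 = @()
)

# The snap-in is normally pre-loaded in the Management Shell; ignore the
# "already added" error if so.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Rotate the ASP.NET machine keys on every web application (Central Admin included).
#    Stolen validation/decryption keys let an attacker keep forging authentication
#    tokens after the code fix is installed, so rotation is what actually revokes them.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 2. Hunt for webshells: an .aspx file that appeared in LAYOUTS after the campaign began
#    deserves a closer look, because that folder is served by every site on the farm.
$layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$suspects = Get-ChildItem -Path $layouts -Recurse -Filter *.aspx -File |
    Where-Object { $_.LastWriteTimeUtc -ge $Since.ToUniversalTime() } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path     = $_.FullName
            Written  = $_.LastWriteTimeUtc
            Sha256   = $hash
            KnownBad = ($KnownBadSha256 -contains $hash)   # matches a published IoC hash
        }
    }

if ($suspects) {
    Write-Warning "Found $(@($suspects).Count) .aspx file(s) written to LAYOUTS since $Since; review each one."
    $suspects | Format-Table -AutoSize
} else {
    Write-Host "No .aspx files written to LAYOUTS since $Since"
}

# 3. New keys only take effect when the worker processes reload. Run this on EVERY
#    server in the farm, not just the one where the rotation was triggered.
iisreset.exe
```

The file-age filter is a triage aid, not a verdict: a legitimate customization or the security update itself can touch files in LAYOUTS, so each hit should be compared against change records and the vendor IoC lists before it is treated as a compromise. Conversely, an empty result does not prove the server is clean, which is why the advisory also recommends AMSI and continued monitoring.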
It's worth noting that the earlier July 8 patches for CVE-2025-49704/49706 were incomplete and do not fully mitigate today's active attacks[2][3]. Therefore, it's essential to apply Microsoft's July 20 emergency patch for CVE-2025-53770 together with the accompanying fix for CVE-2025-53771, which addresses a bypass of the earlier patch[2][3][4][5].
Attackers have been exploiting these flaws to inject and execute unauthorized code on compromised servers. Once deployed, a rogue webshell can be used for a range of malicious actions, such as probing and mapping the network, downloading and running additional programs, making unauthorized security changes, stealing files, modifying official content, and more[3].
These webshells can be written in multiple scripting languages, including PHP, VBScript, JavaScript, PowerShell, C#, and more[6]. If you need help managing cybersecurity, consider contacting a 24/7 Security Operations Center for assistance[6].
It's also advisable to keep an eye on Microsoft's security bulletin for further news about additional patches you may require[6]. If you run SharePoint servers, consider restricting access to internal users or taking servers offline temporarily until full patches are available[7].
Microsoft has published "patches-to-patch-the-patches" for these new CVEs, but the company's advice is ambiguous[5]. The bugs were supposedly fixed in Microsoft's July 2025 Patch Tuesday update, but new zero-day exploits have emerged[7]. Therefore, it's crucial to stay vigilant and follow the recommended security measures.
For more information, consult Microsoft's advice for known indicators of compromise (IoCs) that could reveal if you've already been attacked[8]. Microsoft also advises checking their blog article for updates[8].
Sources:
[1] Rapid7: https://www.rapid7.com/db/advisories/rapid7-2025-07-27-sharepoint-rce-vulnerability
[2] Microsoft Security Response Centre: https://msrc-blog.microsoft.com/2025/07/20/sharepoint-server-2016-and-2019-security-updates-released-for-cve-2025-53770/
[3] SentinelOne: https://www.sentinelone.com/blog/2025/07/sharepoint-zero-day-exploited-in-the-wild/
[4] CISA: https://www.cisa.gov/uscert/ncas/alerts/aa25-281a
[5] Microsoft: https://msrc-blog.microsoft.com/2025/07/20/sharepoint-server-2016-and-2019-security-updates-released-for-cve-2025-53770/
[6] TechRadar: https://www.techradar.com/news/sharepoint-servers-are-under-attack-heres-what-you-need-to-know
[7] ZDNet: https://www.zdnet.com/article/sharepoint-zero-day-vulnerability-patched-by-microsoft-but-new-exploits-emerge/
[8] Microsoft: https://msrc-blog.microsoft.com/2025/07/20/sharepoint-server-2016-and-2019-security-updates-released-for-cve-2025-53770/
The finance department should prioritize allocating funds for implementing the recommended security measures to safeguard SharePoint servers from ongoing cybersecurity threats. To ensure business continuity and mitigate risks related to CVE-2025-53770, it's crucial to promptly apply the emergency fix provided by Microsoft on July 20, 2025. In addition, employing a 24/7 Security Operations Center for continuous monitoring and threat detection could further enhance cybersecurity posture.