Active Exploitation of Unpatched SharePoint Zero-Day Affects Over 75 Organizations Worldwide


Critical Vulnerability Discovered in Microsoft SharePoint Server

Overview of the Security Flaw

A significant security vulnerability affecting Microsoft SharePoint Server has been identified, prompting widespread concern within the cybersecurity community. Tracked as CVE-2025-53770, this zero-day vulnerability carries a CVSS score of 9.8, marking it as highly critical. The flaw is a variant of a previously reported issue, CVE-2025-49706, which had a CVSS score of 6.3. Microsoft had attempted to address related vulnerabilities in its July 2025 Patch Tuesday updates but now faces a renewed threat.

Nature of the Vulnerability

The vulnerability stems from the deserialization of untrusted data in on-premises Microsoft SharePoint Server. In practice, this means that unauthorized individuals could execute code over a network, which poses a significant risk to data security and system integrity. Microsoft has acknowledged the seriousness of this issue in an advisory issued on July 19, 2025.

Ongoing Exploitation Campaign

Reports indicate that there is an "active, large-scale" exploitation campaign targeting this flaw. In a recent alert, Microsoft confirmed that it is aware of attacks on on-premises SharePoint Server customers. Thankfully, SharePoint Online users under Microsoft 365 are not currently affected.

Recommended Actions for Users

In light of the absence of an official patch, Microsoft recommends several immediate steps for users to enhance security. They are encouraged to configure the Antimalware Scan Interface (AMSI) in SharePoint and deploy Defender Antivirus on all SharePoint servers to mitigate potential risks. Notably, AMSI integration has been enabled by default since the September 2023 security update for SharePoint Server 2016/2019.

For users unable to enable AMSI, disconnecting the SharePoint Server from the internet is advised until a security update can be implemented. Additionally, deploying Defender for Endpoint can help in detecting and blocking any post-exploit activity.

Interconnected Vulnerabilities

In recent findings, cybersecurity firms including Eye Security and Palo Alto Networks Unit 42 have alerted users to the interconnected nature of several vulnerabilities, among them CVE-2025-49706 and CVE-2025-49704 (CVSS score 8.8). Chained together, these vulnerabilities facilitate arbitrary command execution on vulnerable instances and have been linked in a malicious campaign termed ToolShell.

Given that CVE-2025-53770 is considered a variant of CVE-2025-49706, experts believe these attacks may be part of a broader exploitation strategy. The exploits typically involve the delivery of ASPX payloads via PowerShell, allowing attackers to steal the SharePoint server's ASP.NET MachineKey configuration, including the ValidationKey and DecryptionKey. With these secrets in hand, the perpetrator can maintain persistent access to the server even after the original entry point is closed.
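As an added illustration of the post-exploitation detection mentioned in the mitigation section (this is not code from the article, Microsoft, or the firms cited), the following hunting rule flags the IIS worker process that hosts SharePoint (w3wp.exe) spawning a command interpreter, which is the kind of activity a PowerShell-delivered ASPX payload produces. The process events and their field names are constructed here, not real telemetry.

```python
import json
import ntpath

# Constructed Sysmon-style process-creation events as JSON lines (not real telemetry).
# The ASP.NET compiler (csc.exe) is a normal child of w3wp.exe and must not alert.
SAMPLE_EVENTS = r"""
{"ts":"2025-07-19T10:01:02Z","host":"sp01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc <base64 omitted>"}
{"ts":"2025-07-19T10:01:05Z","host":"sp01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","cmdline":"csc.exe /noconfig /fullpaths @build.cmdline"}
{"ts":"2025-07-19T10:02:00Z","host":"sp01","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe"}
{"ts":"2025-07-19T10:03:11Z","host":"sp01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
"""

# IIS worker process that hosts SharePoint, and interpreters it should not normally launch.
WEB_WORKER = "w3wp.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def is_suspicious(event: dict) -> bool:
    """True when the IIS worker process spawns a command interpreter."""
    parent = ntpath.basename(event.get("parent", "")).lower()
    child = ntpath.basename(event.get("image", "")).lower()
    return parent == WEB_WORKER and child in SHELLS


def find_alerts(jsonl: str) -> list[dict]:
    """Parse JSON lines and return the events that match the rule."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious(event):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']}: {alert['parent']} -> {alert['cmdline']}")
```

On a real host the same rule maps directly onto the parent/child fields of Sysmon event ID 1 or Defender for Endpoint process telemetry.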

Potential Impact and Response

The implications of this vulnerability have prompted major cybersecurity responses. Eye Security’s CTO, Piet Kerkhofs, has stated that the ongoing identification of mass exploitation waves is concerning. They have communicated with nearly 75 organizations that have reported breaches, including several significant corporations and government entities worldwide.

Despite the alarming discoveries, Microsoft has yet to revise its advisories for CVE-2025-49706 and CVE-2025-49704 to reflect the ongoing active exploitation. The situation remains fluid, and further updates from Microsoft are anticipated.

Conclusion

The identification of CVE-2025-53770 as a critical vulnerability in SharePoint Server underscores the ongoing challenges in cybersecurity. As Microsoft works on a solution, users are strongly advised to implement recommended security measures to protect their systems. This situation serves as a reminder of the ever-evolving landscape of cyber threats and the need for vigilance in protecting sensitive data and infrastructures.
