Microsoft Addresses Critical Security Flaws in SharePoint
Microsoft recently issued urgent security patches for vulnerabilities in SharePoint, a platform widely used for collaboration and document management. These updates respond to an actively exploited flaw that threatens on-premises SharePoint Server customers and introduces additional measures to fortify the software against potential attacks.
Active Threats Against SharePoint
In an advisory released on July 20, 2025, Microsoft confirmed that it is aware of active attacks targeting on-premises SharePoint Server systems, taking advantage of vulnerabilities that were initially addressed in July’s security update. Notably, CVE-2025-53770, with a CVSS score of 9.8, is a remote code execution vulnerability stemming from the deserialization of untrusted data in Microsoft SharePoint Server. This flaw poses a serious risk as it allows attackers to execute arbitrary code, potentially leading to significant data breaches.
New Spoofing Vulnerability Identified
Additionally, Microsoft disclosed CVE-2025-53771, rated at 6.3 on the CVSS scale. This vulnerability relates to a path traversal issue within SharePoint that allows an authorized attacker to perform spoofing across a network. An anonymous researcher identified and reported the bug, which underscores the ongoing need for vigilant cybersecurity measures within organizations using SharePoint.
Related Vulnerabilities
Microsoft noted that these new vulnerabilities are connected to earlier documented flaws, namely CVE-2025-49704 and CVE-2025-49706. These related issues could potentially be utilized together to exploit systems further. The exploit chain, dubbed ToolShell, was patched during the company’s July Patch Tuesday updates.
The recent security update for CVE-2025-53770 includes stronger protections compared to earlier updates for CVE-2025-49704. Similarly, the update for CVE-2025-53771 offers enhanced safeguards over the previous fix for CVE-2025-49706.
Recommendations for Organizations
To mitigate risks associated with these vulnerabilities, Microsoft recommends that organizations:
- Ensure they are using supported versions of on-premises SharePoint Server, specifically SharePoint Server 2016, 2019, or the Subscription Edition.
- Apply the latest security updates promptly.
- Activate the Antimalware Scan Interface (AMSI) and enable Full Mode for optimal security protection, coupled with an antivirus solution like Microsoft Defender Antivirus.
- Implement Microsoft Defender for Endpoint protection or similar threat detection solutions.
- Regularly rotate SharePoint Server ASP.NET machine keys.
Microsoft emphasized the importance of restarting IIS after applying these updates and advised organizations that if AMSI cannot be enabled, machine keys should be rotated post-update installation.
Ongoing Exploitation and Impact
Reports indicate that at least 54 organizations, including banks, universities, and government entities, have fallen victim to these active exploits. According to Eye Security, active exploitation began around July 18, raising alarm bells across industries.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized the critical nature of CVE-2025-53770 by adding it to its Known Exploited Vulnerabilities (KEV) catalog, compelling Federal Civilian Executive Branch agencies to apply corrections by July 21, 2025.
Immediate Action Needed
Palo Alto Networks Unit 42 has labeled these vulnerabilities as part of a "high-impact, ongoing threat campaign," putting various sectors—including government, education, and healthcare—at immediate risk. Their CTO, Michael Sikorski, highlighted that attackers are evading identity controls and gaining privileged access to sensitive systems. Once established within a network, attackers are exfiltrating crucial data, deploying backdoors, and stealing cryptographic keys.
Sikorski warned that organizations with SharePoint on-premises exposed to the internet should assume a compromise has already occurred. Simply applying patches may not be sufficient to eradicate the threat.
Recommendations for Security Measures
Cybersecurity experts strongly advise organizations to take immediate measures, including:
- Applying all available patches and software updates.
- Rotating all cryptographic materials to prevent unauthorized access.
- Engaging in comprehensive incident response efforts to clean up any breaches.
For those who can, a temporary but effective solution might be to disconnect Microsoft SharePoint from the internet until a patch is fully implemented. This action could help mitigate risks until vulnerabilities are adequately addressed.
As this situation evolves, organizations must remain vigilant and proactive in enhancing their cybersecurity posture.
