Microsoft SharePoint vulnerability

🚨 Overview: What Happened?

• On July 19–21, 2025, Microsoft confirmed that a critical zero-day vulnerability—tracked as CVE‑2025‑53770—was being actively exploited in the wild. The attack targeted on‑premises SharePoint Server installations, including versions 2016, 2019, and Subscription Edition. SharePoint Online (Microsoft 365 cloud) was not affected.Microsoft Learn+15The Washington Post+15Censys+15msrc.microsoft.com
• The vulnerability has allowed attackers to launch spoofing attacks—deceiving users into trusting malicious content by impersonating trusted sources.Reuters
• As of today, at least 75 servers—including those used by U.S. government agencies, large corporations, universities, energy companies, European governments, and Asian telecoms—have seen confirmed breaches.The Washington Post+1The Times of India+1
• Some attackers escalated the breach further by obtaining cryptographic keys, enabling persistent re-entry even after patch deployment.The Times of India+3The Washington Post+3Reddit+3

Technical Details & Impact

• CVE‑2025‑53770 is a variant of CVE‑2025‑49706, allowing authorized attackers to spoof network requests and exploit vulnerabilities without filtering.msrc.microsoft.com
• The attack method enables unauthorized file manipulation, document tampering or deletion, and unauthorized persistence—especially critical in sector-wide incident like in Spain or U.S. states.The Washington PostThe Times of India
• With tens of thousands of on-prem SharePoint servers globally still unpatched, the potential impact remains vast.Microsoft Support+15Reuters+15The Washington Post+15

Microsoft’s Guidance & Defense Tactics

• Microsoft has not yet released a full patch for all affected versions, but states that one version is now patched, while two others remain vulnerable. Joining investigators like the FBI and CISA, Microsoft is working to rapidly roll out fixes.The Washington Post
• Until patches are available, Microsoft strongly recommends:
• Enabling AMSI (Antimalware Scan Interface) integration on SharePoint (default since September 2023 update for 2016/2019, and since 23H2 for Subscription Edition).
• Deploying Microsoft Defender Antivirus and Defender for Endpoint on SharePoint servers. These tools include detections labeled:
• Exploit:Script/SuspSignoutReq.A
• Trojan:Win32/HijackSharePointServer.A
• Hunting for indicators of compromise—e.g. suspicious files like spinstall0.aspx—using Microsoft 365 Defender advanced hunting queries.SecurityVulnerability.io+2msrc.microsoft.com+2Censys+2
• If AMSI or Defender AV integration is not possible, disconnect vulnerable SharePoint servers from the internet until a security update is installed.msrc.microsoft.com+1Reuters+1

Historical Context: SharePoint Vulnerabilities & Trends

• Earlier SharePoint vulnerabilities include:
• CVE‑2024‑38094, deserialization/RCE impacting on-prem versions (added to CISA’s Known Exploited Vulnerabilities list in October 2024). Attacker needed Site Owner rights; patch released July 2024.Fortinet Community+6Censys+6Reddit+6
• CVE‑2024‑30044, a critical RCE for authenticated site owners—patches released in mid-2024.notcve.org+2Fortinet Community+2Tenable®+2
• Earlier chains like CVE‑2023‑29357 (elevation of privilege) and CVE‑2023‑24955 (RCE), which were actively exploited in 2023.msrc.microsoft.com+15Tenable®+15Cyber Security Agency of Singapore+15

These past incidents illustrate that SharePoint has been a repeated attack vector—especially when organizations expose servers online without updated patches and proper defensive controls.

Immediate Recommendations for Administrators

✅ Short-Term Measures

🔍 Medium-Term Measures

• Apply official Microsoft patches as soon as they become available across all affected SharePoint versions.
• Rotate cryptographic keys and review access credentials, especially if server compromise is confirmed.
• Audit server logs and abnormal activity, isolate and investigate any suspicious behavior.

🛡️ Long-Term Hardening

• Restrict public exposure: SharePoint servers should ideally operate behind VPN or within Zero Trust/ZTNA environments.
• Use Web Application Firewalls (WAFs), such as FortiWeb, to help protect against deserialization and RCE vulnerabilities—used for past SharePoint flaws.The Washington PostFortinet Community
• Enforce least privilege: Minimize the number of Site Owners and administrator-level roles.
• Subscribe to threat intelligence alerts from Microsoft and cybersecurity agencies for preemptive updates.

Why This Matters So Much

• On‑prem SharePoint is still widely used across public sector agencies, educational institutions, corporations, and infrastructure organizations.
• Attackers gain access to internal documents, communication channels (e.g. Outlook, Teams), and may extract long-lived keys used for lateral movement—raising the bar for recovery after patching.Reddit+2Reddit+2Fortinet Community+2The Washington Post
• The breach underscores growing scrutiny around Microsoft’s ability to deliver timely, comprehensive patches—especially as cybersecurity response funding faces cutbacks.The Washington Post

🔚 Key Takeaways

1. CVE‑2025‑53770 is a critical SharePoint zero‑day actively exploited in the wild, affecting on-prem versions only. SharePoint Online is unaffected.
2. Immediate defenses—AMSI, Defender AV/Endpoint, offline isolation—are vital until patches are released.
3. Organizations must patch all affected versions, rotate keys, audit systems, and harden security posture.
4. Past SharePoint vulnerabilities highlight the need for proactive patch management and minimized exposure.

Conclusion

this vulnerability represents a serious threat to any organization still relying on on-prem SharePoint services. Acting now with interim protections and preparing for updates is essential to prevent further breaches.