Microsoft has recently issued a critical security alert concerning active cyberattacks targeting on-premises SharePoint Server installations. These attacks exploit previously unknown vulnerabilities, allowing unauthorized access and posing significant risks to data integrity and system security.
The primary vulnerability, identified as CVE-2025-53770, is a critical remote code execution flaw resulting from the deserialization of untrusted data in on-premises versions of Microsoft SharePoint Server. This flaw enables unauthenticated attackers to execute arbitrary code over a network, potentially leading to full system compromise. The vulnerability has been actively exploited since at least July 18, 2025, affecting numerous organizations globally, including government agencies, educational institutions, and energy companies. (helpnetsecurity.com)
Additionally, Microsoft emphasizes the importance of rotating SharePoint server ASP.NET machine keys and restarting IIS on all SharePoint servers after applying the latest security updates or enabling AMSI. This step is crucial to invalidate any potentially compromised cryptographic keys and prevent unauthorized access. (msrc.microsoft.com)
Cybersecurity experts caution that patching alone may not be sufficient, as attackers may have already established persistent access through backdoors or stolen cryptographic keys. Organizations are advised to conduct thorough incident response activities, including isolating compromised servers, renewing all exposed credentials and secrets, and engaging cybersecurity professionals to assess and mitigate potential breaches. (time.com)
Source: AInvest Microsoft alerts firms to server-software attack - WSJ
Overview of the Vulnerability
The primary vulnerability, identified as CVE-2025-53770, is a critical remote code execution flaw resulting from the deserialization of untrusted data in on-premises versions of Microsoft SharePoint Server. This flaw enables unauthenticated attackers to execute arbitrary code over a network, potentially leading to full system compromise. The vulnerability has been actively exploited since at least July 18, 2025, affecting numerous organizations globally, including government agencies, educational institutions, and energy companies. (helpnetsecurity.com)Scope of the Attack
The attacks primarily target on-premises SharePoint Server versions, including SharePoint Server 2016, 2019, and the Subscription Edition. Notably, SharePoint Online, part of Microsoft 365, remains unaffected. The exploitation campaign, dubbed "ToolShell," has compromised approximately 100 organizations, with victims spanning the United States, Germany, and other countries. The attackers have leveraged this vulnerability to gain unauthorized access, exfiltrate sensitive data, and establish persistent backdoors within affected systems. (reuters.com)Microsoft's Response and Recommendations
In response to these active exploits, Microsoft has released emergency security updates to address the vulnerabilities. The company strongly advises all organizations using on-premises SharePoint Server to apply these updates immediately. For systems where immediate patching is not feasible, Microsoft recommends enabling the Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender Antivirus on all SharePoint servers. If enabling AMSI is not an option, disconnecting the server from the internet is advised until a security update is available. (msrc.microsoft.com)Additionally, Microsoft emphasizes the importance of rotating SharePoint server ASP.NET machine keys and restarting IIS on all SharePoint servers after applying the latest security updates or enabling AMSI. This step is crucial to invalidate any potentially compromised cryptographic keys and prevent unauthorized access. (msrc.microsoft.com)
Broader Implications and Industry Response
The rapid exploitation of this vulnerability underscores the evolving nature of cyber threats and the necessity for organizations to maintain robust security postures. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply the necessary patches by July 21, 2025. This directive highlights the severity of the threat and the need for immediate action. (cisa.gov)Cybersecurity experts caution that patching alone may not be sufficient, as attackers may have already established persistent access through backdoors or stolen cryptographic keys. Organizations are advised to conduct thorough incident response activities, including isolating compromised servers, renewing all exposed credentials and secrets, and engaging cybersecurity professionals to assess and mitigate potential breaches. (time.com)
Conclusion
The recent attacks on Microsoft SharePoint Server highlight the critical importance of proactive cybersecurity measures and timely response to emerging threats. Organizations utilizing on-premises SharePoint installations must prioritize the application of security updates, implement recommended mitigations, and remain vigilant against potential exploits. As cyber threats continue to evolve, maintaining a comprehensive and adaptive security strategy is essential to safeguard sensitive data and ensure system integrity.Source: AInvest Microsoft alerts firms to server-software attack - WSJ
