Critical SharePoint Vulnerability CVE-2025-53770: How to Protect Your Organization

In recent days, a significant cybersecurity incident has emerged, targeting Microsoft SharePoint servers worldwide. This attack exploits a newly identified vulnerability, CVE-2025-53770, allowing unauthorized remote code execution on on-premises SharePoint servers. The breach has affected numerous organizations, including government agencies and businesses, prompting urgent responses from cybersecurity authorities and Microsoft.

The Vulnerability: CVE-2025-53770​

CVE-2025-53770 is a remote code execution (RCE) vulnerability in Microsoft SharePoint Server. It is a variant of the previously identified CVE-2025-49706, a spoofing vulnerability patched earlier this month. The flaw allows attackers to execute arbitrary code on affected servers without authentication, leading to potential data theft, system compromise, and further network infiltration. Notably, SharePoint Online, part of Microsoft 365, remains unaffected by this vulnerability.

Scope and Impact​

The exploitation of CVE-2025-53770 has been widespread. According to Eye Security, a Netherlands-based research firm, attackers have compromised over 50 organizations, including an energy firm in a large state and several European government agencies. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also acknowledged active exploitation of this vulnerability, emphasizing the risk to organizations globally.
The attacks have led to unauthorized access to sensitive data, password harvesting, and potential lateral movement within affected networks. In some instances, attackers have deployed "wiper" attacks, erasing critical data and disrupting services. Such attacks are particularly alarming due to their destructive nature and the challenges they pose for recovery.

Microsoft's Response​

Microsoft has acknowledged the vulnerability and is actively working on releasing a security update. In the interim, the company has provided guidance to mitigate the risk:

• Enable AMSI Integration: Administrators are advised to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Microsoft Defender Antivirus on all SharePoint servers. AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
• Disconnect Affected Servers: For organizations unable to implement AMSI, Microsoft recommends disconnecting vulnerable servers from the internet until a security update is available.

Additionally, Microsoft has released a security update for SharePoint Subscription Edition and is working on updates for the 2016 and 2019 versions. Organizations are urged to apply these updates promptly to mitigate the risk.

Broader Implications​

This incident underscores the persistent targeting of Microsoft products by cyber adversaries. In 2021, a series of cyberattacks exploited zero-day vulnerabilities in Microsoft Exchange Server, affecting thousands of organizations globally. The current SharePoint vulnerability highlights the ongoing challenges in securing widely used enterprise software and the importance of timely patching and robust security practices.

Recommendations for Organizations​

To mitigate the risks associated with CVE-2025-53770, organizations should:

• Apply Security Updates: Regularly monitor and apply security patches released by Microsoft for SharePoint Server.
• Implement AMSI and Defender Antivirus: Enable AMSI integration and deploy Microsoft Defender Antivirus on all SharePoint servers to detect and prevent exploitation attempts.
• Monitor Network Activity: Implement comprehensive logging and monitoring to detect unusual activities, such as unauthorized file uploads or execution of suspicious processes.
• Restrict Internet Exposure: Limit the exposure of SharePoint servers to the internet, especially if they cannot be promptly updated or secured.
• Conduct Regular Security Assessments: Perform periodic security assessments and penetration testing to identify and remediate vulnerabilities proactively.

Conclusion​

The exploitation of CVE-2025-53770 serves as a stark reminder of the evolving cyber threat landscape and the critical need for vigilance in cybersecurity practices. Organizations must prioritize the implementation of security updates, adhere to best practices, and maintain a proactive stance to safeguard their systems against such vulnerabilities.

---

Source: Newsmax https://www.newsmax.com/us/hack-microsoft-sharepoint/2025/07/20/id/1219381/

 

[ChatGPT]

A critical vulnerability in Microsoft SharePoint Server, identified as CVE-2025-53770, has been actively exploited by malicious actors to target government agencies and businesses worldwide. This zero-day flaw allows unauthorized access to on-premises SharePoint servers, enabling attackers to execute arbitrary code and access sensitive information.
Understanding CVE-2025-53770
CVE-2025-53770 is a remote code execution (RCE) vulnerability that affects on-premises installations of Microsoft SharePoint Server. The flaw permits unauthenticated attackers to gain full access to SharePoint content, including file systems and internal configurations, and to execute code over the network. This vulnerability is a variant of the previously identified CVE-2025-49706.
Scope and Impact
The exploitation of this vulnerability has been widespread, affecting various entities, including U.S. federal and state agencies, universities, and businesses. Reports indicate that the servers of at least two U.S. federal agencies were breached using this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the active exploitation of this flaw, emphasizing the significant risk it poses to organizations.
Microsoft's Response and Mitigation Measures
In response to the active attacks, Microsoft has released security updates for SharePoint Server Subscription Edition and SharePoint Server 2019 to mitigate the vulnerability. The company advises customers to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender Antivirus on all SharePoint servers. For organizations unable to implement these measures, Microsoft recommends disconnecting the affected servers from the internet until a security update is available.
Recommendations for Organizations
Organizations utilizing on-premises SharePoint Server installations should take the following actions:

• Apply Security Updates: Immediately install the security updates provided by Microsoft for SharePoint Server Subscription Edition and SharePoint Server 2019.
• Enable AMSI Integration: Configure AMSI integration in SharePoint to enhance security measures.
• Deploy Defender Antivirus: Ensure that Defender Antivirus is deployed on all SharePoint servers to detect and prevent exploitation attempts.
• Monitor for Indicators of Compromise: Implement comprehensive logging and monitoring to identify any signs of exploitation activity.
• Review CISA Guidance: Refer to CISA's advisory for detailed information on detection, prevention, and advanced threat hunting measures.

Conclusion
The active exploitation of CVE-2025-53770 underscores the critical importance of promptly addressing vulnerabilities in widely used software platforms. Organizations must remain vigilant, apply recommended security updates, and implement robust monitoring to safeguard against such threats.

---

Source: Forbes What To Know About Microsoft SharePoint Hack—Government Agencies And Businesses Targeted