A critical zero-day vulnerability, designated CVE-2025-53770, has been identified in Microsoft's on-premises SharePoint Server software, leading to active exploitation by cyber attackers. This flaw allows unauthenticated remote code execution, posing significant risks to organizations worldwide.
Scope and Impact
The vulnerability affects on-premises versions of Microsoft SharePoint Server 2016, 2019, and the SharePoint Server Subscription Edition. Notably, SharePoint Online, part of Microsoft 365, remains unaffected. Exploitation of this vulnerability enables attackers to execute arbitrary code, potentially leading to data theft, system compromise, and further network infiltration. Reports indicate that approximately 100 organizations globally have been compromised, with victims spanning government agencies, educational institutions, healthcare providers, and large enterprises. (reuters.com)
Technical Details
CVE-2025-53770 is a variant of the previously identified CVE-2025-49706. The exploit involves deserialization of untrusted data, allowing attackers to execute code over a network without authentication. The attack, dubbed "ToolShell," has been observed installing web shells and exfiltrating cryptographic secrets from victim servers, facilitating persistent unauthorized access. (msrc.microsoft.com)
Mitigation Measures
As of now, Microsoft has not released a patch for CVE-2025-53770. Organizations are advised to implement the following mitigations:
- Enable AMSI Integration: Configure the Antimalware Scan Interface (AMSI) in SharePoint Server to detect and block malicious activity.
- Deploy Defender Antivirus: Install and update Microsoft Defender Antivirus on all SharePoint servers to provide real-time protection.
- Disconnect Affected Servers: If enabling AMSI is not feasible, consider disconnecting the server from the internet until a security update is available.
- Implement Defender for Endpoint: Deploy Microsoft Defender for Endpoint to detect and block post-exploit activities.
spinstall0.aspx in SharePoint directories. (msrc.microsoft.com)Global Response
The UK's National Cyber Security Centre (NCSC) has detected a limited number of UK-based victims and is actively monitoring the situation. Similarly, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts and is collaborating with Microsoft and other partners to address the threat. (reuters.com, cisa.gov)
Recommendations
Organizations utilizing on-premises SharePoint Server should take immediate action to implement the recommended mitigations. Continuous monitoring for unusual activities and prompt incident response are crucial to mitigate potential damages. Staying informed through official channels and applying security updates as they become available will further enhance protection against this evolving threat.
In summary, the exploitation of CVE-2025-53770 underscores the critical importance of proactive cybersecurity measures. Organizations must remain vigilant, implement recommended mitigations, and stay updated on developments to safeguard their systems against such sophisticated attacks.
Source: The Mighty 790 KFGO Britain’s NCSC detects ‘limited number’ of UK victims in Microsoft hack campaign
