Microsoft has recently issued an urgent alert regarding active cyberattacks targeting on-premises SharePoint servers, a critical component used by numerous government agencies and businesses for internal document management and collaboration. These attacks exploit a previously unknown "zero-day" vulnerability, now identified as CVE-2025-53770, allowing unauthorized remote code execution on affected servers. (msrc.microsoft.com)
Understanding the Vulnerability
CVE-2025-53770 arises from the deserialization of untrusted data within on-premises versions of Microsoft SharePoint Server. This flaw enables unauthenticated attackers to execute arbitrary code over a network, potentially leading to full system compromise. The vulnerability affects multiple versions of SharePoint Server, including:
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server Subscription Edition
Scope and Impact
The exploitation of this vulnerability has been widespread, with reports indicating that approximately 100 organizations have been compromised. Victims span various sectors, including government agencies, educational institutions, healthcare organizations, and large enterprises. The attacks have been observed globally, with significant impacts in the United States and Germany. (reuters.com)
Security researchers have identified that the attackers employ consistent methods and payloads across different targets, suggesting a coordinated campaign likely orchestrated by a single actor. Some reports attribute the attacks to a China-linked hacking group, though definitive attribution remains under investigation. (axios.com)
Microsoft's Response and Recommendations
In response to these active exploits, Microsoft has released emergency security updates to address the vulnerabilities. Patches have been issued for SharePoint Server Subscription Edition and SharePoint Server 2019. Updates for SharePoint Server 2016 are currently in development. (msrc.microsoft.com)
Microsoft strongly advises organizations to:
- Apply Security Updates Promptly: Install the latest patches to mitigate the vulnerability.
- Enable Antimalware Scan Interface (AMSI) Integration: Configure AMSI in SharePoint and deploy Defender Antivirus on all SharePoint servers to prevent exploitation.
- Deploy Defender for Endpoint: Utilize this tool to detect and block post-exploit activities.
- Rotate Cryptographic Keys: After applying updates, rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers to invalidate any compromised keys. (msrc.microsoft.com)
Broader Implications and Industry Response
The rapid exploitation of CVE-2025-53770 underscores the critical importance of timely vulnerability management and the challenges posed by zero-day exploits. Cybersecurity experts emphasize that patching alone may not be sufficient. Organizations are urged to adopt a comprehensive security posture, including:
- Assume Breach Mentality: Operate under the assumption that systems may already be compromised and take proactive measures accordingly.
- Implement Zero-Trust Security Models: Restrict access based on strict verification processes, minimizing the risk of unauthorized access.
- Enhance Monitoring and Incident Response: Deploy advanced monitoring tools to detect anomalous activities and establish robust incident response protocols.
Conclusion
The exploitation of the CVE-2025-53770 vulnerability in Microsoft SharePoint servers serves as a stark reminder of the evolving cyber threat landscape. Organizations must remain vigilant, promptly apply security updates, and adopt comprehensive security strategies to safeguard their systems against such sophisticated attacks.
Source: Khaleej Times Microsoft alerts businesses, governments of server software attack
