
Microsoft has recently issued an urgent alert regarding active cyberattacks targeting on-premises SharePoint servers, a critical platform for document sharing and collaboration within organizations. These attacks exploit a previously unknown "zero-day" vulnerability, designated as CVE-2025-53770, which allows unauthorized attackers to execute arbitrary code remotely. The severity of this flaw is underscored by its high Common Vulnerability Scoring System (CVSS) score of 9.8, indicating a critical risk level.
Scope and Impact
The vulnerability specifically affects on-premises versions of SharePoint Server, including:
- Microsoft SharePoint Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
The exploitation of this flaw has been observed in attacks targeting a diverse range of entities, including U.S. federal and state agencies, universities, energy companies, and international organizations. Reports indicate that tens of thousands of servers are potentially at risk, highlighting the widespread nature of the threat.
Technical Details
CVE-2025-53770 is a variant of a previously identified vulnerability, CVE-2025-49706. The flaw arises from the deserialization of untrusted data within SharePoint Server, enabling unauthenticated remote code execution without user interaction. This means that attackers can execute arbitrary commands on the affected servers, potentially leading to data theft, system compromise, and further network infiltration.
Mitigation Measures
In response to the active exploitation of this vulnerability, Microsoft has provided several recommendations to mitigate the risk:
- Enable AMSI Integration: Configure the Antimalware Scan Interface (AMSI) integration in SharePoint. AMSI provides real-time scanning and blocking of malicious scripts and payloads.
- Deploy Defender Antivirus: Ensure that Microsoft Defender Antivirus is deployed on all SharePoint servers to detect and prevent malicious activities.
- Disconnect from the Internet: If enabling AMSI is not feasible, consider disconnecting the SharePoint server from the internet until a security update is available.
- Implement Defender for Endpoint: Deploy Microsoft Defender for Endpoint to detect and block post-exploitation activities, providing an additional layer of security.
Detection and Response
Organizations should be vigilant for indicators of compromise associated with this vulnerability. Microsoft Defender Antivirus provides detection and protection under the following detection names:
- Exploit:Script/SuspSignoutReq.A
- Trojan:Win32/HijackSharePointServer.A
- Possible web shell installation
- Possible exploitation of SharePoint server vulnerabilities
- Suspicious IIS worker process behavior
- 'SuspSignoutReq' malware was blocked on a SharePoint server
- 'HijackSharePointServer' malware was blocked on a SharePoint server
Broader Implications
This incident underscores the persistent and evolving nature of cyber threats targeting critical infrastructure. The exploitation of zero-day vulnerabilities in widely used platforms like SharePoint highlights the importance of proactive security measures, timely patching, and continuous monitoring.
The involvement of entities such as the FBI, CISA, and international cybersecurity agencies in investigating and mitigating this threat reflects the global significance and potential impact of such vulnerabilities.
Conclusion
Organizations utilizing on-premises SharePoint servers must act swiftly to implement the recommended mitigations and monitor for signs of compromise. Staying informed through official channels and applying security updates as they become available are crucial steps in safeguarding against this and future threats.
Source: GMA Network Microsoft alerts businesses, governments to server software attack