Advisory: Critical SharePoint Server Vulnerability Actively Exploited

21st July 2025 | Advisory

Date Issued: July 19, 2025
Severity: Critical (CVSS 9.8)
Status: Unpatched
Impacted Product: Microsoft SharePoint Server (on-premises)


What’s Going On?

A critical vulnerability in Microsoft SharePoint Server is being actively exploited in a widespread cyberattack campaign. Tracked as CVE-2025-53770, this flaw allows hackers to take control of SharePoint servers remotely, without needing a password or login.

Even worse, there’s currently no patch available, making this a high-risk situation for any organization running on-premises SharePoint servers.


What’s at Risk?

Attackers are already using this vulnerability to:

  • Run malicious code remotely
  • Steal sensitive files and system settings
  • Move laterally across your network to attack other connected systems (like Teams, Outlook, or OneDrive)
  • Harvest cryptographic keys, so they can keep impersonating users even after the system is patched

Security experts warn that compromised servers must rotate all keys and secrets once Microsoft releases a fix.


Technical Details (Simplified)

  • CVE-2025-53770 is a remote code execution flaw caused by unsafe handling of untrusted data inside SharePoint.
  • It’s a more dangerous version of an earlier bug, CVE-2025-49706.
  • No user interaction is required; hackers can exploit it simply by reaching the server over the network.
  • It is being used in real-world attacks codenamed ToolShell, in which malicious PowerShell scripts send crafted SharePoint requests that give the attacker full control of the system.


Not Affected:

SharePoint Online (Microsoft 365) is not affected by this vulnerability.


What Should You Do?

Until Microsoft releases a fix, take these urgent steps to protect your organization:

  1. Enable AMSI Integration
    • Antimalware Scan Interface (AMSI) helps detect and block malicious scripts.
    • (Enabled by default for SharePoint Server 2016/2019 and Subscription Edition as of Sept 2023.)
  2. Deploy Microsoft Defender Antivirus
    • Ensure real-time protection is running on all SharePoint servers.
  3. If AMSI Cannot Be Enabled:
    • Disconnect vulnerable servers from the internet to limit exposure.
  4. Watch for Suspicious Activity
    • Use Microsoft Defender for Endpoint to monitor for signs of compromise or lateral movement.
  5. Prepare for Key Rotation
    • If your server is compromised, rotate all cryptographic keys and secrets after patching.
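As an added example (not part of the advisory or of Microsoft's guidance), the following PowerShell check reports the posture of one on-premises SharePoint server against steps 1 to 4 above, flagging a web application that is reachable from the Internet zone but has no AMSI integration as the worst case. It assumes the AMSI switch is stored in the web application property bag under the key named at the top; that key name is an assumption and should be confirmed against the AMSI documentation for your SharePoint version.

```powershell
# Added example, not from the advisory: posture check for steps 1-4 on one server.
# Run in an elevated SharePoint Management Shell on each on-premises SharePoint server.
# ASSUMPTION: the per-web-application AMSI switch is read from the property bag key
# named below; confirm the key name against the AMSI documentation for your version.
$AmsiPropertyKey = 'AMSIEnabled'

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# Steps 1 and 3: AMSI per web application, correlated with Internet-zone exposure.
# No AMSI on a web application with an Internet-zone URL is the case step 3 addresses.
foreach ($webApp in Get-SPWebApplication) {
    $amsi = $webApp.Properties[$AmsiPropertyKey]
    $internetUrls = @(Get-SPAlternateURL -WebApplication $webApp -Zone Internet -ErrorAction SilentlyContinue |
        ForEach-Object { $_.IncomingUrl })
    $exposed = $internetUrls.Count -gt 0
    $status = if ($amsi -eq $true) { 'OK' } elseif ($exposed) { 'CRITICAL' } else { 'REVIEW' }
    $amsiText = if ($null -eq $amsi) { 'unset' } else { "$amsi" }
    Add-Finding "AMSI: $($webApp.Url)" $status `
        "amsi=$amsiText; internet-zone URLs: $(if ($exposed) { $internetUrls -join ', ' } else { 'none' })"
}

# Step 2: Defender Antivirus real-time protection must be on, with current signatures.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $rtp = $mp.RealTimeProtectionEnabled -and $mp.AMServiceEnabled
    $sigAge = $mp.AntivirusSignatureAge   # days since the last signature update
    Add-Finding 'Defender real-time protection' $(if ($rtp -and $sigAge -le 1) { 'OK' } else { 'FAIL' }) `
        "realtime=$rtp; signatures $sigAge day(s) old"
} else {
    Add-Finding 'Defender real-time protection' 'FAIL' 'Defender cmdlets unavailable (not installed?)'
}

# Step 4: the Defender for Endpoint sensor service ('Sense') should be running.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
Add-Finding 'Defender for Endpoint sensor' $(if ($sense -and $sense.Status -eq 'Running') { 'OK' } else { 'FAIL' }) `
    $(if ($sense) { "service state: $($sense.Status)" } else { 'Sense service not present' })

# CRITICAL rows come first so the servers that must be disconnected stand out.
$findings | Sort-Object Status | Format-Table -AutoSize
```

Any row marked CRITICAL is a server that, per step 3, should be taken off the internet until AMSI can be enabled or a patch is applied.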


Additional Information

  • CVE-2025-53770 (CVSS 9.8) is related to CVE-2025-49706 and CVE-2025-49704 (CVSS 8.8).
  • Microsoft is working on a patch and will share updates via its Security Response Center.


Final Word:

This is a very serious, ongoing threat. Over 70 organizations, including major companies and government agencies, have already been breached. If your organization runs SharePoint Server on-prem, assume you are a target and take action now.

Do not wait for the patch. Protect your systems today.


Sources and Additional Reading:
