Advisory: Critical SharePoint Server Vulnerability Actively Exploited

21st July 2025 | Advisory

Date Issued: July 19, 2025
Severity: Critical (CVSS 9.8)
Status: Unpatched
Impacted Product: Microsoft SharePoint Server (on-premises)


What’s Going On?

A critical vulnerability in Microsoft SharePoint Server is being actively exploited in a widespread cyberattack campaign. Tracked as CVE-2025-53770, this flaw allows hackers to take control of SharePoint servers remotely, without needing a password or login.

Even worse, there’s currently no patch available, making this a high-risk situation for any organization running on-premises SharePoint servers.


What’s at Risk?

Attackers are already using this vulnerability to:

  • Run malicious code remotely
  • Steal sensitive files and system settings
  • Move laterally across your network to attack other connected systems (like Teams, Outlook, or OneDrive)
  • Harvest cryptographic keys to impersonate users, even after the system is patched

Security experts warn that compromised servers must rotate all keys and secrets once Microsoft releases a fix.


Technical Details (Simplified)

  • CVE-2025-53770 is a remote code execution flaw caused by unsafe handling of untrusted data inside SharePoint.
  • It’s a more dangerous version of an earlier bug, CVE-2025-49706.
  • No user interaction is required: attackers can exploit it simply by being able to reach the server over the network.
  • It is being used in real-world attacks codenamed ToolShell, in which crafted SharePoint requests are combined with malicious PowerShell scripts to give the attacker full control of the system.


Not Affected:

SharePoint Online (Microsoft 365) is not affected by this vulnerability.


What Should You Do?

Until Microsoft releases a fix, take these urgent steps to protect your organization:

  1. Enable AMSI Integration
    • Antimalware Scan Interface (AMSI) helps detect and block malicious scripts.
    • (Enabled by default for SharePoint Server 2016/2019 and Subscription Edition as of Sept 2023.)
  2. Deploy Microsoft Defender Antivirus
    • Ensure real-time protection is running on all SharePoint servers.
  3. If AMSI Cannot Be Enabled:
    • Disconnect vulnerable servers from the internet to limit exposure.
  4. Watch for Suspicious Activity
    • Use Microsoft Defender for Endpoint to monitor for signs of compromise or lateral movement.
  5. Prepare for Key Rotation
    • If your server is compromised, rotate all cryptographic keys and secrets after patching.
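Why step 5 matters, and why the "What's at Risk?" section warns that harvested keys keep working after patching, is easiest to see with a small model. The example below is added here and is not code from the advisory or from Microsoft; it does not reproduce SharePoint's real token or key format. It assumes a hypothetical server that authenticates requests with an HMAC-SHA256 tag under a server-side secret, shows that a tag produced with a stolen copy of that secret is indistinguishable from a legitimate one until the key is rotated, and shows how keeping retired keys lets the server flag (not accept) requests that were signed with the old material. All keys and request bodies are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Hypothetical model (constructed for this example, not SharePoint's mechanism):
# the server accepts a request only if the caller presents a valid HMAC-SHA256
# tag over the request body under the server's secret key. Whoever holds the
# key can mint valid tags, so patching the code path alone does not help.


def sign(key: bytes, message: bytes) -> str:
    """Hex HMAC-SHA256 tag the server expects for `message` under `key`."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(sign(key, message), tag)


class KeyRing:
    """Server-side key material with a rotation history.

    `current` both signs and validates new requests. `retired` keys are kept
    only so that a request bearing a tag under an old key can be recognised
    and flagged; after an incident that is strong evidence of someone using
    harvested key material, and it is never accepted.
    """

    def __init__(self, key: bytes):
        self.current = key
        self.retired: list[bytes] = []

    def rotate(self) -> None:
        """Retire the current key and generate a fresh 256-bit one."""
        self.retired.append(self.current)
        self.current = secrets.token_bytes(32)

    def check(self, message: bytes, tag: str) -> str:
        """Return 'accept', 'reject-old-key' (investigate) or 'reject'."""
        if verify(self.current, message, tag):
            return "accept"
        for old in self.retired:
            if verify(old, message, tag):
                return "reject-old-key"
        return "reject"


def demo() -> dict:
    """Walk through the incident timeline with a constructed key and request."""
    ring = KeyRing(b"constructed-sample-key-0123456789ab")  # constructed, 32 bytes
    request = b"user=alice&action=read"

    # A tag minted with a harvested copy of the key is byte-for-byte what the
    # server itself would produce, so before rotation it is accepted.
    tag_under_harvested_key = sign(ring.current, request)
    results = {"before_rotation": ring.check(request, tag_under_harvested_key)}

    # Patch applied, then keys rotated (step 5). The same tag is now detected
    # as belonging to a retired key rather than silently accepted.
    ring.rotate()
    results["after_rotation_old_tag"] = ring.check(request, tag_under_harvested_key)

    # Legitimate callers re-sign under the new key and continue to work.
    results["after_rotation_new_tag"] = ring.check(request, sign(ring.current, request))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The `reject-old-key` outcome is the detection hook a practitioner wants after rotating: any request that validates only under a retired key is worth an alert, because a legitimate client would have picked up the new key. Rotation without such a check still stops the impersonation; keeping retired keys for verification only adds visibility into continued use of the stolen material.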


Additional Information

  • CVE-2025-53770 (CVSS 9.8) is related to CVE-2025-49706 and CVE-2025-49704 (CVSS 8.8)
  • Microsoft is working on a patch and will share updates via its Security Response Center.


Final Word:

This is a very serious, ongoing threat. Over 70 organizations, including major companies and government agencies, have already been breached. If your organization runs SharePoint Server on-prem, assume you are a target and take action now.

Do not wait for the patch. Protect your systems today.
