Advisory: Critical SharePoint Server Vulnerability Actively Exploited

21st July 2025 | Advisory

Date Issued: July 19, 2025
Severity: Critical (CVSS 9.8)
Status: Unpatched
Impacted Product: Microsoft SharePoint Server (on-premises)


What’s Going On?

A critical vulnerability in Microsoft SharePoint Server is being actively exploited in a widespread cyberattack campaign. Tracked as CVE-2025-53770, this flaw allows hackers to take control of SharePoint servers remotely, without needing a password or login.

Even worse, there’s currently no patch available, making this a high-risk situation for any organization running on-premises SharePoint servers.


What’s at Risk?

Attackers are already using this vulnerability to:

  • Run malicious code remotely
  • Steal sensitive files and system settings
  • Move laterally across your network to attack other connected systems (like Teams, Outlook, or OneDrive)
  • Harvest cryptographic keys to impersonate users, even after the system is patched

Security experts warn that organizations whose servers have been compromised must rotate all keys and secrets once Microsoft releases a fix, because stolen keys remain valid after patching.


Technical Details (Simplified)

  • CVE-2025-53770 is a remote code execution flaw caused by unsafe handling of untrusted data inside SharePoint.
  • It’s a more dangerous version of an earlier bug, CVE-2025-49706.
  • No user interaction is required; hackers can exploit it just by reaching the server over the network.
  • It is being used in real-world attacks codenamed ToolShell, where malicious PowerShell scripts plant fake SharePoint requests that trigger full control of the system.


Not Affected:

SharePoint Online (Microsoft 365) is not affected by this vulnerability.


What Should You Do?

Until Microsoft releases a fix, take these urgent steps to protect your organization:

  1. Enable AMSI Integration
    • Antimalware Scan Interface (AMSI) helps detect and block malicious scripts.
    • (Enabled by default for SharePoint Server 2016/2019 and Subscription Edition as of Sept 2023.)
  2. Deploy Microsoft Defender Antivirus
    • Ensure real-time protection is running on all SharePoint servers.
  3. If AMSI Cannot Be Enabled:
    • Disconnect vulnerable servers from the internet to limit exposure.
  4. Watch for Suspicious Activity
    • Use Microsoft Defender for Endpoint to monitor for signs of compromise or lateral movement.
  5. Prepare for Key Rotation
    • If your server is compromised, rotate all cryptographic keys and secrets after patching.
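The following script is an added example for the steps above; it is not part of this advisory and is not Microsoft's own tooling. It is a read-only readiness check meant to be run in an elevated SharePoint Management Shell (Windows PowerShell) on each on-premises SharePoint server: it confirms Defender real-time protection is on (step 2), confirms an AMSI provider is registered so that AMSI integration has something to hand scripts to (step 1), lists the web applications whose AMSI setting still has to be verified in Central Administration (step 1), and flags recently written server-side pages as a cheap compromise indicator (step 4). The `$layoutsPath` value is an assumed placeholder that must be replaced with the farm's actual LAYOUTS folder; the script does not change any setting.

```powershell
#Requires -RunAsAdministrator
# Added example: interim-mitigation readiness check for on-prem SharePoint.
# Read-only: it reports gaps, it does not enable or disable anything.

$findings = New-Object System.Collections.Generic.List[string]

# Step 2: Microsoft Defender Antivirus must be enabled with real-time protection.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender Antivirus is not enabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is OFF') }
    if ($mp.AntivirusSignatureAge -gt 1) {
        $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) day(s) old")
    }
} catch {
    $findings.Add("Get-MpComputerStatus failed (Defender module missing or service stopped): $($_.Exception.Message)")
}

# Step 1 (prerequisite): AMSI only blocks anything if at least one provider is registered.
$providerKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
$providers = @()
if (Test-Path $providerKey) {
    $providers = Get-ChildItem -Path $providerKey | ForEach-Object {
        $name = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        "$($_.PSChildName) $name".Trim()
    }
}
if ($providers.Count -eq 0) {
    $findings.Add("No AMSI providers registered under $providerKey")
} else {
    "AMSI providers registered: $($providers -join '; ')"
}

# Step 1: SharePoint's AMSI integration is set per web application. The SharePoint
# snap-in ships with the product; the toggle itself is verified in Central Administration,
# so this block only enumerates the web applications that need checking.
if (Get-PSSnapin -Registered -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
        "Verify AMSI integration is enabled for: $($_.DisplayName) <$($_.Url)>"
    }
} else {
    $findings.Add('SharePoint PowerShell snap-in not registered; run this on a SharePoint server')
}

# Step 4: server-side pages written in the last two weeks under the layouts folder are
# worth a look, since a server that has been taken over is often left with new ones.
# ASSUMED placeholder path: replace with the farm's real LAYOUTS directory.
$layoutsPath = 'C:\PLACEHOLDER\LAYOUTS'
$since = (Get-Date).AddDays(-14)
if (Test-Path $layoutsPath) {
    Get-ChildItem -Path $layoutsPath -Recurse -File -Include *.aspx, *.ashx, *.asmx |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object { $findings.Add("Recently written server page: $($_.FullName) ($($_.LastWriteTime))") }
} else {
    $findings.Add("Layouts path '$layoutsPath' not found; set `$layoutsPath before relying on the page check")
}

# Report. Any finding means a mitigation step above is still open on this server.
if ($findings.Count -eq 0) {
    'No gaps found; keep monitoring and apply the Microsoft fix as soon as it ships.'
} else {
    'Findings:'
    $findings | ForEach-Object { " - $_" }
}
```

Run it on every SharePoint server in the farm, not just the one hosting Central Administration, since each server has its own Defender state and AMSI provider registration. Step 5 (key rotation) is deliberately not scripted here: it is a change, not a check, and belongs after the fix is installed.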


Additional Information

  • CVE-2025-53770 (CVSS 9.8) is related to CVE-2025-49706 and CVE-2025-49704 (CVSS 8.8)
  • Microsoft is working on a patch and will share updates via its Security Response Center.


Final Word:

This is a very serious, ongoing threat. Over 70 organizations, including major companies and government agencies, have already been breached. If your organization runs SharePoint Server on-prem, assume you are a target and take action now.

Do not wait for the patch. Protect your systems today.
