Critical Zero-Day Vulnerability Exploited in Microsoft SharePoint Servers: Urgent Measures Advised

A zero-day vulnerability, tracked as CVE-2025-53770, has been discovered in on-premises Microsoft SharePoint Server and allows unauthenticated remote code execution. Microsoft confirmed it after attackers began exploiting it in the wild; the company describes it as a variant of CVE-2025-49706, a flaw that had already been patched in the July 2025 security updates.

CVE-2025-53770 is being actively used to plant backdoor ASPX files on vulnerable on-premises SharePoint servers, steal the server's ASP.NET MachineKey secrets and take over the machine completely. At the time of the initial disclosure no patch was available, but Microsoft published mitigations to reduce the risk.

Urgent Mitigation Steps

To reduce exposure, Microsoft advises enabling Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Microsoft Defender Antivirus on every SharePoint server. AMSI integration has been enabled by default since the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition, so farms that never received those updates, or where it was later switched off, must enable it explicitly. This blocks the known exploit pattern; it is a mitigation, not a substitute for the security update.

If AMSI cannot be enabled, the SharePoint server should be disconnected from the internet until it is patched, and Microsoft Defender for Endpoint deployed to detect and block post-exploitation activity.

About CVE-2025-53770

The flaw is a deserialization of untrusted data in SharePoint that an unauthenticated attacker can trigger over the network, without any user interaction, to execute code on the server. It affects only on-premises deployments:

– Microsoft SharePoint Server 2019
– Microsoft SharePoint Enterprise Server 2016
– Microsoft SharePoint Server Subscription Edition

SharePoint Online in Microsoft 365 is not affected.

Exploitation in the Wild

Eye Security, a Dutch security firm, reported active exploitation since at least July 18. Its investigation found a file named `spinstall0.aspx` planted on compromised servers. It is not a conventional web shell with an interactive command interface: a single plain request to it returns the server's cryptographic secrets.

The file calls internal .NET methods to read the server's MachineKey configuration, including the ValidationKey and DecryptionKey. The validation key is what lets the server distinguish its own serialized state (such as `__VIEWSTATE`) from client-supplied data; an attacker who holds it can sign arbitrary payloads that the server accepts as genuine, turning ordinary authenticated requests into remote code execution even after the original entry point is closed.

Eye Security identified numerous compromised servers and began notifying national CERTs and affected organizations across Europe. The Dutch Institute for Vulnerability Disclosure has also identified additional victims.

Recommended Actions

Organizations running on-premises SharePoint should examine web server and application logs for indicators of compromise, particularly if AMSI integration and Defender AV were only enabled after exploitation began on July 18, since an attacker may already have been inside before the mitigations took effect. Eye Security and Palo Alto Networks have published lists of Indicators of Compromise (IoCs).
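The log review described above, as an added example that is not Eye Security's, Palo Alto's or Microsoft's tooling: a small triage script over IIS W3C logs that flags requests to the `spinstall0.aspx` page named in this article and the unauthenticated `ToolPane.aspx` POST pattern reported publicly for this campaign. The log lines are constructed for the example; the `ToolPane`/`SignOut.aspx` pattern and the loose `spinstall*.aspx` match are assumptions taken from vendor reporting at the time and should be refreshed from the current IoC lists before use.

```python
"""IIS W3C log triage for ToolShell / CVE-2025-53770 indicators.

Added example (not vendor code). Indicators modelled:
  1. any request to a spinstall*.aspx page (the key-theft page named in the
     article; the wildcard is an assumption so renamed copies also surface);
  2. POST to /_layouts/15|16/ToolPane.aspx with DisplayMode=Edit and a Referer
     of /_layouts/SignOut.aspx (the auth-bypass pattern from public reporting).
"""
import re
from typing import Dict, Iterator, List, Optional

# Constructed sample log: one benign page load, the bypass POST, the key-theft
# GET, and an authenticated ToolPane GET that must NOT be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 14:01:05 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 https://sp.contoso.local/ 200
2025-07-18 14:03:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-18 14:03:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 14:05:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.1.21 Mozilla/5.0 https://sp.contoso.local/sites/hr/ 200
"""

SPINSTALL = re.compile(r"/spinstall\w*\.aspx$", re.IGNORECASE)
TOOLPANE = re.compile(r"/_layouts/1[56]/ToolPane\.aspx$", re.IGNORECASE)


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header.
    IIS encodes spaces inside a field as '+', so whitespace splitting is safe."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than abort triage
        yield dict(zip(fields, values))


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the record matches an indicator, else None."""
    stem = rec.get("cs-uri-stem", "")
    if SPINSTALL.search(stem):
        return "request to spinstall*.aspx (key-theft page)"
    if (
        rec.get("cs-method") == "POST"
        and TOOLPANE.search(stem)
        and "displaymode=edit" in rec.get("cs-uri-query", "").lower()
        and rec.get("cs(Referer)", "").lower().endswith("/_layouts/signout.aspx")
    ):
        return "POST to ToolPane.aspx DisplayMode=Edit with SignOut.aspx referer (auth-bypass pattern)"
    return None


def triage(text: str) -> List[Dict[str, str]]:
    """Run every record through classify() and collect the hits in log order."""
    hits = []
    for rec in parse_w3c(text):
        reason = classify(rec)
        if reason:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec.get("c-ip", "?"),
                "stem": rec["cs-uri-stem"],
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['time']}  {hit['client']:<15} {hit['stem']}  <- {hit['reason']}")
```

Run it over a real log with `triage(open(path).read())`; a hit from an external client address on either pattern, especially a `ToolPane.aspx` POST followed seconds later by a `spinstall*.aspx` GET from the same address, is the sequence to escalate. The authenticated `GET` to `ToolPane.aspx` in the sample is deliberately left unflagged: editing a web part page is normal SharePoint activity and only the unauthenticated POST with the sign-out referer is anomalous.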

If evidence of compromise is found, isolate or shut down the affected servers and renew every credential and secret the malicious ASPX could have exposed, in particular the ASP.NET machine keys; Microsoft's guidance is to rotate them and then restart IIS on every server in the farm. This matters because patching alone does not invalidate stolen keys: as long as they remain in use, an attacker who holds them can keep forging signed payloads and impersonating users or services.
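Why the stolen MachineKey outlives the patch, as an added example serving both the description of `spinstall0.aspx` above and the key-rotation advice here (this is illustrative code, not SharePoint's or Eye Security's). The server is reduced to a toy model: a pre-patch path that lets an unauthenticated caller plant a file, a validation key, and an HMAC-SHA256 check standing in for the ViewState MAC. The class and method names, the payloads and the use of SHA-256 are assumptions made for the example; the point it demonstrates is that closing the upload path leaves forged state valid until the key itself is rotated.

```python
"""Toy model: leaked validation key vs. patch vs. key rotation (added example)."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MAC_LEN = 32  # HMAC-SHA256 tag length


class SharePointModel:
    """Only the pieces the argument needs: an exploitable file-drop path that the
    patch closes, a validation key, and MAC verification of client-supplied state."""

    def __init__(self) -> None:
        self.validation_key = secrets.token_bytes(64)  # stands in for ValidationKey
        self.patched = False
        self.planted_files: set = set()

    def exploit_plant_file(self, name: str) -> bool:
        """Pre-patch bug: an unauthenticated caller can drop an ASPX file."""
        if self.patched:
            return False
        self.planted_files.add(name)
        return True

    def leak_validation_key(self) -> Optional[bytes]:
        """What the planted page does: return the MachineKey on a plain GET."""
        if "spinstall0.aspx" not in self.planted_files:
            return None
        return self.validation_key

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self.validation_key, payload, hashlib.sha256).digest()

    def sign_state(self, payload: bytes) -> str:
        """Server-side: emit MAC-protected state (the legitimate path)."""
        return base64.b64encode(payload + self._mac(payload)).decode()

    def accepts_state(self, token: str) -> bool:
        """Server-side: only MAC-valid state reaches the deserializer."""
        raw = base64.b64decode(token)
        if len(raw) <= MAC_LEN:
            return False
        payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
        return hmac.compare_digest(tag, self._mac(payload))

    def apply_patch(self) -> None:
        self.patched = True  # closes the drop path, touches no keys

    def rotate_machine_key(self) -> None:
        self.validation_key = secrets.token_bytes(64)


def forge_state(stolen_key: bytes, payload: bytes) -> str:
    """Attacker-side: with the key in hand, signing is identical to the server's."""
    tag = hmac.new(stolen_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def run_scenario() -> Dict[str, bool]:
    srv = SharePointModel()
    if not srv.exploit_plant_file("spinstall0.aspx"):
        raise RuntimeError("model error: server should be unpatched here")
    stolen = srv.leak_validation_key()
    forged = forge_state(stolen, b"attacker-chosen serialized state")

    result = {"forged_accepted_before_patch": srv.accepts_state(forged)}
    srv.apply_patch()
    result["attacker_can_replant_after_patch"] = srv.exploit_plant_file("spinstall1.aspx")
    result["forged_accepted_after_patch"] = srv.accepts_state(forged)  # still True
    srv.rotate_machine_key()
    result["forged_accepted_after_rotation"] = srv.accepts_state(forged)  # now False
    result["legitimate_state_after_rotation"] = srv.accepts_state(srv.sign_state(b"ok"))
    return result


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step:<36} {outcome}")
```

The sequence mirrors the response plan: the patch stops new `spinstall` drops, but `forged_accepted_after_patch` stays true because the MAC check has no way to tell the attacker's signature from its own. Only `rotate_machine_key()` flips it to false, while state the server signs afterwards still verifies, which is why key rotation (and the IIS restart that makes every process pick up the new key) belongs in the checklist alongside the update.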

Organizations may need to engage external incident response experts to thoroughly investigate and contain the breach, especially as attackers can maintain persistence through backdoors or modified components.

Governmental Response

CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, requiring all US federal civilian executive branch agencies to identify affected systems and apply mitigations by July 21.

Microsoft Update

On July 21, Microsoft released security updates for SharePoint Server Subscription Edition and SharePoint Server 2019 that address CVE-2025-53770 and the related CVE-2025-53771. According to Microsoft, these updates provide more robust protections than the July updates they supersede; CVE-2025-53771 had not been observed under active exploitation. An update for SharePoint Server 2016 was still pending at that point.

Microsoft has updated its customer guidance documentation with further information and advice.


Note: This article is inspired by content from https://www.helpnetsecurity.com/2025/07/20/microsoft-sharepoint-servers-under-attack-via-zero-day-vulnerability-with-no-patch-cve-2025-53770/. It has been rephrased for originality. Images are credited to the original source.