Microsoft Releases Urgent Patch for SharePoint RCE Flaw Exploited in Ongoing Cyber Attacks

Microsoft on Sunday released security patches for an actively exploited security flaw in SharePoint and also released details of another vulnerability that it said has been addressed with “more robust protections.”

The tech giant acknowledged it’s “aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”

CVE-2025-53770 (CVSS score: 9.8), as the exploited vulnerability is tracked, concerns a case of remote code execution that arises due to the deserialization of untrusted data in on-premises versions of Microsoft SharePoint Server.

The newly disclosed shortcoming is a spoofing flaw in SharePoint (CVE-2025-53771, CVSS score: 6.3). An anonymous researcher has been credited with discovering and reporting the bug.

“Improper limitation of a pathname to a restricted directory (‘path traversal’) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network,” Microsoft said in an advisory released on July 20, 2025.

Microsoft also noted that CVE-2025-53770 and CVE-2025-53771 are related to two other SharePoint vulnerabilities documented by CVE-2025-49704 and CVE-2025-49706, which could be chained to achieve remote code execution. The exploit chain, referred to as ToolShell, was patched as part of the company’s July 2025 Patch Tuesday update.

“The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704,” the Windows maker said. “The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.”

It’s worth noting that Microsoft previously characterized CVE-2025-53770 as a variant of CVE-2025-49706. When reached for comment about this discrepancy, a Microsoft spokesperson told The Hacker News that “it is prioritizing getting updates out to customers while also correcting any content inaccuracies as necessary.”

The company also said that the current published content is correct and that the previous inconsistency does not impact the company’s guidance for customers.

Both the identified flaws apply to on-premises SharePoint Servers only, and do not impact SharePoint Online in Microsoft 365. The issues have been addressed in the versions below (for now) –

To mitigate potential attacks, customers are recommended to –

  • Use supported versions of on-premises SharePoint Server (SharePoint Server 2016, 2019, and SharePoint Subscription Edition)
  • Apply the latest security updates
  • Ensure the Antimalware Scan Interface (AMSI) is turned on and enable Full Mode for optimal protection, along with an appropriate antivirus solution such as Defender Antivirus
  • Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
  • Rotate SharePoint Server ASP.NET machine keys

“After applying the latest security updates above or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers,” Microsoft said. “If you cannot enable AMSI, you will need to rotate your keys after you install the new security update.”
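The key-rotation and IIS-restart steps above are what most administrators will have to script across a farm. The following PowerShell is an added example written for this article, not code from Microsoft or from the article; it assumes the SharePoint Management Shell is available on the server it runs from, that the SharePoint `Set-SPMachineKey` and `Update-SPMachineKey` cmdlets exist on the installed version (the script checks before using them), and that WinRM is reachable on every SharePoint server in the farm for the remote `iisreset`.

```powershell
# Added example (not from the article or Microsoft): rotate the ASP.NET machine
# keys of every web application in the farm, then restart IIS on every SharePoint
# server, in the order Microsoft's guidance requires (patch/AMSI first, then keys,
# then IIS restart). Run elevated in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: these cmdlets are present on this SharePoint version. Bail out with
# a clear message rather than silently skipping the rotation if they are not.
foreach ($cmd in 'Set-SPMachineKey', 'Update-SPMachineKey') {
    if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
        throw "$cmd is not available on this SharePoint build; rotate machine keys through Central Administration instead."
    }
}

# Central Administration has its own web application and its own keys, so include it.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($app in $webApps) {
    Write-Host "Rotating machine key for $($app.Url)"
    # Set-SPMachineKey generates new validation/decryption keys for the web
    # application; Update-SPMachineKey pushes the new keys into web.config on
    # each server that hosts it.
    Set-SPMachineKey -WebApplication $app
    Update-SPMachineKey -WebApplication $app
}

# Database servers appear in Get-SPServer with Role 'Invalid'; exclude them so
# iisreset only targets the servers that actually run SharePoint web roles.
$spServers = Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object -ExpandProperty Address

Write-Host "Restarting IIS on: $($spServers -join ', ')"
Invoke-Command -ComputerName $spServers -ScriptBlock { iisreset.exe }
```

Run it once, from a single server, after the July 2025 security update (or AMSI) is in place on the whole farm; rotating keys before the update is applied leaves the new keys exposed to the same flaw. Because the old keys are what the article's sources describe attackers stealing, the rotation should be treated as part of incident response rather than as an optional hardening step, and any existing sessions or forged ViewState tied to the old keys stop validating once IIS restarts.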

The development comes as Eye Security told The Hacker News that at least 54 organizations have been compromised, including banks, universities, and government entities. Active exploitation is said to have commenced around July 18, according to the company.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), for its part, added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 21, 2025.

Palo Alto Networks Unit 42, which is also tracking what it described as a “high-impact, ongoing threat campaign,” said government, schools, healthcare, including hospitals, and large enterprise companies are at immediate risk.

“Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access,” Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, told The Hacker News. “Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold.

“If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat. What makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform, including their services like Office, Teams, OneDrive and Outlook, which have all the information valuable to an attacker. A compromise doesn’t stay contained—it opens the door to the entire network.”

The cybersecurity vendor has also classified it as a high-severity, high-urgency threat, urging organizations running on-premises Microsoft SharePoint servers to apply the necessary patches with immediate effect, rotate all cryptographic material, and engage in incident response efforts.

“An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,” Sikorski added. “A false sense of security could result in prolonged exposure and widespread compromise.”

(This is a developing story. Please check back for more details.)
