The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical zero-day vulnerability in Microsoft SharePoint Server, identified as CVE-2025-53770. This flaw is currently being actively exploited by malicious actors, posing a significant threat to organizations utilizing on-premises SharePoint installations.
Understanding CVE-2025-53770
CVE-2025-53770 is a remote code execution (RCE) vulnerability stemming from the deserialization of untrusted data within Microsoft SharePoint Server. This security weakness allows unauthenticated attackers to execute arbitrary code over a network, potentially leading to full system compromise. The vulnerability affects the following on-premises versions of SharePoint Server:
– Microsoft SharePoint Server Subscription Edition
– Microsoft SharePoint Server 2019
– Microsoft SharePoint Server 2016
Notably, SharePoint Online, as part of Microsoft 365, is not impacted by this vulnerability.
Active Exploitation and Immediate Risks
The zero-day nature of CVE-2025-53770 means that attackers have been exploiting this flaw before any official patches or comprehensive mitigations were available. Organizations with internet-facing SharePoint servers are particularly vulnerable, as these systems can be directly targeted without requiring initial network compromise.
Security researchers have observed that attackers are using this vulnerability to deploy malicious payloads, such as the spinstall0.aspx file, which extracts cryptographic machine keys from SharePoint servers. With these keys, attackers can forge valid ViewState tokens, maintaining persistent access even after servers are patched. This method allows for the execution of arbitrary commands as trusted users, effectively granting full control over the compromised systems.
Eye Security’s scans have revealed that at least dozens of systems have been compromised out of more than 8,000 servers worldwide. Victims span various sectors, including government agencies, telecommunications firms, financial institutions, universities, and energy providers. The attacks are believed to have commenced on July 18, 2025.
CISA’s Response and Recommendations
In response to the active exploitation, CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on July 20, 2025, with a remediation deadline of July 21, 2025. This swift action underscores the severity of the threat and the need for immediate mitigation.
CISA recommends the following actions to reduce the risks associated with this RCE vulnerability:
1. Enable AMSI Integration and Deploy Defender Antivirus: Organizations should configure the Anti-Malware Scan Interface (AMSI) integration within SharePoint environments and deploy Microsoft Defender Antivirus on all SharePoint servers. AMSI integration allows SharePoint to work with antivirus solutions like Microsoft Defender to scan and block malicious scripts and payloads in real-time before they’re executed.
2. Disconnect Vulnerable Servers from the Internet: If enabling AMSI is not an option, organizations should immediately disconnect affected public-facing SharePoint servers from internet access until official mitigations are available. This measure helps prevent unauthorized access and potential exploitation.
3. Monitor for Indicators of Compromise (IoCs): Organizations should actively monitor their SharePoint servers for known IoCs associated with this vulnerability. This includes checking for the presence of malicious ASPX files like spinstall0.aspx and unauthorized access to cryptographic machine keys.
4. Rotate Security Keys and Credentials: In the event of a compromise, it’s crucial to rotate all security keys and credentials that could have been exposed. This action invalidates any tokens or access methods that attackers might have established, effectively cutting off their access.
5. Engage Incident Response Services: Given the complexity and potential impact of this vulnerability, organizations are advised to consult expert incident response services if there’s any suspicion of compromise. Professional assistance can help in thoroughly investigating and containing the breach.
Broader Implications and Industry Response
The exploitation of CVE-2025-53770 highlights the persistent threats facing organizations relying on on-premises infrastructure. The ability of attackers to gain unauthorized access and maintain persistence underscores the importance of proactive security measures and timely patching.
Microsoft has acknowledged the vulnerability and is working on developing patches for the affected SharePoint Server versions. In the interim, the company has provided guidance on enabling AMSI integration and deploying Defender Antivirus as immediate mitigations.
The Federal Bureau of Investigation (FBI) is also aware of the attacks and is collaborating with federal and private-sector partners to investigate the incidents. While the exact identity of the attackers remains unknown, the consistent methods observed across multiple attacks suggest a coordinated effort, possibly by a single actor.
Conclusion
The active exploitation of the CVE-2025-53770 vulnerability in Microsoft SharePoint Server serves as a stark reminder of the evolving cyber threat landscape. Organizations must remain vigilant, promptly apply recommended mitigations, and continuously monitor their systems for signs of compromise. By taking these proactive steps, organizations can better protect their critical infrastructure and sensitive data from malicious actors.
