Microsoft has urgently released a security advisory concerning critical zero-day vulnerabilities in on-premises SharePoint Server installations. These vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, are currently being actively exploited by malicious actors, posing significant risks to organizations utilizing SharePoint infrastructure.
Overview of the Vulnerabilities
The identified vulnerabilities specifically affect on-premises versions of SharePoint Server, while SharePoint Online, part of Microsoft 365, remains unaffected. Microsoft’s Security Response Center has confirmed active exploitation of these flaws, which were only partially mitigated in the initial July 2025 Security Update. Exploitation of these vulnerabilities can lead to remote code execution, potentially compromising entire SharePoint environments.
Security researchers have observed that successful exploitation often leaves behind malicious files, such as `spinstall0.aspx`, which serve as indicators of compromise. The observed attack chains bypass traditional security controls, so immediate patching is required to safeguard organizational security.
Security Updates and Mitigation Measures
In response to these threats, Microsoft has released comprehensive security updates:
– SharePoint Server Subscription Edition: Security update KB5002768
– SharePoint Server 2019: Security update KB5002754
Updates for SharePoint Server 2016 are currently under development, leaving these systems temporarily vulnerable.
Microsoft recommends implementing multiple defensive layers immediately:
1. Enable Antimalware Scan Interface (AMSI) in Full Mode: This provides critical protection against unauthenticated attacks.
2. Deploy Microsoft Defender Antivirus on All SharePoint Servers: This creates an essential security barrier.
Additionally, after applying the patches, it is crucial to rotate SharePoint Server ASP.NET machine keys using either the `Update-SPMachineKey` PowerShell cmdlet or the Central Administration interface. Following key rotation, administrators must restart IIS using `iisreset.exe` on all SharePoint servers to complete the remediation process.
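The post-patch steps above (key rotation with `Update-SPMachineKey`, then `iisreset.exe`) together with a check for the `spinstall0.aspx` indicator, as an added PowerShell example that is not Microsoft's own code. It assumes an elevated SharePoint Management Shell run by a farm administrator, a default install root under Common Files, and that `Update-SPMachineKey` accepts a web application through `-WebApplication`; confirm each against your farm and Microsoft's current guidance before use.

```powershell
<#
  Added example (not Microsoft's code): post-patch checks and remediation for the
  SharePoint advisory above. Assumptions: run in an elevated SharePoint Management
  Shell as a farm administrator after KB5002768 / KB5002754 is installed, and that
  Update-SPMachineKey takes a web application via -WebApplication. Key rotation is
  farm-wide (run once); iisreset.exe must be run on every SharePoint server.
#>
param(
  [switch]$RotateKeys,   # run Update-SPMachineKey for every web application (once per farm)
  [switch]$RestartIIS    # run iisreset.exe on this server after rotation
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# 1. Look for the indicator file named in the advisory anywhere under the SharePoint
#    hive. The root below is the default install location (assumption); adjust it
#    for non-default installations.
$hiveRoot = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions'
$hits = Get-ChildItem -Path $hiveRoot -Filter 'spinstall0.aspx' -Recurse -File -ErrorAction SilentlyContinue
if ($hits) {
  foreach ($h in $hits) {
    Write-Warning ("Indicator of compromise found: {0} (last written {1:u})" -f $h.FullName, $h.LastWriteTimeUtc)
  }
  Write-Warning 'Treat this server as compromised: preserve the file for forensics and start incident response before continuing.'
} else {
  Write-Host "No spinstall0.aspx found under $hiveRoot"
}

# 2. Rotate the ASP.NET machine keys for every web application in the farm.
if ($RotateKeys) {
  foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
  }
}

# 3. Restart IIS so the rotated keys take effect on this server.
if ($RestartIIS) {
  & iisreset.exe
}
```

Run it once with `-RotateKeys -RestartIIS` on the first server and with `-RestartIIS` only on the remaining servers; the indicator check runs every time. An absent `spinstall0.aspx` does not prove the server is clean, so pair it with the Defender detections listed below.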
Detection and Monitoring
Microsoft has deployed multiple detection mechanisms through its security ecosystem:
– Microsoft Defender Antivirus: Now identifies threats under detection names such as `Exploit:Script/SuspSignoutReq.A` and `Trojan:Win32/HijackSharePointServer.A`, providing real-time protection against known exploitation attempts.
– Microsoft Defender for Endpoint: Generates specific alerts, including "Possible web shell installation", "Suspicious IIS worker process behavior", and "SuspSignoutReq malware was blocked on a SharePoint server".
Security teams can leverage advanced hunting queries to identify potential indicators of compromise across their environment. Organizations are also encouraged to utilize Microsoft Defender Vulnerability Management to assess exposure levels by filtering for the specific CVE identifiers in the Software vulnerabilities section.
Recommendations for Organizations
Given the critical nature of these vulnerabilities and the active exploitation observed, organizations are urged to take the following actions immediately:
1. Apply Security Updates Promptly: Ensure that the latest security updates (KB5002768 for Subscription Edition and KB5002754 for SharePoint 2019) are applied without delay.
2. Enable AMSI and Deploy Defender Antivirus: Configure AMSI in Full Mode and deploy Microsoft Defender Antivirus across all SharePoint servers to enhance protection against unauthenticated attacks.
3. Rotate Machine Keys and Restart IIS: After applying the patches, rotate the SharePoint Server ASP.NET machine keys and restart IIS to complete the remediation process.
4. Monitor for Indicators of Compromise: Utilize Microsoft Defender’s detection capabilities to monitor for potential indicators of compromise and respond accordingly.
By implementing these measures, organizations can mitigate the risks associated with these critical vulnerabilities and protect their SharePoint environments from potential exploitation.