In July 2025, Microsoft identified and addressed two critical zero-day vulnerabilities in its on-premises SharePoint Server software, designated as CVE-2025-53770 and CVE-2025-53771. These vulnerabilities have been actively exploited by cyber attackers, compromising numerous organizations worldwide.
Understanding the Vulnerabilities
CVE-2025-53770 is a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8. It arises from the deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code on affected SharePoint servers. This flaw enables attackers to gain full control over the server, access sensitive data, and potentially move laterally within the network.
CVE-2025-53771, with a CVSS score of 6.3, is a server spoofing vulnerability resulting from improper limitation of a pathname to a restricted directory. Exploitation of this flaw allows attackers to perform spoofing attacks over a network, potentially leading to unauthorized access and data manipulation.
Exploitation and Impact
The exploitation of these vulnerabilities began around July 18, 2025. Attackers have been deploying a malicious ASPX payload known as spinstall0.aspx to extract cryptographic machine keys from SharePoint servers. With these keys, attackers can forge valid ViewState tokens, maintaining persistent access even after the servers are patched. This method effectively bypasses standard security measures, allowing remote command execution as a trusted user.
Eye Security, a Dutch cybersecurity firm, reported that approximately 100 organizations have been compromised, including government agencies, financial institutions, healthcare providers, and industrial firms. The majority of victims are located in the United States and Germany. The U.K.’s National Cyber Security Centre (NCSC) has also identified a limited number of affected entities within the United Kingdom.
Microsoft’s Response and Mitigation Measures
In response to these active exploits, Microsoft released emergency security updates on July 21, 2025, for SharePoint Server Subscription Edition and SharePoint Server 2019. Patches for SharePoint Server 2016 are forthcoming. Administrators are urged to apply these updates immediately to mitigate the risk of exploitation.
Additionally, Microsoft recommends enabling the Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender Antivirus on all SharePoint servers. AMSI integration, enabled by default in recent security updates, allows SharePoint to work with antivirus solutions to scan and block malicious scripts and payloads in real-time. If enabling AMSI is not feasible, Microsoft advises disconnecting the server from the internet until a security update is available.
Organizations are also advised to rotate SharePoint Server ASP.NET machine keys after applying the latest security updates or enabling AMSI. This step is crucial to prevent attackers from maintaining access using previously stolen keys. Deploying Microsoft Defender for Endpoint is recommended to detect and block post-exploit activities.
Broader Implications and Recommendations
The rapid exploitation of these vulnerabilities underscores the evolving nature of cyber threats and the importance of proactive security measures. Cybersecurity experts warn that patching alone may not be sufficient, as attackers may have already installed backdoors or extracted sensitive information. A comprehensive security review, including threat hunting and incident response, is essential to identify and remediate any unauthorized access.
Organizations should also consider implementing a zero-trust security model, which assumes that threats could exist both inside and outside the network perimeter. This approach involves continuous verification of user identities and device health, minimizing the risk of unauthorized access.
In conclusion, the active exploitation of CVE-2025-53770 and CVE-2025-53771 highlights the critical need for organizations to stay vigilant, apply security updates promptly, and adopt comprehensive security strategies to protect against emerging threats.
