On July 20, 2025, Microsoft issued an emergency security update to address a critical vulnerability in its SharePoint Server software, identified as CVE-2025-53770. This flaw, with a CVSS score of 9.8, allows remote code execution due to the deserialization of untrusted data in on-premises versions of SharePoint Server. The vulnerability has been actively exploited in the wild, prompting immediate action from Microsoft to protect its users.
Understanding the Vulnerability
CVE-2025-53770 is a severe security flaw that arises when SharePoint Server improperly processes serialized data. Deserialization involves converting data into a format that can be easily stored or transmitted. However, if this process is not securely handled, it can be exploited by attackers to execute arbitrary code on the server, potentially leading to unauthorized access, data theft, or further network compromise.
Active Exploitation and Immediate Response
Microsoft acknowledged that this vulnerability has been actively exploited, with attackers targeting on-premises SharePoint Server customers. The company emphasized the urgency of applying the security update to mitigate potential risks. In addition to CVE-2025-53770, Microsoft disclosed another related vulnerability, CVE-2025-53771, a spoofing flaw with a CVSS score of 6.3. Both vulnerabilities are connected to previously identified issues, CVE-2025-49704 and CVE-2025-49706, which were addressed in the July 2025 Patch Tuesday update.
Mitigation Measures and Recommendations
To protect against these vulnerabilities, Microsoft recommends the following actions:
1. Apply Security Updates: Ensure that the latest security patches are applied to all on-premises SharePoint Servers.
2. Enable Antimalware Scan Interface (AMSI): Activate AMSI in Full Mode to enhance protection against malicious activities.
3. Deploy Advanced Threat Protection: Utilize Microsoft Defender for Endpoint or equivalent security solutions to detect and respond to threats.
4. Rotate ASP.NET Machine Keys: After applying the updates, rotate the SharePoint Server ASP.NET machine keys and restart IIS on all SharePoint servers to ensure the changes take effect.
Broader Implications and Industry Response
The exploitation of CVE-2025-53770 underscores the persistent threats facing organizations using on-premises software solutions. Cybersecurity firm Eye Security reported that at least 54 organizations have been compromised through this vulnerability, highlighting the widespread impact and the importance of prompt patching.
This incident is part of a broader trend of increasing zero-day vulnerabilities being exploited in the wild. For instance, in March 2025, Microsoft addressed six actively exploited zero-day vulnerabilities, including issues in the Windows Win32 Kernel Subsystem and the Fast FAT File System Driver. These vulnerabilities allowed attackers to elevate privileges and execute arbitrary code, emphasizing the critical need for organizations to stay vigilant and proactive in their cybersecurity measures.
Conclusion
The release of this urgent patch by Microsoft serves as a critical reminder of the evolving cybersecurity landscape and the necessity for organizations to maintain up-to-date systems. By promptly applying security updates, enabling advanced threat protection features, and following best practices for system security, organizations can significantly reduce their risk of exploitation and safeguard their sensitive data against emerging threats.
