CISA Issues Alert on Microsoft SharePoint 0-Day RCE Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent security alert regarding a critical zero-day vulnerability in Microsoft SharePoint Server that is being actively exploited in cyberattacks.

The vulnerability, tracked as CVE-2025-53770, represents a significant threat to organizations running on-premises SharePoint installations.

The flaw is a deserialization of untrusted data vulnerability in on-premises Microsoft SharePoint Server.

This weakness allows unauthorized attackers to execute arbitrary code remotely over a network, potentially giving cybercriminals complete control over affected systems.

The vulnerability is classified in the Common Weakness Enumeration as CWE-502 (Deserialization of Untrusted Data), the class of flaws in which serialized data from an untrusted source is reconstructed into live objects without being checked.
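To make the vulnerability class concrete, the following is an added illustration, not code from the article, from CISA, or from SharePoint itself: the CWE-502 pattern, in which a formatter instantiates whatever types the client-supplied bytes name, shown beside a hardened alternative that binds the input to one data-only type and validates every field. The `ViewState` class, its field names, the allow-listed column names and the sample blobs are all constructed for this example.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

// Constructed example type. "ViewState" stands in for any state blob a web
// application accepts back from the client; it is not a SharePoint type.
[Serializable]
public sealed class ViewState
{
    public string SortColumn { get; set; } = "Title";
    public int PageSize { get; set; } = 20;
}

public static class StateHandling
{
    // CWE-502 pattern: BinaryFormatter reconstructs whatever types the stream
    // names, and their constructors and deserialization callbacks run before the
    // cast below is ever reached. Nothing here restricts the input to a ViewState.
    // (BinaryFormatter is obsolete and disabled by default on .NET 8+; the pattern
    // still appears in .NET Framework code bases.)
    public static ViewState LoadUnsafe(byte[] untrustedBlob)
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(untrustedBlob);
        return (ViewState)formatter.Deserialize(stream);
    }

    // Hardened pattern: a data-only format bound to one concrete type, a size cap
    // applied before parsing, and range / allow-list checks on each field before use.
    private const int MaxStateBytes = 4096;
    private static readonly string[] KnownColumns = { "Title", "Modified", "Author" };

    public static ViewState LoadSafe(byte[] untrustedBlob)
    {
        if (untrustedBlob is null || untrustedBlob.Length == 0 || untrustedBlob.Length > MaxStateBytes)
            throw new InvalidDataException("state blob missing or exceeds size limit");

        var options = new JsonSerializerOptions { PropertyNameCaseInsensitive = false };
        ViewState state = JsonSerializer.Deserialize<ViewState>(untrustedBlob, options)
            ?? throw new InvalidDataException("state blob decoded to null");

        if (state.PageSize < 1 || state.PageSize > 500)
            throw new InvalidDataException("PageSize out of range");
        if (Array.IndexOf(KnownColumns, state.SortColumn) < 0)
            throw new InvalidDataException("SortColumn not in allow-list");
        return state;
    }

    public static void Main()
    {
        // Constructed inputs: one well-formed blob, and one that parses as JSON
        // but fails field validation.
        byte[] good = Encoding.UTF8.GetBytes("{\"SortColumn\":\"Modified\",\"PageSize\":50}");
        byte[] bad  = Encoding.UTF8.GetBytes("{\"SortColumn\":\"Modified\",\"PageSize\":999999}");

        ViewState ok = LoadSafe(good);
        Console.WriteLine($"accepted: {ok.SortColumn}, {ok.PageSize}");

        try { LoadSafe(bad); }
        catch (InvalidDataException ex) { Console.WriteLine($"rejected: {ex.Message}"); }
    }
}
```

The hardened path never lets the input choose a type: the decoder only ever produces a `ViewState`, and the fields are plain data that are range-checked before anything acts on them. In practice a server that hands state blobs to clients should also authenticate them with a keyed MAC and reject any blob whose tag does not verify, so that untrusted bytes are discarded before a parser ever sees them.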

Immediate Response Required

CISA has designated July 21, 2025, as the critical deadline for organizations to implement protective measures, just one day after the vulnerability was added to the agency’s Known Exploited Vulnerabilities Catalog on July 20, 2025.

This extremely tight timeline underscores the severity of the threat and the active exploitation occurring in the wild.

The agency’s primary recommendation centers on configuring Antimalware Scan Interface (AMSI) integration within SharePoint environments and deploying Microsoft Defender Antivirus on all SharePoint servers.

These measures can help detect and prevent malicious code execution attempts targeting the vulnerability.

For organizations unable to enable AMSI integration immediately, CISA has issued more drastic guidance: disconnect all public-facing SharePoint products from internet services until official mitigations become available.

This recommendation highlights the critical nature of the vulnerability and the potential for widespread exploitation.

The vulnerability poses particular risks to organizations with internet-facing SharePoint deployments, which are common in enterprise environments for collaboration and document management.

The deserialization flaw could serve as an entry point for ransomware operators, though CISA has not yet confirmed whether the vulnerability is being used in ransomware campaigns.

Organizations must follow applicable Binding Operational Directive (BOD) 22-01 guidance for cloud services and consider discontinuing product use if adequate mitigations cannot be implemented.

CISA emphasizes that once Microsoft releases official patches or mitigations, organizations should apply them immediately according to both CISA and vendor instructions.

This incident demonstrates the ongoing challenges organizations face with zero-day vulnerabilities in widely deployed enterprise software.

The rapid timeline between discovery and required remediation reflects the sophisticated threat landscape and the need for organizations to maintain robust incident response capabilities.

Security teams should monitor Microsoft’s security advisories closely for official patches and continue implementing CISA’s recommended interim protections to minimize exposure to this critical vulnerability.
