CISA Warns of Microsoft SharePoint server 0-Day RCE Vulnerability Exploited in Wild
CISA has issued an urgent warning about a critical zero-day remote code execution vulnerability affecting Microsoft SharePoint Server on-premises installations that threat actors are actively exploiting in the wild.
The vulnerability, tracked as CVE-2025-53770, poses a significant security risk to organizations running on-premises SharePoint infrastructure and has prompted an immediate remediation requirement for federal agencies, along with the same recommendations for all other affected organizations.
Key Takeaways
1. CVE-2025-53770 allows remote code execution on SharePoint servers and is actively exploited in the wild.
2. CISA requires remediation by July 21, 2025.
3. Enable AMSI/Defender AV on SharePoint servers or disconnect public-facing systems.
Microsoft SharePoint Server 0-Day Vulnerability
The newly discovered vulnerability, CVE-2025-53770, stems from a deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server. SharePoint Online in Microsoft 365 is not affected.
The weakness is classified as CWE-502 (Deserialization of Untrusted Data): the application accepts serialized objects from a source it does not control and reconstructs them without validating their type or contents.
The vulnerability allows an unauthorized attacker to execute arbitrary code over the network, making it particularly dangerous for organizations with internet-facing SharePoint deployments.
In a deserialization flaw of this kind, the server rebuilds objects from attacker-supplied serialized data; by crafting that data so that the reconstructed object graph triggers dangerous behavior during deserialization, an attacker can turn the act of processing the payload into code execution on the server.
The vulnerability is especially concerning because it requires no authentication: anyone who can reach the vulnerable SharePoint endpoint can attempt it, so a server's network exposure, not its user base, determines who can attack it.
CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on July 20, 2025, with an extremely tight remediation deadline of July 21, 2025, indicating the severity and active exploitation of this vulnerability.
While it remains unknown whether this vulnerability is being leveraged in ransomware campaigns, the rapid timeline for remediation suggests that CISA has observed credible threat activity targeting this specific flaw.
The zero-day nature of this vulnerability means that attackers had access to exploit this flaw before security patches or comprehensive mitigations were available, giving malicious actors a significant advantage.
Organizations with public-facing SharePoint servers are at the highest risk, as these systems can be directly targeted from the internet without requiring initial network compromise.
| Risk Factors | Details |
|---|---|
| Affected Products | Microsoft SharePoint Server Subscription Edition (on-premises); Microsoft SharePoint Server 2019 (on-premises); Microsoft SharePoint Server 2016 (on-premises) |
| Impact | Remote Code Execution |
| Exploit Prerequisites | Network reachability to a vulnerable SharePoint endpoint; no valid user credentials are necessary |
| CVSS 3.1 Score | 9.8 (Critical) |
In response to the active exploitation, CISA has issued specific mitigation guidance requiring organizations to configure Antimalware Scan Interface (AMSI) integration within SharePoint and to deploy Microsoft Defender Antivirus on all SharePoint servers. AMSI integration is enabled by default on servers that have the September 2023 security update (SharePoint Server 2016 and 2019) or the Version 23H2 feature update (Subscription Edition); older farms, or farms where it was turned off, must enable it explicitly.
For organizations unable to implement AMSI integration, CISA recommends the more drastic measure of immediately disconnecting affected public-facing SharePoint products from internet access until official mitigations become available.
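The following PowerShell script is an added example for verifying the interim mitigation described above on a single server; it is not code from the article, CISA or Microsoft. It checks that Defender Antivirus is present and running, that at least one AMSI provider is registered with Windows, and that SharePoint's AMSI integration is on for every web application; when the AMSI path is not in place and the operator passes the `-Isolate` switch, it applies the fallback of blocking inbound HTTP/HTTPS from the Internet with a host firewall rule. The function names, the `-Isolate` switch, and in particular the per-web-application property name `AMSIEnabled` are assumptions made for illustration; confirm the real setting against Microsoft's "Configure AMSI integration with SharePoint Server" documentation before relying on that part of the output.

```powershell
<#
  Added example, not code from the article, CISA or Microsoft.
  Run from an elevated SharePoint Management Shell on each on-premises server.
  ASSUMPTION: the per-web-application property 'AMSIEnabled' is illustrative;
  confirm the real setting in Microsoft's "Configure AMSI integration with
  SharePoint Server" documentation. A missing property is reported as $false.
#>
param(
    [switch]$Isolate,                 # apply the "disconnect from the internet" fallback
    [int[]]$PublicPorts = @(80, 443)  # ports the public-facing web applications listen on
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-DefenderState {
    # Returns $null when the Defender module is absent (e.g. a third-party AV is installed).
    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) { return $null }
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        AMServiceEnabled          = $mp.AMServiceEnabled
        SignatureAgeDays          = [int](New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).TotalDays
    }
}

function Get-AmsiProviders {
    # Every AMSI provider registers a CLSID subkey here; Defender's is
    # {2781761E-28E0-4109-99FE-B9D127C57AFE}. No subkeys means AMSI calls are scanned by nothing.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName
}

function Get-SharePointAmsiState {
    # One row per web application, including Central Administration.
    Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
        [pscustomobject]@{
            Url         = $_.Url
            AmsiEnabled = [bool]$_.Properties['AMSIEnabled']   # property name assumed, see header
        }
    }
}

function Block-InternetInbound([int[]]$Ports) {
    # Host-level fallback for "disconnect public-facing SharePoint from the internet".
    # The 'Internet' address keyword relies on Network Location Awareness, so treat
    # this as a stopgap and make the authoritative change on the perimeter firewall.
    foreach ($p in $Ports) {
        New-NetFirewallRule -DisplayName "CVE-2025-53770 block Internet TCP/$p" `
            -Direction Inbound -Action Block -Protocol TCP -LocalPort $p `
            -RemoteAddress Internet -Profile Any | Out-Null
    }
}

$farm      = Get-SPFarm
$defender  = Get-DefenderState
$providers = @(Get-AmsiProviders)
$webApps   = @(Get-SharePointAmsiState)
$unscanned = @($webApps | Where-Object { -not $_.AmsiEnabled })

# The AMSI path counts as in place only when every piece is present.
$amsiPathOk = [bool]($defender -and $defender.AntivirusEnabled -and
                     $defender.RealTimeProtectionEnabled -and
                     $providers.Count -gt 0 -and $unscanned.Count -eq 0)

[pscustomobject]@{
    Server            = $env:COMPUTERNAME
    FarmBuild         = $farm.BuildVersion.ToString()   # compare with the fixed build once Microsoft ships it
    Defender          = $defender
    AmsiProviderCount = $providers.Count
    WebAppsWithoutAmsi = $unscanned.Url
    MitigationInPlace = $amsiPathOk
} | Format-List

if (-not $amsiPathOk) {
    Write-Warning "AMSI/Defender mitigation is NOT fully in place on $env:COMPUTERNAME."
    if ($Isolate) {
        Block-InternetInbound -Ports $PublicPorts
        Write-Warning "Inbound TCP $($PublicPorts -join ',') from the Internet is now blocked on this host."
    } else {
        Write-Warning "Enable AMSI integration and Defender AV, or re-run with -Isolate to block Internet access."
    }
}
```

Run it once per server in the farm, since Defender state and AMSI provider registration are per host while the web-application setting is farm-wide; record the `FarmBuild` value so the server can be checked against the fixed build when Microsoft's security update is applied.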
For federal agencies the KEV entry carries CISA's standard required action under Binding Operational Directive 22-01: apply the vendor's mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Other organizations that cannot implement adequate mitigations should likewise consider taking the affected products offline until comprehensive security updates are released.