Microsoft Released an Emergency Security Update to Patch a Critical SharePoint 0-Day Vulnerability
Microsoft has issued an urgent security advisory addressing critical zero-day vulnerabilities in on-premises SharePoint Server that attackers are actively exploiting.
The vulnerabilities, assigned as CVE-2025-53770 and CVE-2025-53771, pose immediate risks to organizations running SharePoint infrastructure and require immediate remediation.
Key Takeaways
1. Active zero-day attacks targeting on-premises SharePoint servers via CVE-2025-53770 and CVE-2025-53771.
2. Apply security updates immediately: KB5002768 (Subscription Edition) or KB5002754 (SharePoint 2019).
3. Microsoft Defender is deployed with threat detection and hunting capabilities.
Zero-Day Vulnerabilities Under Active Exploitation
The security flaws specifically target on-premises SharePoint Server installations, while SharePoint Online in Microsoft 365 remains unaffected.
Microsoft’s Security Response Center confirmed that threat actors are actively exploiting these vulnerabilities, which were only partially addressed in the initial July 2025 Security Update.
The vulnerabilities enable attackers to achieve remote code execution and potentially compromise entire SharePoint environments.
Security researchers have identified that successful exploitation results in the creation of malicious files such as spinstall0.aspx, which serves as an indicator of compromise.
The attack vectors involve sophisticated techniques that bypass traditional security controls, making immediate patching critical for organizational security.
CVE | Title | Affected Products | Severity |
CVE-2025-53770
CVE-2025-53771 |
SharePoint Server Remote Code Execution Vulnerability | SharePoint Server 2016, 2019, Subscription Edition | Critical |
Security Updates
Microsoft has released comprehensive security updates to address these vulnerabilities. For SharePoint Server Subscription Edition, organizations must apply security update KB5002768, while SharePoint Server 2019 requires KB5002754.
SharePoint 2016 updates are still in development, leaving these systems temporarily vulnerable.
The company recommends implementing multiple defensive layers immediately. Organizations must enable the Antimalware Scan Interface (AMSI) in Full Mode, which provides critical protection against unauthenticated attacks.
Additionally, deploying Microsoft Defender Antivirus on all SharePoint servers creates an essential security barrier.
A crucial post-patching step involves rotating SharePoint Server ASP.NET machine keys using either the Update-SPMachineKey PowerShell cmdlet or the Central Administration interface.
After key rotation, administrators must restart IIS using iisreset.exe on all SharePoint servers to complete the remediation process.
Microsoft has deployed multiple detection mechanisms through its security ecosystem. Microsoft Defender Antivirus now identifies threats under detection names Exploit:Script/SuspSignoutReq.A and Trojan:Win32/HijackSharePointServer.A.
These signatures provide real-time protection against known exploitation attempts.
Microsoft Defender for Endpoint generates specific alerts, including “Possible web shell installation,” “Suspicious IIS worker process behavior,” and “SuspSignoutReq malware was blocked on a SharePoint server”.
Security teams can leverage advanced hunting queries to identify potential compromise indicators across their environment.
Organizations can utilize Microsoft Defender Vulnerability Management to assess exposure levels by filtering for the specific CVE identifiers in the Software vulnerabilities section.
The unified advanced hunting query DeviceTvmSoftwareVulnerabilities | where CveId in (“CVE-2025-49706″,”CVE-2025-53770”) enables comprehensive vulnerability tracking across enterprise environments.
Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now
Source link