
Microsoft has released emergency security updates for two critical vulnerabilities affecting on-premises SharePoint Server after confirming active exploitation by threat actors.
The more severe of the two, CVE-2025-53770 (CVSS score: 9.8), is a deserialization of untrusted data flaw in on-premises SharePoint Server that allows an unauthorized attacker to execute code over a network.
Microsoft also patched a related spoofing flaw, CVE-2025-53771 (CVSS score: 6.3), a path traversal weakness that allows an attacker to perform spoofing over a network.
In its advisory, Microsoft acknowledged: “We are aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”
According to the company, both vulnerabilities are variants of two flaws fixed in the July 2025 Patch Tuesday release (CVE-2025-49704 and CVE-2025-49706), which attackers found ways to bypass; the new updates include more robust protections.
“The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704,” said Microsoft. “The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.”
Attackers have reportedly been chaining these vulnerabilities, in what researchers call the ToolShell exploit chain, to gain unauthorized access, exfiltrate sensitive data, and maintain persistence.
Microsoft clarified that these flaws only affect on-premises SharePoint Servers, and SharePoint Online in Microsoft 365 remains unaffected.
The patches are available for the following supported versions (build number after the update in parentheses where listed):
- Microsoft SharePoint Server 2019 (16.0.10417.20027)
- Microsoft SharePoint Enterprise Server 2016 (16.0.5508.1000)
- Microsoft SharePoint Server Subscription Edition
To mitigate ongoing attacks, Microsoft recommends that customers immediately:
- Upgrade to supported versions.
- Apply the latest security updates.
- Enable Antimalware Scan Interface (AMSI) integration in SharePoint in Full Mode and deploy antivirus software (such as Microsoft Defender Antivirus) on all SharePoint servers.
- After installing the update, rotate the SharePoint Server ASP.NET machine keys, then restart IIS (iisreset.exe) on every SharePoint server in the farm.
- Deploy endpoint protection such as Microsoft Defender for Endpoint.
The company warned: “If AMSI cannot be enabled, disconnect the server from the internet and rotate keys after updating.”
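The post-update steps above can be scripted from the SharePoint Management Shell. The following is an added example, not code from the original article or from Microsoft: it confirms the farm is on at least the build listed above for its product line, rotates the ASP.NET machine keys for every web application, and restarts IIS. It assumes the build numbers in the list above are the patched builds for the July 2025 updates, uses SharePoint's own Get-SPFarm, Get-SPWebApplication and Update-SPMachineKey cmdlets, and leaves the AMSI Full Mode check to the operator. The product detection from the build number is the author's own heuristic, not something the advisory specifies.

```powershell
# Added example (not from the original article or from Microsoft): post-update
# checklist for the mitigations named above. Run in the SharePoint Management
# Shell as a farm administrator, then repeat the IIS restart on every server.
# Assumptions: minimum patched builds are the ones listed in the article;
# Subscription Edition is patched too but no build number is listed there, so it
# is reported but not checked.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$minBuild = @{
    'SharePoint Enterprise Server 2016' = [version]'16.0.5508.1000'
    'SharePoint Server 2019'            = [version]'16.0.10417.20027'
}

function Get-SPProductName([version]$Build) {
    # Heuristic (assumption): all three on-prem lines share major.minor 16.0 and
    # are told apart by the third component of the build number.
    if ($Build.Build -lt 10000)     { return 'SharePoint Enterprise Server 2016' }
    elseif ($Build.Build -lt 14000) { return 'SharePoint Server 2019' }
    else                            { return 'SharePoint Server Subscription Edition' }
}

$farmBuild = (Get-SPFarm).BuildVersion
$product   = Get-SPProductName $farmBuild
Write-Host "Farm build $farmBuild ($product)"

# Key rotation only helps once the vulnerable code path is gone, so refuse to
# continue on an unpatched build.
if ($minBuild.ContainsKey($product) -and $farmBuild -lt $minBuild[$product]) {
    Write-Warning "Farm build is below $($minBuild[$product]); install the security update first."
    return
}

# Step 1: rotate the ASP.NET machine keys for every web application, including
# Central Administration, so any keys captured during exploitation stop working.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# Step 2: restart IIS so worker processes load the new keys. Run this on every
# SharePoint server in the farm, not just the one where the rotation was issued.
& iisreset.exe
```

The same rotation can also be triggered from Central Administration by running the Machine Key Rotation timer job, but the script makes the ordering explicit: update first, rotate second, restart IIS last.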
Eye Security reported at least 54 organizations, including banks, universities, and government entities, have already been compromised.
Exploitation reportedly began around July 18, 2025, and continues to pose a significant risk to unpatched servers.
Microsoft urged all customers to take immediate action, emphasizing that the updated patches contain stronger safeguards to address the ongoing threat effectively.
Source: TheHackerNews