
Critical Vulnerabilities in Microsoft SharePoint Server Under Zero-Day Exploitation

CVE-2025-53770 and CVE-2025-53771 could allow a remote unauthenticated attacker to execute arbitrary code and disclose sensitive information



Threat details

Unsupported versions are vulnerable

SharePoint Server 2010 and SharePoint Server 2013 are end-of-support and no longer receive security updates. Organisations must upgrade to a supported version of SharePoint Server.

Active exploitation of CVE-2025-53770 and CVE-2025-53771

Microsoft has reported that CVE-2025-53770 and CVE-2025-53771 are under active exploitation via an attack chain dubbed "ToolShell".

The NHS England National CSOC has observed active exploitation attempts and is aware of reports of multiple clusters of exploitation activity. The National CSOC assesses further immediate exploitation as highly likely.

Organisations with instances of Microsoft SharePoint Server Subscription Edition (SE), Server 2019 or Enterprise Server 2016 that were internet accessible on or after 17 July 2025 should assume compromise and follow Microsoft's guidance on detecting potential exploitation activity.


Introduction

Microsoft has released out-of-band security updates to address one critical severity vulnerability (CVE-2025-53770) and one medium severity vulnerability (CVE-2025-53771) in Microsoft SharePoint Server on-premises installations. Microsoft has observed exploitation of both vulnerabilities in the wild.


Vulnerability details

  • CVE-2025-53770 is a "deserialisation of untrusted data" vulnerability with a CVSSv3 score of 9.8. Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary code on the SharePoint Server. CVE-2025-53770 is related to CVE-2025-49704, for which a partial fix was released in Microsoft's July 2025 scheduled security updates.
  • CVE-2025-53771 is a "path traversal", "improper neutralisation", and "improper input validation" vulnerability with a CVSSv3 score of 6.3. Successful exploitation could allow an authenticated attacker to perform spoofing, potentially allowing the attacker to view or modify sensitive data such as session tokens and files stored on the SharePoint Server. CVE-2025-53771 is related to CVE-2025-49706, for which a partial fix was released in Microsoft's July 2025 scheduled security updates.

Threat updates

22 Jul 2025: SharePoint Enterprise Server 2016 security updates added
  • Updates are now available for all supported versions of on-premises Microsoft SharePoint Server affected by CVE-2025-53770 and CVE-2025-53771.

21 Jul 2025: Corrected patched versions for SharePoint Server Subscription Edition and Server 2019

Remediation advice

Affected organisations must review Microsoft's Customer guidance for SharePoint vulnerability CVE-2025-53770 blog post, apply the latest security update, ensure the Antimalware Scan Interface (AMSI) is enabled and configured correctly with an appropriate antivirus, and rotate all ASP.NET machine keys.

Note: Security updates for SharePoint Enterprise Server 2016 have now been released by Microsoft. This high severity Cyber Alert has been updated to reflect the new updates.

If organisations cannot patch or enable AMSI with an appropriate antivirus solution, they must disconnect any public-facing SharePoint servers from the internet until patches can be applied and AMSI enabled.

Organisations running end-of-support SharePoint server installations (SharePoint Server 2010 and 2013) must upgrade to a supported version.


Remediation steps

Type: Patch
Step: Patch

Organisations must apply the latest security update for SharePoint Server.

Fixed versions

  • Microsoft SharePoint Server Subscription Edition: KB5002768
  • Microsoft SharePoint Server 2019: KB5002754
  • Microsoft SharePoint Enterprise Server 2016: KB5002760

Note: SharePoint Server 2010 and SharePoint Server 2013 are both end-of-support and do not receive security updates. Organisations running SharePoint Server 2010 or SharePoint Server 2013 must upgrade to a supported version.


Reference: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

Type: Action
Step: Deploy and configure Antimalware Scan Interface (AMSI) and antivirus

Organisations must ensure the AMSI is turned on and configured correctly on all SharePoint servers, with an appropriate antivirus solution (such as Defender Antivirus).

Note: If organisations cannot patch or deploy AMSI, they must disconnect all public-facing SharePoint servers from the internet until patches can be applied.

Reference: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

Type: Action
Step: Rotate SharePoint Server ASP.NET machine keys

After applying the latest security updates and enabling AMSI, organisations must rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers.


Reference: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

Type: Guidance
Step: Deploy Microsoft Defender for Endpoint on all SharePoint Server installations

Organisations are advised to deploy Microsoft Defender for Endpoint (MDE) on all SharePoint servers. Organisations using another EDR solution as their primary should deploy MDE in passive mode.


Reference: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
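The machine key rotation and IIS restart step above, carried out across a whole farm, as an added example that is not part of the alert or of Microsoft's guidance. It assumes it is run from an elevated SharePoint Management Shell on a farm member after the security update has been installed and AMSI enabled, that the running account is a farm administrator with remoting rights to the other servers, and that the Update-SPMachineKey, Get-SPWebApplication and Get-SPServer cmdlets are available in the patched build.

```powershell
# Added example: rotate ASP.NET machine keys for every SharePoint web application,
# then restart IIS on every SharePoint server in the farm (not just the local one).
# Assumption: run in an elevated SharePoint Management Shell on a farm member,
# after patching and enabling AMSI, by a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$logPath = Join-Path $env:TEMP ("sp-machinekey-rotation-{0:yyyyMMdd-HHmm}.log" -f (Get-Date))
Start-Transcript -Path $logPath | Out-Null

try {
    # 1. Enumerate every web application, including Central Administration,
    #    so no application is left running with the old keys.
    $webApps = Get-SPWebApplication -IncludeCentralAdministration
    Write-Host ("Rotating machine keys for {0} web application(s)" -f $webApps.Count)

    foreach ($wa in $webApps) {
        Write-Host ("  -> {0}" -f $wa.Url)
        # Assumption: Update-SPMachineKey is the SharePoint cmdlet that generates
        # new keys and pushes the updated machineKey element to each server's web.config.
        Update-SPMachineKey -WebApplication $wa -ErrorAction Stop
    }

    # 2. Restart IIS on every SharePoint server. Get-SPServer also returns
    #    database servers, which have Role 'Invalid' and run no IIS sites.
    $spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
    $failed = @()
    foreach ($server in $spServers) {
        Write-Host ("Restarting IIS on {0}" -f $server.Address)
        try {
            if ($server.Address -ieq $env:COMPUTERNAME) {
                & iisreset.exe /noforce | Out-Null
            } else {
                Invoke-Command -ComputerName $server.Address -ErrorAction Stop `
                    -ScriptBlock { & iisreset.exe /noforce | Out-Null }
            }
        } catch {
            $failed += $server.Address
            Write-Warning ("IIS restart failed on {0}: {1}" -f $server.Address, $_.Exception.Message)
        }
    }

    # 3. Report servers that still need a manual restart; old keys stay in use
    #    in their worker processes until IIS is restarted there.
    if ($failed.Count -gt 0) {
        Write-Warning ("Restart IIS manually on: {0}" -f ($failed -join ', '))
    } else {
        Write-Host "Machine keys rotated and IIS restarted on all SharePoint servers."
    }
}
finally {
    Stop-Transcript | Out-Null
    Write-Host ("Transcript written to {0}" -f $logPath)
}
```

The transcript gives the change record for the rotation; keep it with the incident documentation, since the page directs organisations with internet-exposed servers to assume compromise.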


Last edited: 22 July 2025 10:44 am