On Sunday, Microsoft released an out-of-band emergency security patch for a critical remote code execution (RCE) vulnerability in its SharePoint Server software. The flaw, tracked as CVE-2025-53770, affects only on-premises (self-hosted) installations of Microsoft SharePoint and is actively being exploited in global cyberattacks. With a CVSS score of 9.8, it is among the most severe vulnerabilities disclosed this year. This was reported by G.Business, citing The Hacker News.
What is the threat
According to Microsoft, the vulnerability enables attackers to execute arbitrary code remotely by exploiting unsafe deserialization in SharePoint’s server logic. As early as July 18, cyberintelligence firms began observing targeted attacks on governments, banks, hospitals, and universities—including entities in Europe.
Once inside, attackers bypass security layers like multi-factor authentication (MFA) and single sign-on (SSO), gain privileged access, deploy persistent malware, steal cryptographic keys, and access data across connected Microsoft services like Outlook, Teams, OneDrive, and Office 365.
“If your SharePoint instance is exposed to the internet, assume you’ve been compromised,” warns Michael Sikorski, CTO of Palo Alto Networks, in a statement to The Hacker News.
Affected systems
Only on-premises SharePoint servers are vulnerable. SharePoint Online hosted via Microsoft 365 is not affected.
Impacted versions:
Product | Version |
---|---|
SharePoint Server 2019 | 16.0.10417.20027 |
SharePoint Enterprise Server 2016 | 16.0.5508.1000 |
SharePoint Server Subscription Edition | – |
SharePoint Server 2019 Core | – |
Microsoft also disclosed a second flaw: CVE-2025-53771 (CVSS 6.3), a spoofing vulnerability caused by improper path validation (“path traversal”). These issues are linked to previously reported flaws CVE-2025-49704 and CVE-2025-49706, known collectively as the ToolShell attack chain.
What companies must do now
Microsoft strongly advises all customers using on-premises SharePoint to:
- Immediately install the latest security updates
- Use only supported SharePoint versions (2016, 2019, Subscription Edition)
- Enable Antimalware Scan Interface (AMSI) in full mode
- Deploy Microsoft Defender Antivirus or a comparable security solution
- Rotate ASP.NET machine keys used by SharePoint after patching
- Restart IIS services on all SharePoint servers
If AMSI cannot be enabled, key rotation must still take place after patching.
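The key rotation and IIS restart steps from the list above, as an added example that is not from Microsoft or the original article. It assumes an elevated SharePoint Management Shell on a farm server where the security update is already installed; the cmdlets `Set-SPMachineKey` and `Update-SPMachineKey` belong to the SharePoint Server PowerShell module and are not named in the article.

```powershell
# Added example: rotate ASP.NET machine keys for every web application,
# then restart IIS on each SharePoint server. Run only after patching,
# because keys rotated on an unpatched server can be stolen again.

# Older versions load the cmdlets from a snap-in; newer ones load a module
# automatically, so a failure here is ignored.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ErrorActionPreference = 'Stop'

# Record the farm build so it can be compared with Microsoft's update guidance.
Write-Host "Farm build: $((Get-SPFarm).BuildVersion)"

$failed = @()
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Set-SPMachineKey    -WebApplication $wa   # generate new validation/decryption keys
        Update-SPMachineKey -WebApplication $wa   # deploy them to the farm
        Write-Host "Rotated machine keys: $($wa.Url)"
    }
    catch {
        $failed += $wa.Url
        Write-Warning "Rotation failed for $($wa.Url): $($_.Exception.Message)"
    }
}

# Stop before the restart if any web application still holds old keys.
if ($failed.Count -gt 0) {
    throw "Machine keys not rotated for: $($failed -join ', ')"
}

# Restart IIS on every SharePoint server so worker processes load the new keys.
# Servers with Role 'Invalid' are non-SharePoint members such as database hosts.
foreach ($srv in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
    iisreset.exe $srv.Address /restart
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "iisreset failed on $($srv.Address); restart IIS there manually."
    }
}
```

The remote `iisreset` calls need administrative rights on each server; where remote restart is blocked, run `iisreset` locally on every SharePoint server instead.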
Government response
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog and has required federal agencies to apply the patch by July 21, 2025.
According to threat intelligence firm Eye Security, at least 54 organizations have already been compromised globally—including European institutions.
Why this matters: A broader security crisis
This flaw has the potential to become one of the most significant cybersecurity incidents of the year. The deep integration of SharePoint with Microsoft’s ecosystem means a single compromised server may expose the entire corporate environment.
“Patching alone is not enough. Full forensic response may be required for affected organizations,” Sikorski emphasized.