
Cyber-criminals Capitalize on Microsoft's Substantial Security Flaw on a Large Scale

Organisations that run their own file-sharing servers on Microsoft's SharePoint are exposed by a newly detected vulnerability.


A newly discovered vulnerability in Microsoft's SharePoint software, CVE-2025-53770, is currently being exploited by attackers, posing a significant threat to organisations that run the file-sharing product on their own on-premises servers.

Microsoft has confirmed the issue and released updates to fix the security gap in SharePoint as part of the July 2025 Patch Tuesday. Affected organisations should promptly apply these updates to their on-premises SharePoint Server installations to block active exploitation attempts.

Organisations using unsupported versions of SharePoint Server may not receive these security patches. It is recommended to upgrade to supported versions such as SharePoint Server 2016, SharePoint Server 2019, or SharePoint Subscription Edition.

As an immediate temporary mitigation, organisations should disconnect their SharePoint servers from the internet to prevent remote exploitation while waiting for patches. This reduces exposure to ongoing attack campaigns.

Attackers are exploiting the way SharePoint deserializes untrusted data to execute code before any authentication takes place, and they blend their activity into legitimate SharePoint operations. To detect suspicious lateral movement or forged payloads, organisations should deploy deep endpoint monitoring and anomaly detection.
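One way to turn the pre-authentication point above into a detection, as an added example that is not from the article or from Microsoft: build a baseline of SharePoint application pages that are normally only POSTed to by authenticated users, then flag successful POSTs to those pages that arrive with no authenticated username. The IIS W3C field order and the log lines are constructed assumptions for this example; the page names are ordinary SharePoint pages, not indicators of compromise.

```python
from collections import defaultdict

# Assumed IIS W3C field order; adjust to match the #Fields: header of your own logs.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "sc-status"]

# Constructed sample log lines (not real telemetry): two authenticated users working
# normally, then an unauthenticated client POSTing to an application page.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-07-20 08:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.1.20 200
2025-07-20 08:02:40 10.0.0.5 POST /_layouts/15/settings.aspx - 443 CORP\\alice 10.0.1.20 200
2025-07-20 08:03:05 10.0.0.5 POST /_layouts/15/listedit.aspx List=1 443 CORP\\bob 10.0.1.31 302
2025-07-20 08:04:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 203.0.113.7 401
2025-07-20 08:04:01 10.0.0.5 POST /_layouts/15/settings.aspx - 443 - 203.0.113.7 200
2025-07-20 08:04:02 10.0.0.5 POST /_layouts/15/settings.aspx - 443 - 203.0.113.7 200
"""

def parse(log_text):
    """Yield one dict per W3C data line, skipping '#' directive lines."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip it rather than crash the detector
        yield dict(zip(FIELDS, parts))

def find_preauth_posts(log_text):
    """Return sorted (page, client_ip, count) for successful unauthenticated POSTs
    to /_layouts/ pages that the baseline only saw POSTed by authenticated users."""
    baseline = set()             # pages POSTed to with a cs-username present
    suspects = defaultdict(int)  # (page, c-ip) -> count of unauthenticated 200 POSTs
    for rec in parse(log_text):
        page = rec["cs-uri-stem"].lower()
        if rec["cs-method"] != "POST" or not page.startswith("/_layouts/"):
            continue
        if rec["cs-username"] != "-":
            baseline.add(page)
        elif rec["sc-status"] == "200":
            suspects[(page, rec["c-ip"])] += 1
    return sorted((p, ip, n) for (p, ip), n in suspects.items() if p in baseline)

if __name__ == "__main__":
    for page, ip, n in find_preauth_posts(SAMPLE_LOG):
        print(f"ALERT: {n} unauthenticated POST(s) to {page} from {ip}")
```

The baseline should be learned from a longer, known-good window than the alert window; sites that deliberately allow anonymous access will need those pages excluded.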

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging affected government entities and companies to act quickly. CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities Catalog and urges prioritization of timely remediation to reduce risk.

This vulnerability could lead to data breaches and persistent unauthorised access. It is advisable to assume compromise, meaning companies should act as if they have been targeted, regardless of whether they actually have been. Access to the affected servers potentially enables data theft and password harvesting. Attackers could also steal digital keys that grant them future access to computer systems.

The identity of the attackers remains unclear. Last year, suspected Chinese hackers gained access to emails at some US agencies through a vulnerability in Microsoft software. Dozens of organisations, in both the private sector and government, have already been targeted through this new vulnerability.

SharePoint Online in Microsoft 365 is not affected by this vulnerability. Organisations are advised to integrate the patches into a comprehensive vulnerability management program to prevent future exposure to known exploited vulnerabilities. After patch application, conduct thorough security testing of SharePoint environments to verify that the vulnerabilities are effectively mitigated and that no unauthorized access has occurred.

In the US, servers of two federal agencies have been successfully attacked. No details were provided about which agencies were affected. A manager at the security firm CrowdStrike described the vulnerability as "significant".

Organisations are recommended to follow cybersecurity guidance from authorities and validate post-patch security to ensure their data is secure against this high-severity exploit.

  1. Organisations should promptly apply the security updates Microsoft has provided for SharePoint as part of their vulnerability management program, since the threat posed by CVE-2025-53770 is reduced by applying the appropriate technical fixes.
  2. To protect their servers against future attacks, organisations are advised to practise deep endpoint monitoring and anomaly detection, enabling early detection of suspicious activity and forged payloads related to the exploitation of CVE-2025-53770.
