
Hackers relentlessly breach Microsoft SharePoint once more, exploiting critical zero-day vulnerabilities in over 85 servers.

Two zero-day vulnerabilities in on-premises SharePoint Server (2016, 2019 and Subscription Edition) have been exploited in the wild since July 18, with over 85 servers compromised worldwide.


Microsoft has issued security updates for SharePoint Server Subscription Edition and SharePoint Server 2019 that address two zero-day vulnerabilities, CVE-2025-53770 (a deserialization flaw that allows unauthenticated remote code execution) and CVE-2025-53771 (a spoofing flaw used alongside it), both actively exploited since July 18. At the time of the initial advisory a patch for SharePoint Server 2016 was still in development; it has since been published as well. Only on-premises SharePoint Server is affected; SharePoint Online in Microsoft 365 is not impacted.

Microsoft recommends that administrators of on-premises SharePoint Servers take the following actions immediately to reduce the risk posed by these vulnerabilities, and not treat the update alone as sufficient.

Immediate Actions for Administrators

  1. Apply Microsoft's July 2025 security updates immediately. Updates are now available for SharePoint Server Subscription Edition, 2019 and 2016, and must be installed to fully remediate CVE-2025-53770 and CVE-2025-53771.
  2. Configure the Antimalware Scan Interface (AMSI) for SharePoint and deploy Microsoft Defender Antivirus on all SharePoint servers to help detect malicious payloads.
  3. If AMSI cannot be enabled and the affected servers are publicly accessible, disconnect those services from the internet until mitigations or patches are applied to reduce exposure risk.
  4. Rotate the ASP.NET machine keys (ValidationKey and DecryptionKey) before and after applying the security updates. The exploit chain discloses these keys, and an attacker who holds them can keep signing malicious __VIEWSTATE payloads even on a patched server, so key rotation, not the patch alone, is what invalidates that access.
  5. Restart the IIS (Internet Information Services) service after patching to ensure updates are fully applied and running.
  6. Inspect the environment for signs of compromise, especially looking for web shells or malicious DLL payloads, which are difficult to detect but commonly used in these exploits.
  7. Remove any discovered web shells and other malicious artifacts from the SharePoint environment to fully remediate infections.
  8. Follow CISA's Known Exploited Vulnerabilities guidance (Binding Operational Directive 22-01, including its provisions for cloud services), or discontinue use of the product if mitigations are not available.

These steps matter because patching alone may not suffice if the server was compromised before the update: stolen machine keys and web shells planted earlier survive the patch, and attackers have been observed continuing to operate on patched servers where the additional mitigations were not applied.
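The checklist above, as an added PowerShell example (not the article's or Microsoft's script): run from the SharePoint Management Shell as a farm administrator, it checks the farm build and Defender state (steps 1 and 2), then rotates the machine keys and restarts IIS (steps 4 and 5) when `-Remediate` is passed. The minimum build number, the presence of the `Update-SPMachineKey` cmdlet on the build, and the Defender cmdlets are assumptions about the environment, not facts from the article.

```powershell
# Added example, not the article's or Microsoft's script: post-patch checks for an
# on-premises SharePoint 2019 / Subscription Edition farm. Run in the SharePoint
# Management Shell as a farm administrator. Reports state; only rotates keys and
# restarts IIS when -Remediate is passed.
[CmdletBinding()]
param(
    [switch]$Remediate,
    # Assumption: the farm build that carries the July 2025 security update for your
    # edition. Look the number up in the KB for your edition; 16.0.0.0 is a placeholder.
    [version]$MinimumPatchedBuild = '16.0.0.0'
)

if (-not (Get-Command Get-SPFarm -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Step 1: is the security update installed? SharePoint updates raise the farm build version.
$farm = Get-SPFarm
$patched = $farm.BuildVersion -ge $MinimumPatchedBuild
Write-Host ("Farm build {0} (patched: {1})" -f $farm.BuildVersion, $patched)
if (-not $patched) {
    Write-Warning "Install the July 2025 security update before trusting this server."
}

# Step 2: Defender must be running for AMSI scanning of SharePoint requests to do anything.
$mp = Get-MpComputerStatus
$defenderOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $mp.AMServiceEnabled
if (-not $defenderOk) {
    Write-Warning "Microsoft Defender Antivirus is not fully enabled; AMSI integration will not protect this server."
}

if ($Remediate) {
    # Steps 4 and 5: rotate the ASP.NET machine keys for every web application, then restart IIS.
    # The exploit chain reads the farm's ValidationKey/DecryptionKey; with those an attacker can
    # sign forged __VIEWSTATE payloads and keep executing code on a patched server, so rotation
    # is what actually cuts off that access.
    # Assumption: Update-SPMachineKey exists on this build (Subscription Edition, and 2019 with a
    # recent CU). If it is missing, run the "Machine Key Rotation Job" timer job from Central
    # Administration instead.
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine keys for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    # Restart IIS so every worker process loads the patched binaries and the new keys.
    & iisreset.exe /noforce
}
```

Run it once without `-Remediate` to see where the farm stands, then with `-Remediate` after the update is confirmed installed; rotating keys invalidates every existing ViewState and forms-auth ticket, so schedule it like a short outage.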

Additional Information

The mitigations can be implemented with PowerShell (using the cmdlet Microsoft references in its guidance) or through SharePoint's Central Administration interface. Microsoft has also published guidance for identifying compromised servers, including checking for the dropped file it names in the SharePoint layouts directory.

Microsoft is urging administrators to apply the newer updates once available for their edition, as they include more robust protections than the earlier July patches. CVE-2025-53770 and CVE-2025-53771 are bypasses of the original ToolShell vulnerabilities, CVE-2025-49704 and CVE-2025-49706, which were patched in the July 2025 Patch Tuesday release.
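Steps 6 and 7 of the checklist and the compromise-identification guidance referenced above call for a local hunt. The following PowerShell is an added example (not Microsoft's published hunting query) that triages one SharePoint server for three artifacts typical of this campaign: recently written `.aspx`/`.dll` files under LAYOUTS, the IIS worker process spawning shells, and the ToolPane.aspx request pattern in IIS logs. The start date, the layouts path and the IIS log location are assumptions to adapt; the request pattern and process-lineage indicators are the widely published ones for this chain, not facts from the article.

```powershell
# Added example, not Microsoft's published hunting query: local triage of one SharePoint
# server for artifacts typical of this campaign. Run in an elevated PowerShell. Start date,
# layouts path and IIS log path are assumptions to adapt to the farm.
param(
    [datetime]$Since = (Get-Date '2025-07-18'),
    # Assumption: 16.x hive, used by SharePoint 2016, 2019 and Subscription Edition.
    [string]$LayoutsDir = (Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'),
    [string]$IisLogRoot = 'C:\inetpub\logs\LogFiles'
)

# 1. Dropped web shells / DLLs. Files under LAYOUTS only change when an update is installed,
#    so anything written after the campaign start deserves a look; the hash lets you compare
#    against published indicators.
Write-Host "== Files under $LayoutsDir changed since $Since =="
Get-ChildItem -Path $LayoutsDir -Recurse -Include *.aspx,*.ashx,*.asmx,*.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Modified = $_.LastWriteTime
            SHA256   = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        }
    } | Format-Table -AutoSize

# 2. Process lineage. The IIS worker process (w3wp.exe) hosting SharePoint has no business
#    spawning shells or LOLBins. Needs process-creation auditing (Security event 4688) with
#    command-line logging turned on.
$suspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'certutil.exe',
                      'rundll32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'
Write-Host "== w3wp.exe child processes since $Since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the EventData fields by name rather than by index so field order does not matter.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields['ParentProcessName'] -like '*\w3wp.exe' -and
            $suspiciousChildren -contains (Split-Path $fields['NewProcessName'] -Leaf)) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Child       = $fields['NewProcessName']
                CommandLine = $fields['CommandLine']
            }
        }
    } | Format-Table -Wrap

# 3. Request pattern. Exploitation of this chain is triggered by a POST to ToolPane.aspx
#    under /_layouts/15/ carrying a Referer of SignOut.aspx, which ordinary browsing never sends.
Write-Host "== ToolPane.aspx POSTs with SignOut.aspx referer in IIS logs =="
Get-ChildItem -Path $IisLogRoot -Recurse -Filter 'u_ex*.log' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Select-String -Pattern 'POST /_layouts/15/ToolPane\.aspx' |
    Where-Object { $_.Line -match 'SignOut\.aspx' } |
    ForEach-Object { "$($_.Filename): $($_.Line)" }
```

A hit in any of the three sections means the server should be treated as compromised: preserve the files and logs before removing web shells, and rotate the machine keys again after cleanup, since anything taken before the first rotation is already in the attacker's hands.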

For details on the released security patches, see Microsoft's blog post, which also includes an advanced hunting query for Microsoft 365 Defender (Microsoft Defender XDR) that is useful for forensic investigation and ongoing monitoring.

Mithun Mohandas, an Indian technology journalist with 14 years of experience, covers processors, graphics cards, storage media, displays, and networking devices at our platform. In his free time, Mithun can be seen playing Valorant, World of Tanks, HITMAN, and the occasional Age of Empires. He is also the voice behind hundreds of our platform videos.

