
Microsoft Notifies Companies and Government Institutions of Attacks on SharePoint Infrastructure

Government agencies and businesses using document-sharing server software face active cyber threats, warns Microsoft. The tech giant advises immediate installation of security updates to safeguard systems.

A critical zero-day vulnerability (CVE-2025-53770, CVSS 9.8) in on-premises Microsoft SharePoint Server is currently being exploited in a series of large-scale attacks, affecting government agencies, businesses, and organisations worldwide. The flaw, a variant of previously patched remote code execution (RCE) vulnerabilities, allows unauthenticated attackers to execute arbitrary code on vulnerable systems [1][3][4].

The attacks, first reported by The Washington Post, have compromised at least 85 SharePoint Servers, with victims including major companies and government bodies across multiple countries [4]. Security firm Eye Security has linked these compromises to at least 29 distinct organisations as of late July 2021 [4].

The vulnerability stems from insecure deserialization of untrusted data in SharePoint Server, permitting attackers to run commands over the network [1]. As a result, attackers are installing webshells, stealing SharePoint MachineKeys, and establishing persistent, unauthenticated access to victim systems [2][3]. This allows full system takeover, lateral movement, and blending with legitimate activity, making detection difficult [1][3].

Affected products include on-premises SharePoint Server 2016, 2019, and Subscription Edition exposed to the internet. SharePoint Online (Microsoft 365) is not affected [1][4]. Microsoft is currently working on updates for the 2016 and 2019 versions of SharePoint and has been coordinating closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners globally [5].

Until a patch is available, Microsoft recommends enabling Antimalware Scan Interface (AMSI) in SharePoint, deploying Defender for Endpoint for detection and blocking of post-exploit activity, and isolating servers from the internet if AMSI cannot be enabled [2]. Security teams are advised to monitor for suspicious activity such as requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, creation of spinstall0.aspx, and connections from specific IP addresses [4].
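As an added example (not from the article or from Microsoft), the following Python script applies the two request-based indicators named above to IIS W3C log lines from a SharePoint front end. The log sample is constructed, and the field layout (standard IIS W3C names, with cs-uri-query logged) is an assumption.

```python
from collections import Counter

# Constructed IIS W3C log sample (not real traffic): one benign request, one
# ToolPane.aspx edit request, one request for the webshell file name, one more benign.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-07-19 10:01:02 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 10.0.0.20 Mozilla/5.0 200
2025-07-19 10:02:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 203.0.113.7 Mozilla/5.0 200
2025-07-19 10:02:20 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 203.0.113.7 Mozilla/5.0 200
2025-07-19 10:03:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 10.0.0.21 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header names follow the '#Fields:' token
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def is_suspicious(entry):
    """Return a reason string if the entry matches one of the indicators, else None."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "").lower()
    # The edit-mode ToolPane.aspx request the article says to watch for.
    if stem.endswith("/_layouts/15/toolpane.aspx") and "displaymode=edit" in query:
        return "ToolPane.aspx requested with DisplayMode=Edit"
    # Any request for the webshell file name; creation of the file on disk is a
    # separate check that a log-only scan cannot see.
    if stem.endswith("/spinstall0.aspx"):
        return "request for spinstall0.aspx"
    return None

def find_hits(text):
    """Return (hits, per-client-IP count) so the source addresses can be reviewed."""
    hits = []
    for e in parse_w3c(text):
        reason = is_suspicious(e)
        if reason:
            hits.append((f"{e['date']} {e['time']}", e["c-ip"], e["cs-uri-stem"], reason))
    return hits, Counter(ip for _, ip, _, _ in hits)

if __name__ == "__main__":
    hits, by_ip = find_hits(SAMPLE_LOG)
    for when, ip, stem, reason in hits:
        print(f"{when} {ip} {stem}: {reason}")
    print("client IPs to review:", dict(by_ip))
```

Run it against the real IIS log directory by reading each file into `find_hits`; a client address that appears in both indicator types within seconds, as in the sample, deserves priority review.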

If systems are patched but MachineKeys are not rotated, attackers may retain access [4]. It is therefore important for affected organisations to prioritise isolating affected systems, applying mitigations, and preparing for rapid patch deployment once available [2][4].

Given the scale and sophistication of the attacks, governments and businesses running on-premises SharePoint should treat the situation as urgent and implement the mitigations immediately [1][3][4]. Defenders must also watch for evolving attacker tactics, as payloads and IP addresses are likely to change rapidly [4].

This incident underscores the critical risk to organisations running exposed, on-premises SharePoint Servers and highlights the need for rapid response and layered defenses until a patch is available [1][2][4].

  1. In light of the ongoing attacks and the severity of the vulnerability in SharePoint Servers, businesses and government agencies should consider additional cybersecurity measures, such as deploying Antimalware Scan Interface (AMSI) and Defender for Endpoint, to protect their systems effectively.
  2. As the zero-day vulnerability in Microsoft SharePoint Server affects multiple businesses and organisations worldwide, it is crucial for these entities to prioritise security measures, including monitoring for suspicious activity and rotating machine keys, to prevent unauthorised access and ensure business continuity.
