
⚠️ Critical Vulnerability In Microsoft SharePoint Server - CVE-2025-53770

A critical security vulnerability has been identified in Microsoft SharePoint Server that is actively being exploited in the wild. Tracked as CVE-2025-53770 (CVSS 9.8), this flaw is a variant of CVE-2025-49706 (CVSS 6.3), a spoofing vulnerability that was previously patched.

Last Updated: July 19, 2025


What’s the issue?

This vulnerability enables unauthorized remote code execution (RCE) via deserialization of untrusted data in on-premises SharePoint Server. This allows attackers to gain access without authentication, posing a severe risk to enterprise environments.

🛡️ Microsoft’s Response

According to Microsoft’s official advisory released on July 19, 2025:

  • No patch is currently available. The Microsoft Security Response Center (MSRC) is actively working on a fix.
  • SharePoint Online (Microsoft 365) is not affected.
  • Organizations are advised to take mitigation steps immediately.

🔗 Read Official Microsoft Advisory

🚨 Emergency Mitigation Steps

  • Enable Antimalware Scan Interface (AMSI) integration in SharePoint Server.
    ➡️ Microsoft’s AMSI Guidance
  • Deploy Microsoft Defender Antivirus on all SharePoint servers.
  • ⚠️ If AMSI cannot be enabled, disconnect vulnerable servers from the internet until the patch is released.


🚨 Why This is a Major Concern

Eye Research, the cybersecurity firm that discovered the flaw, confirmed that attackers can exploit this vulnerability to:

  • Bypass authentication mechanisms like MFA or SSO
  • Access all SharePoint content and system configuration files
  • Move laterally across other systems within the same Windows domain
  • Steal cryptographic keys and impersonate services and users

Even after Microsoft releases a patch, organizations must rotate all secrets and cryptographic keys to regain full security.

🔗 Attack Chain Observations

Cybersecurity teams from Eye Security and Palo Alto Networks Unit 42 have reported that attackers are chaining this flaw with other high-severity vulnerabilities:

  • CVE-2025-49706: Spoofing vulnerability
  • CVE-2025-49704: Code injection vulnerability (CVSS 8.8)

The campaign, codenamed ToolShell, uses PowerShell scripts to deliver malicious ASPX payloads and extract MachineKey configuration (ValidationKey and DecryptionKey) from compromised servers. This enables persistent access and RCE capabilities even after a restart.
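As an added triage example (not code from the original post or from Microsoft), the following PowerShell script, run on an on-premises SharePoint server, inventories .aspx files written recently in the locations where ASP.NET pages are served, hashes each one and flags any that reference the machineKey values the campaign is described as extracting. The hive path, the 14-day window and the report location are assumptions.

```powershell
<#
  Added triage example, not from the original post or Microsoft: list .aspx
  files written recently on an on-premises SharePoint server for IR review.
  Assumptions: SharePoint 2016+ with the 16 hive; adjust the hive path and
  window for your environment. Run from an elevated session on the server.
#>
param(
    [int]$LookbackDays = 14,
    [string]$ReportPath = "$env:TEMP\aspx-triage.csv"
)

Import-Module WebAdministration -ErrorAction Stop

# Directories from which ASP.NET pages are served on a SharePoint server.
$hive  = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16'
$paths = @(
    (Join-Path $hive 'TEMPLATE\LAYOUTS')   # exposed as /_layouts/16/ on every site
)
# Add every IIS site root (SharePoint web applications and Central Administration).
$paths += Get-Website | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.physicalPath) }

$cutoff = (Get-Date).AddDays(-$LookbackDays)

$findings = foreach ($p in ($paths | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    Get-ChildItem -LiteralPath $p -Filter *.aspx -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $cutoff -or $_.LastWriteTimeUtc -ge $cutoff } |
        ForEach-Object {
            $content = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path        = $_.FullName
                CreatedUtc  = $_.CreationTimeUtc
                ModifiedUtc = $_.LastWriteTimeUtc
                SizeBytes   = $_.Length
                Sha256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                # Legitimate SharePoint pages have no reason to read the machineKey
                # values, so a page that references them deserves a closer look.
                TouchesMachineKey = [bool]($content -match 'machineKey|ValidationKey|DecryptionKey')
            }
        }
}

$findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Reviewed $($findings.Count) recently written .aspx file(s); report written to $ReportPath"
```

Treat the output as a starting point for review, not a verdict: a flagged file is compared against the known-good install and the server's change history before any action is taken.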

📢 Expert Statement

Piet Kerkhofs, CTO at Eye Security:

“We are still identifying mass exploitation waves. Adversaries are moving quickly using this RCE vulnerability. We've notified nearly 75 breached organizations, including major companies and government agencies worldwide.”


🛡️ Immediate Security Measures

  • Enable AMSI (enabled by default on SharePoint Server 2016/2019 since September 2023 and on Subscription Edition 23H2)
  • Use Microsoft Defender for Endpoint to monitor post-exploitation behavior
  • Disconnect vulnerable systems if AMSI can't be enabled

Stay tuned to Microsoft’s official updates and apply the patch as soon as it's available.

📄 Emergency Guidance by Microsoft


📌 Summary Table

Vulnerability    CVSS Score  Impact                       Status
CVE-2025-53770   9.8         Remote Code Execution (RCE)  Actively exploited, no patch yet
CVE-2025-49706   6.3         Spoofing                     Patched
CVE-2025-49704   8.8         Code Injection               Observed in ToolShell campaign

Stay vigilant and secure your SharePoint infrastructure before it’s too late.
