Microsoft released an emergency patch in July 2025 to address a critical zero-day vulnerability, tracked as CVE-2025-53770, in on-premises SharePoint servers.
Hackers exploited this flaw through the deserialization of untrusted data, enabling unauthenticated remote code execution and full control over targeted servers.
The attacks began in early July and escalated rapidly, impacting hundreds of organizations globally, including federal agencies and critical infrastructure.
Compromised systems included SharePoint 2016, 2019 and Subscription Edition, although the cloud-based SharePoint Online was not affected.
Attackers leveraged this vulnerability to steal sensitive data, deploy ransomware, and gain persistent access even after patches were applied by targeting machine keys used for authentication.
The Shadowserver Foundation reported more than 300 confirmed compromises, while researchers noted thousands of exposed SharePoint servers still vulnerable as of late July.
Source: https://www.ctvnews.ca/business/article/microsoft-releases-urgent-fix-for-sharepoint-vulnerability-being-used-in-global-cyberattacks/
Commentary
Microsoft responded by issuing urgent advisories and providing detailed mitigation instructions: apply all relevant patches immediately, enable or upgrade Antimalware Scan Interface integration, rotate ASP.NET machine keys, and restart Internet Information Services (IIS) on all SharePoint servers.
When updates or key actions cannot be taken immediately, organizations were urged to disconnect servers from the internet or limit external access using proxies or authentication gateways.
Security agencies, including the US's CISA and the UK's NCSC also warned organizations to act on these steps to avoid widespread impact and further exploitation by attackers deploying ransomware variants such as Warlock and LockBit.
SharePoint is especially vulnerable because it is widely used for document sharing and collaboration within organizations, providing broad access privileges and deep integration with other business-critical services. Its complex permission structures, reliance on on-premises servers maintained by local IT teams, and frequent use for highly sensitive data make it a prime target for attackers.
Vulnerabilities like remote code execution, especially when stemming from unsafe deserialization logic, allow even unauthenticated attackers to gain entry if systems are not rigorously updated and monitored.
Once compromised, SharePoint's connections to platforms such as Teams and OneDrive can enable lateral movement, data theft, and ransomware deployment.
Organizations can reduce risk by maintaining disciplined patching procedures, ensuring all security updates are applied as soon as they are released.
Key rotation for authentication tokens and machine keys following updates is essential for preventing post-exploit persistence.
Using Antimalware Scan Interface and Defender for Endpoint, or similar solutions, enhances security by detecting unauthorized activity at multiple levels.
Employing multi-factor authentication limits attackers' ability to increase privileges. Reduce exposure by carefully restricting access to sensitive documents only to those who truly need them.
Monitoring for unusual file access, login patterns outside normal geographies, or signs of brute-force attempts can provide early warning of intrusions.
