Microsoft Patches Critical SharePoint Flaw Under Active Exploitation

A sophisticated cyberattack campaign is targeting organizations running Microsoft SharePoint servers on the premises. Exploiting a critical remote code execution vulnerability, threat actors have already breached dozens of high-profile networks. Microsoft issued emergency patches amid warnings from security firms and federal agencies.

Attackers are actively weaponizing this flaw, gaining administrator-level access to internal systems and extracting sensitive data, according to security experts. The potential for widespread impact is high, particularly in sectors reliant on SharePoint for collaboration.

Deep Dive: The SharePoint Vulnerability

CVE-2025-53770 is a remote code execution flaw in SharePoint’s on-premise versions. It stems from unsafe deserialization of data, allowing attackers to execute malicious code without authentication. The nature of the vulnerability makes it especially dangerous: a single crafted request can be enough for an attacker to seize control.

Another related issue, identified as CVE-2025-53771, introduces risks of spoofing and path traversal, although it is considered to have lower severity. Both vulnerabilities are reportedly being linked to chained exploits for maximum penetration and persistence in targeted networks.

Did you know?
Researchers found that by stealing ASP.NET machine keys through CVE-2025-53770, attackers can generate valid logins across a SharePoint network, bypassing routine patches or password resets.

Who's at Risk?

The primary victims are organizations running SharePoint Server 2016, 2019, and Subscription Edition. Microsoft 365 SharePoint Online remains unaffected. Cybersecurity agencies have confirmed intrusions in government, healthcare, academia, and large enterprises.

Some experts warn that the actual number of compromised organizations may be higher than the reported figure of over 50. Victims may not immediately detect breaches, as attackers are leveraging stolen machine keys to establish deep, stealthy access.

Microsoft’s Response and Guidance

Microsoft has released emergency patches for SharePoint Server 2019 and Subscription Edition to address a critical vulnerability actively exploited in the wild. A security fix for SharePoint 2016 is still pending, prompting urgent guidance from the company. Organizations are instructed to apply the latest updates immediately, enable the Antimalware Scan Interface (AMSI) in Full Mode, and ensure Microsoft Defender Antivirus or equivalent tools are running.

After patching, IT teams must rotate all SharePoint ASP.NET keys and restart IIS services across all servers. If AMSI cannot be enabled, affected systems should be temporarily disconnected from the internet. Experts stress that patching alone does not fully remove the threat, as attackers may have already established persistence. Rotating cryptographic keys is the key to cutting off hidden access and preventing prolonged compromises.

ALSO READ | How Did Chinese Engineers Get Access to US Defense Clouds?

Exploitation in the Wild

Palo Alto Networks Unit 42 and Eye Security report active attacks since mid-July. In multiple cases, attackers bypassed authentication controls, including MFA and SSO, to gain persistent access. Once inside, they exfiltrated data, deployed web shells, and moved stealthily across connected Microsoft services.

CISA has flagged CVE-2025-53770 as a top-priority threat, requiring immediate mitigation for U.S. federal agencies. The interconnected nature of SharePoint means a single compromise can cascade into breaches of critical services like Office, Teams, and OneDrive.

Next Steps for At-Risk

Organizations with internet-facing SharePoint servers should operate under the assumption that compromise has already occurred. Immediate actions include applying Microsoft's emergency patches, enabling AMSI for deeper threat detection, and rotating all sensitive cryptographic material, such as machine keys. Continuous monitoring for unusual activity is essential to identify lingering threats.

Security experts warn that relying solely on patching can leave systems vulnerable to long-term infiltration. A full incident response, including forensic investigation, is critical to uncover hidden access points. The speed and thoroughness of defensive actions now will shape how effectively networks are secured and trust is restored, as attackers actively evolve their methods to exploit any remaining weaknesses.