New SharePoint Zero-Day Attacks: Over 75 Servers Compromised

Microsoft SharePoint, a widely used platform for creating websites and managing information, is currently in the spotlight due to actively exploited vulnerabilities affecting its on-premises servers. Two zero-day vulnerabilities, designated as CVE-2025-53770 and CVE-2025-53771, have already led to the compromise of over 75 servers.

Earlier, two SharePoint vulnerabilities (CVE-2025-49706 and CVE-2025-49704) were discovered and patched in July. However, attackers adapted and developed new exploits that bypass those fixes, leading to the emergence of CVE-2025-53770 and CVE-2025-53771. These new zero-days are being actively exploited, causing significant concern. Notably, CVE-2025-53770 was also added to CISA's Known Exploited Vulnerabilities catalog on 20 July 2025.

These vulnerabilities in SharePoint stem from weaknesses in how the platform handles data and file access. CVE-2025-53770, which has a CVSS score of 9.8, arises from improper deserialization of untrusted data: SharePoint processes external data without properly validating it, allowing attackers to execute harmful code on the server remotely, without any authentication. The second vulnerability, CVE-2025-53771, with a CVSS score of 6.3, is a path traversal vulnerability, meaning that attackers with some level of access to the system can manipulate file paths to reach restricted directories or files and perform unauthorized actions. Combined, these two vulnerabilities give attackers a significant opportunity to breach servers and steal confidential data.

Only on-premises SharePoint Server is vulnerable; SharePoint Online (part of Microsoft 365) is not affected.

Microsoft has released patches for SharePoint Server 2019, SharePoint Subscription Edition, and SharePoint Server 2016. For organizations that cannot apply these patches immediately, Microsoft recommends enabling Antimalware Scan Interface (AMSI) on SharePoint servers, and it is also advised to deploy Microsoft Defender Antivirus to add an extra layer of protection. If neither option is feasible, the safest course of action is to disconnect the SharePoint server from the internet temporarily until fixes become available. Additionally, after patching or enabling AMSI, it is crucial to rotate SharePoint's machine keys to prevent further misuse of the previously compromised services.
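A post-patch checklist covering the steps above, as an added PowerShell example that is not part of the original post: it records the farm build so the applied patch level is auditable, rotates the ASP.NET machine keys of every web application with the SharePoint cmdlet Update-SPMachineKey, confirms that Defender Antivirus is active, and restarts IIS so the new keys take effect. It assumes an elevated SharePoint Management Shell on one server of the farm, the Defender PowerShell module, and a constructed report path; AMSI enablement is done in Central Administration and is not scripted here.

```powershell
# Added example (not from the original post): post-patch mitigation checklist
# for an on-premises SharePoint farm. Run in an elevated SharePoint Management
# Shell on a farm server; repeat the IIS restart on every server in the farm.
$ErrorActionPreference = 'Stop'
$ReportPath = 'C:\Temp\sharepoint-mitigation-report.txt'   # assumed location

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$report = New-Object System.Collections.Generic.List[string]

# 1. Record the farm build version so the patch level is visible in the report.
$farm = Get-SPFarm
$report.Add("Farm build version: $($farm.BuildVersion)")

# 2. Rotate the machine keys of every web application (Central Administration
#    included). Keys captured before patching would otherwise remain usable, so
#    rotation is the step that closes the door on an earlier compromise.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $webApp
        $report.Add("Rotated machine key: $($webApp.Url)")
    } catch {
        $report.Add("FAILED to rotate machine key for $($webApp.Url): $($_.Exception.Message)")
    }
}

# 3. Confirm Defender Antivirus is enabled with real-time protection and is not
#    running in passive mode behind another product.
$mp = Get-MpComputerStatus
$report.Add("Defender AV enabled: $($mp.AntivirusEnabled); real-time protection: $($mp.RealTimeProtectionEnabled); running mode: $($mp.AMRunningMode)")

# 4. Rotated keys are only picked up when the worker processes restart.
#    /noforce lets in-flight requests finish before the restart.
& iisreset.exe /noforce
$report.Add("IIS restarted on $env:COMPUTERNAME")

$report | Set-Content -Path $ReportPath
$report
```

Review the report for any FAILED line before considering the farm remediated, and keep it with the change record for the patch.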

In today’s fast-changing cyber threat landscape, the SharePoint zero-day vulnerabilities highlight how attackers can quickly exploit even well-established platforms. With timely patching and proactive security measures, you can stay one step ahead and protect your organization’s critical data. Ensure your SharePoint servers are updated with the latest security patches and follow recommended best practices like enabling AMSI and rotating machine keys.

With Endpoint Central, Patch Manager Plus and Vulnerability Manager Plus, you can stay ahead—patching vulnerabilities promptly and managing device security proactively. Visit our forum post to learn more about how to safeguard your SharePoint environment.
