Critical SharePoint Vulnerabilities Exposed: Urgent Action Required!

Microsoft has announced critical security patches for an actively exploited vulnerability in SharePoint that affects on-premises server customers. The vulnerability, tracked as CVE-2025-53770, has a severity rating of 9.8, indicating a high potential for remote code execution due to improper handling of untrusted data. This flaw has led to active attacks on organizations since mid-July, prompting Microsoft to release an urgent advisory.

Additionally, a new spoofing vulnerability in SharePoint, identified as CVE-2025-53771 with a CVSS score of 6.3, was disclosed. An anonymous researcher is credited with reporting this flaw, which could allow attackers to spoof requests over a network due to an improper limitation in pathnames.

Both CVEs are linked to earlier identified vulnerabilities, CVE-2025-49704 and CVE-2025-49706, which form an exploit chain known as ToolShell and were previously addressed in the July Patch Tuesday update. While the newly released updates provide enhanced protections compared to the updates for the previous vulnerabilities, Microsoft is prioritizing customer notification and correction of any inaccuracies in its communications.

Microsoft emphasizes that these vulnerabilities affect only on-premises SharePoint Server versions, such as SharePoint Server 2016, 2019, and the Subscription Edition, and do not impact SharePoint Online or Microsoft 365 services. To safeguard against potential exploits, organizations are advised to apply security updates, enable the Antimalware Scan Interface (AMSI), implement robust antivirus solutions, and regularly rotate cryptographic keys.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its catalog of Known Exploited Vulnerabilities (KEV), requiring federal agencies to act swiftly and apply fixes. The potential impact of these vulnerabilities is underscored by reports of at least 54 organizations, including government bodies and universities, being compromised.

Experts from Palo Alto Networks are highlighting the urgency of addressing this threat, as attackers are not only breaching identity controls such as multi-factor authentication but are also exfiltrating sensitive data and establishing persistent access. Organizations are strongly encouraged to patch their systems promptly and consider disconnecting SharePoint from internet access until the vulnerabilities are fully addressed.

The situation serves as a crucial reminder of the security challenges that come with on-premises systems and the need for vigilant cybersecurity practices. By taking immediate action, organizations can significantly mitigate their risk and protect sensitive information from potential breaches.
