New Zero-Day Threat Targets SharePoint: What You Need to Know

Microsoft has reported that attackers are taking advantage of a newly identified zero-day vulnerability (CVE-2025-53770) affecting on-premises SharePoint servers. This vulnerability is a variant of an earlier patched remote code execution flaw (CVE-2025-49706), and it allows malicious actors to install backdoors and extract security keys, enabling them to seize full control of compromised systems.

With no patch currently available for CVE-2025-53770, Microsoft recommends that organizations with affected SharePoint servers implement precautionary measures. Enabling the Antimalware Scan Interface (AMSI) integration and deploying Microsoft Defender Antivirus on all SharePoint servers can help mitigate risks. Microsoft clarified that AMSI integration was automatically activated in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for Subscription Edition. If enabling AMSI is not feasible, Microsoft advises removing internet access from SharePoint servers and deploying Defender for Endpoint to detect and thwart potential post-exploit activities.

The vulnerability allows attackers to remotely execute code without any user interaction, targeting on-premises versions of SharePoint, including Microsoft SharePoint Server 2019, the Enterprise Server 2016, and the SharePoint Server Subscription Edition. Notably, applications running on Microsoft 365, such as SharePoint Online, are not affected.

Research by Dutch security firm Eye Security indicates that exploitation of this zero-day has been active since at least mid-July. Their findings revealed that attackers used a stealthy malicious file—spinstall0.aspx—to extract cryptographic secrets from SharePoint servers, a method that differs from typical web shell exploits. This more covert approach raises significant concerns about the integrity and security of the affected systems.

Organizations are urged to take prompt action. Those that previously removed their SharePoint servers from internet access or enabled AMSI after the initial attack wave should still audit their server logs for signs of compromise. Eye Security has published a continuously updated list of indicators of compromise (IoCs) and recommends following Microsoft’s guidance. For organizations that suspect they have been attacked, isolating the implicated servers and renewing all credentials and exposed secrets is crucial, as stolen keys could allow attackers continued access even after the patch is applied.
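As an added illustration of the log audit recommended above (example code written for this page, not from the article, Microsoft or Eye Security): a Python script that reads IIS W3C access logs from a SharePoint front end and flags any request for the spinstall0.aspx file the article names, then tallies the requesting client addresses for follow-up. The log lines, the directory in which the file appears, the timestamps and the client addresses are all constructed for the example; the IoC set holds only the filename given in the article and should be extended from the published IoC list.

```python
"""Flag IIS W3C log entries that reference known IoC filenames.

Added example for this page; assumes the standard IIS W3C layout in which a
'#Fields:' header line names the space-separated columns of the data lines.
"""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# The one IoC filename the article names; extend from the published IoC list.
IOC_FILENAMES = {"spinstall0.aspx"}

# Constructed sample log (paths, times and addresses are invented for the example).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 10:02:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\alice 10.0.0.21 Mozilla/5.0 200
2025-07-18 10:03:45 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-18 10:03:50 10.0.0.5 GET /_layouts/15/spinstall0%2Easpx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-18 10:05:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\bob 10.0.0.22 Mozilla/5.0 200
"""


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    method: str
    uri: str
    status: str
    reason: str


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names from the '#Fields:' header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Date and other directives carry no request data
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def scan(lines):
    """Return a Hit for every request whose URI stem ends in an IoC filename."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        # Decode percent-encoding so an obfuscated spelling of the name still matches.
        name = unquote(stem).rsplit("/", 1)[-1].lower()
        if name in IOC_FILENAMES:
            hits.append(Hit(
                timestamp=f"{rec.get('date', '?')} {rec.get('time', '?')}",
                client_ip=rec.get("c-ip", "?"),
                method=rec.get("cs-method", "?"),
                uri=stem,
                status=rec.get("sc-status", "?"),
                reason=f"request for IoC file {name}",
            ))
    return hits


def clients_by_hits(hits):
    """Count hits per client address so responders know which sources to examine first."""
    return dict(Counter(h.client_ip for h in hits))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.timestamp} {h.client_ip} {h.method} {h.uri} -> {h.status}: {h.reason}")
    print("clients:", clients_by_hits(found))
```

A real run would pass the lines of each `u_ex*.log` file from the IIS log directory instead of `SAMPLE_LOG`; a hit is a reason to isolate the server and begin credential and key rotation, not proof on its own, since a request for the file can also be logged when an administrator checks for it.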

CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, directing all U.S. federal agencies to assess their systems and implement mitigations.

In response to the threat, a decisive community-wide effort could significantly enhance security measures and protect sensitive data. Organizations are encouraged to stay vigilant, utilize available resources, and consult with cybersecurity specialists if necessary to safeguard their infrastructures.
