Critical Microsoft SharePoint Vulnerability Actively Exploited Worldwide
A new Microsoft SharePoint vulnerability is making headlines across the globe—and it’s not just any flaw. It’s a zero-day vulnerability (CVE-2025-53770), already exploited in the wild, affecting hundreds of servers in government, education, and private sectors.
If your organization uses on-premises SharePoint Server (2016, 2019, or Subscription Edition), you may already be exposed.
TL;DR: What to Do Now
| Step | Action |
|---|---|
| ✅ Patch Now | Subscription & 2019 |
| 🔐 Isolate | Especially for 2016 servers |
| 🔍 Scan | Check for web shells and known threat IPs |
| 🗝 Rotate Keys | Change ASP.NET machine keys post-breach |
| 🚨 Monitor | Enable AMSI + Defender AV immediately |
What Is the Microsoft SharePoint Vulnerability?
The flaw lies in a deserialization process within Microsoft SharePoint, allowing unauthenticated remote code execution (RCE) via crafted requests. Once exploited, attackers can:
- Deploy stealth web shells (like
spinstall0.aspx) - Steal machine keys
- Maintain persistent admin-level access—even after patching
This Microsoft SharePoint vulnerability is already linked to breaches in over 75 organizations, including U.S. state agencies and universities.
Also read ASUS ROG Strix G16 (2025) Review
Affected Versions of SharePoint
This vulnerability affects:
- SharePoint Server 2016 – ❌ Patch not yet available
- SharePoint Server 2019 – ✅ Patch available (KB5002754)
- SharePoint Subscription Edition – ✅ Patch available (KB5002768)
Cloud-based SharePoint Online is not affected.
What’s Happening Globally?
- United States: CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by July 21, 2025.
- Australia: The ACSC (Australian Cyber Security Centre) issued a high-severity advisory warning all businesses to mitigate this SharePoint vulnerability immediately.
- Canada: The Canadian Centre for Cyber Security reported active exploitation inside Canada and released IOC lists for detection.
Signs You’ve Been Compromised
Your systems may be affected by the Microsoft SharePoint vulnerability if you see:
- Unknown
.aspxfiles likespinstall0.aspx - Suspicious POST requests to
/_layouts/15/ToolPane.aspx - Outbound connections to these IPs:
107.191.58.7696.9.125.147104.238.159.149
How to Fix or Mitigate the Microsoft SharePoint Vulnerability
1. Patch Immediately
- 2019 and Subscription Editions: Apply Microsoft’s July 2025 patches
- 2016 Edition: Await official fix, but proceed to next steps
2. Enable Microsoft Defender Antivirus + AMSI
This will help detect exploitation attempts, malicious web shells, and known exploit patterns.
3. Disconnect Internet-Facing SharePoint Servers
Especially for unpatched 2016 deployments
4. Scan for Web Shells and Indicators of Compromise
5. Rotate ASP.NET Machine Keys
If compromise is suspected, key rotation is essential to revoke attacker access.
What People Also Ask
What is the Microsoft SharePoint vulnerability about?
It’s a critical zero-day (CVE-2025-53770) that allows remote code execution without authentication via deserialization flaws.
Has Microsoft released a patch?
Yes, but only for SharePoint 2019 and Subscription Edition. 2016 patch is still pending.
Who discovered the Microsoft SharePoint vulnerability?
Cybersecurity researchers and national security teams confirmed active exploitation. Microsoft and CISA have since validated and published guidance.
Is SharePoint Online affected?
No. Only on-premises SharePoint Servers are vulnerable.
Final Thoughts
This Microsoft SharePoint vulnerability isn’t theoretical—it’s already breached dozens of networks. If your organization runs an on-prem SharePoint instance, your attack surface is exposed. Don’t wait for a breach notification. Take proactive steps now.
Even a patched system can remain vulnerable if the attacker installed backdoors beforehand. Full incident response is recommended post-exploitation.
