{"id":12692,"date":"2025-07-21T11:01:56","date_gmt":"2025-07-21T05:01:56","guid":{"rendered":"https:\/\/thegamersmall.com\/blog\/?p=12692"},"modified":"2025-07-21T11:01:59","modified_gmt":"2025-07-21T05:01:59","slug":"microsoft-sharepoint-vulnerability-2025","status":"publish","type":"post","link":"https:\/\/thegamersmall.com\/blog\/microsoft-sharepoint-vulnerability-2025\/","title":{"rendered":"Critical Microsoft SharePoint Vulnerability Actively Exploited Worldwide"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1200\" height=\"675\" src=\"https:\/\/thegamersmall.com\/blog\/wp-content\/uploads\/2025\/07\/Microsoft-SharePoint-Vulnerability-2025-1200x675.jpg\" alt=\"Microsoft SharePoint Vulnerability 2025\" class=\"wp-image-12693 tgm-img-1\" srcset=\"https:\/\/thegamersmall.com\/blog\/wp-content\/uploads\/2025\/07\/Microsoft-SharePoint-Vulnerability-2025-1200x675.jpg 1200w, https:\/\/thegamersmall.com\/blog\/wp-content\/uploads\/2025\/07\/Microsoft-SharePoint-Vulnerability-2025-300x169.jpg 300w, https:\/\/thegamersmall.com\/blog\/wp-content\/uploads\/2025\/07\/Microsoft-SharePoint-Vulnerability-2025-768x432.jpg 768w, https:\/\/thegamersmall.com\/blog\/wp-content\/uploads\/2025\/07\/Microsoft-SharePoint-Vulnerability-2025-1536x864.jpg 1536w, https:\/\/thegamersmall.com\/blog\/wp-content\/uploads\/2025\/07\/Microsoft-SharePoint-Vulnerability-2025.jpg 1920w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/figure>\n<\/div>\n\n\n<p>A new <strong>Microsoft SharePoint vulnerability<\/strong> is making headlines across the globe\u2014and it&#8217;s not just any flaw. 
It&#8217;s a <strong>zero-day vulnerability (CVE-2025-53770)<\/strong>, already exploited in the wild, affecting hundreds of servers in government, education, and private sectors.<\/p>\n\n\n\n<p>If your organization uses <strong>on-premises SharePoint Server (2016, 2019, or Subscription Edition)<\/strong>, you may already be exposed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">TL;DR: What to Do Now<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Step<\/th><th>Action<\/th><\/tr><\/thead><tbody><tr><td>\u2705 Patch Now<\/td><td>Subscription &amp; 2019<\/td><\/tr><tr><td>\ud83d\udd10 Isolate<\/td><td>Especially for 2016 servers<\/td><\/tr><tr><td>\ud83d\udd0d Scan<\/td><td>Check for web shells and known threat IPs<\/td><\/tr><tr><td>\ud83d\udddd Rotate Keys<\/td><td>Change ASP.NET machine keys post-breach<\/td><\/tr><tr><td>\ud83d\udea8 Monitor<\/td><td>Enable AMSI + Defender AV immediately<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">What Is the Microsoft SharePoint Vulnerability?<\/h2>\n\n\n\n<p>The flaw lies in a <strong>deserialization process<\/strong> within Microsoft SharePoint, allowing <strong>unauthenticated remote code execution (RCE)<\/strong> via crafted requests. Once exploited, attackers can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deploy stealth <strong>web shells<\/strong> (like <code>spinstall0.aspx<\/code>)<\/li>\n\n\n\n<li>Steal <strong>machine keys<\/strong><\/li>\n\n\n\n<li>Maintain <strong>persistent admin-level access<\/strong>\u2014even after patching<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>This <strong>Microsoft SharePoint vulnerability<\/strong> is already linked to breaches in over 75 organizations, including U.S. 
state agencies and universities.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Affected Versions of SharePoint<\/h2>\n\n\n\n<p>This vulnerability affects:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>SharePoint Server 2016<\/strong> \u2013 \u274c <em>Patch not yet available<\/em><\/li>\n\n\n\n<li><strong>SharePoint Server 2019<\/strong> \u2013 \u2705 <em>Patch available (KB5002754)<\/em><\/li>\n\n\n\n<li><strong>SharePoint Subscription Edition<\/strong> \u2013 \u2705 <em>Patch available (KB5002768)<\/em><\/li>\n<\/ul>\n\n\n\n<p>Cloud-based <strong>SharePoint Online<\/strong> is not affected.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s Happening Globally?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>United States<\/strong>: CISA has added CVE-2025-53770 to its <strong>Known Exploited Vulnerabilities (KEV)<\/strong> catalog, requiring federal agencies to patch by <strong>July 21, 2025<\/strong>.<\/li>\n\n\n\n<li><strong>Australia<\/strong>: The ACSC (Australian Cyber Security Centre) issued a high-severity advisory warning all businesses to mitigate this <strong>SharePoint vulnerability<\/strong> immediately.<\/li>\n\n\n\n<li><strong>Canada<\/strong>: The Canadian Centre for Cyber Security reported active exploitation inside Canada and released IOC lists for detection.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Signs You\u2019ve Been Compromised<\/h2>\n\n\n\n<p>Your systems may be affected by the Microsoft SharePoint vulnerability if you see:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unknown <code>.aspx<\/code> files like <code>spinstall0.aspx<\/code><\/li>\n\n\n\n<li>Suspicious POST requests to <code>\/_layouts\/15\/ToolPane.aspx<\/code><\/li>\n\n\n\n<li>Outbound connections to these IPs:\n<ul 
class=\"wp-block-list\">\n<li><code>107.191.58.76<\/code><\/li>\n\n\n\n<li><code>96.9.125.147<\/code><\/li>\n\n\n\n<li><code>104.238.159.149<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How to Fix or Mitigate the Microsoft SharePoint Vulnerability<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. <strong>Patch Immediately<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>2019 and Subscription Editions<\/strong>: Apply Microsoft\u2019s July 2025 patches<\/li>\n\n\n\n<li><strong>2016 Edition<\/strong>: Await official fix, but proceed to next steps<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2. <strong>Enable Microsoft Defender Antivirus + AMSI<\/strong><\/h3>\n\n\n\n<p>This will help detect exploitation attempts, malicious web shells, and known exploit patterns.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. <strong>Disconnect Internet-Facing SharePoint Servers<\/strong><\/h3>\n\n\n\n<p>Especially for unpatched 2016 deployments<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. <strong>Scan for Web Shells and Indicators of Compromise<\/strong><\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">5. 
<strong>Rotate ASP.NET Machine Keys<\/strong><\/h3>\n\n\n\n<p>If compromise is suspected, key rotation is essential to revoke attacker access.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What People Also Ask<\/h2>\n\n\n<div id=\"rank-math-faq\" class=\"rank-math-block\">\n<div class=\"rank-math-list \">\n<div id=\"faq-question-1753073190698\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">What is the Microsoft SharePoint vulnerability about?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>It&#8217;s a critical zero-day (CVE-2025-53770) that allows remote code execution without authentication via deserialization flaws.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1753073393891\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">Has Microsoft released a patch?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Yes, but only for SharePoint 2019 and Subscription Edition. 2016 patch is still pending.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1753073835458\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">Who discovered the Microsoft SharePoint vulnerability?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Cybersecurity researchers and national security teams confirmed active exploitation. Microsoft and CISA have since validated and published guidance.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1753073843509\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">Is SharePoint Online affected?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>No. Only on-premises SharePoint Servers are vulnerable.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\">Final Thoughts<\/h2>\n\n\n\n<p>This <strong>Microsoft SharePoint vulnerability<\/strong> isn\u2019t theoretical\u2014it\u2019s already breached dozens of networks. If your organization runs an on-prem SharePoint instance, <strong>your attack surface is exposed<\/strong>. Don&#8217;t wait for a breach notification. 
Take proactive steps now.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Even a patched system can remain vulnerable if the attacker installed backdoors beforehand. Full incident response is recommended post-exploitation.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Useful Resources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security Advisory<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/07\/20\/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770\" target=\"_blank\" rel=\"noreferrer noopener\">CISA Alert Page<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/thehackernews.com\/2025\/07\/critical-microsoft-sharepoint-flaw.html\" target=\"_blank\" rel=\"noreferrer noopener\">The Hacker News Report<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.washingtonpost.com\/technology\/2025\/07\/20\/microsoft-sharepoint-hack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Washington Post Coverage<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A new Microsoft SharePoint vulnerability is making headlines across the globe\u2014and it&#8217;s not just any flaw. It&#8217;s a zero-day vulnerability (CVE-2025-53770), already exploited in the wild, affecting hundreds of servers in government, education, and private sectors. If your organization uses on-premises SharePoint Server (2016, 2019, or Subscription Edition), you may already be exposed. 
TL;DR: What&#8230;<\/p>\n","protected":false},"author":1,"featured_media":12693,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_eb_attr":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[10],"tags":[1225,1216,1219,1217,1224,1222,1223,1221,1218,1212,1220,1215,1211,1213,1214],"class_list":["post-12692","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-alt","tag-cve-2025-53770","tag-cybersecurity-news","tag-defender-amsi","tag-description","tag-filename","tag-image-seo-title","tag-image-suggestion-with-placement","tag-microsoft-security-update","tag-microsoft-sharepoint","tag-patch-alert","tag-sharepoint-rce","tag-sharepoint-vulnerability","tag-web-shell","tag-zero-day-exploit"],"_links":{"self":[{"href":"https:\/\/thegamersmall.com\/blog\/wp-json\/wp\/v2\/posts\/12692","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thegamersmall.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thegamersmall.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thegamersmall.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thegamersmall.com\/blog\/wp-json\/wp\/v2\/comments?post=12692"}],"version-history":[{"count":1,"href":"https:\/\/thegamersmall.com\/blog\/wp-json\/wp\/v2\/posts\/12692\/revisions"}],"predecessor-version":[{"id":12694,"href":"https:\/\/thegamersmall.com\/blog\/wp-json\/wp\/v2\/posts\/12692\/revisions\/12694"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thegamersmall.com\/blog\/wp-json\/wp\/v2\/media\/12693"}],"wp:attachment":[{"href":"https:\/\/thegamersmall.com\/blog\/wp-json\/wp\/v2\/media?pare
nt=12692"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thegamersmall.com\/blog\/wp-json\/wp\/v2\/categories?post=12692"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thegamersmall.com\/blog\/wp-json\/wp\/v2\/tags?post=12692"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}