Ethical Hacking News
A critical security vulnerability in Microsoft SharePoint Server has been exploited in large-scale attacks, affecting more than 75 companies worldwide. The CVE-2025-53770 zero-day flaw allows unauthorized attackers to execute code over a network after deserialization of untrusted data in on-premises Microsoft SharePoint Server. To protect against this threat, Microsoft is urging customers to configure Antimalware Scan Interface (AMSI) integration and deploy Defender AV on all SharePoint servers.
CVE-2025-53770, a critical security vulnerability in Microsoft SharePoint Server, has been actively exploited by attackers. The vulnerability allows unauthorized attackers to execute code over a network after deserialization of untrusted data. The attack targets on-premises SharePoint Server customers but not SharePoint Online in Microsoft 365. Microsoft has released a patch for the vulnerability and is recommending that customers configure Antimalware Scan Interface (AMSI) integration and deploy Defender AV on all SharePoint servers. Cybersecurity companies are urging customers to take immediate action to protect themselves from this vulnerability because of its critical nature and widespread impact.
CVE-2025-53770, a critical security vulnerability in Microsoft SharePoint Server, has been weaponized as part of an "active, large-scale" exploitation campaign. This zero-day flaw, tracked by the Cybersecurity and Infrastructure Security Agency (CISA) and widely reported on cybersecurity forums, allows an unauthorized attacker to execute code over a network after deserialization of untrusted data in on-premises Microsoft SharePoint Server.
The vulnerability is described as a variant of CVE-2025-49704, a code injection and remote code execution bug in Microsoft SharePoint Server that Microsoft addressed as part of its July 2025 Patch Tuesday updates. The new flaw has been found to be actively exploited by attackers. This exploitation campaign targets on-premises SharePoint Server customers but not SharePoint Online in Microsoft 365.
The attack vector involves abusing how SharePoint deserializes untrusted objects, which allows attackers to execute commands before any authentication takes place. Once inside, the attackers can forge trusted payloads using stolen machine keys to persist or move laterally, often blending in with legitimate SharePoint activity. This makes detection and response especially difficult without deep endpoint visibility.
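The root cause described above is a general bug class, not something specific to SharePoint: a deserializer that reconstructs arbitrary objects from untrusted bytes will resolve and invoke whatever callables the bytes reference, before any application logic runs. The following Python illustration is an added example written for this article, not SharePoint code or Microsoft's code. It uses Python's pickle as a stand-in for the .NET serializer, a harmless callable (os.getpid) as a stand-in for an attacker's command, and a hypothetical allow-list loader (RestrictedUnpickler) as the hardened form; the payload bytes are constructed inline.

```python
"""Added illustration: why deserializing untrusted data yields code execution,
and how an allow-list deserializer refuses such input (hypothetical code)."""
import io
import os
import pickle


class Gadget:
    """Constructed object whose __reduce__ tells pickle to call a function on load.
    A harmless callable (os.getpid) stands in for a command an attacker would run."""
    def __reduce__(self):
        return (os.getpid, ())


# Constructed "untrusted" request body: bytes a client might send to an endpoint
# that rebuilds objects from raw input without checking what they reference.
UNTRUSTED_PAYLOAD = pickle.dumps(Gadget())


def vulnerable_load(data: bytes):
    """Deserializes whatever the caller sends. pickle resolves the referenced
    callable and invokes it while loading, i.e. before any business logic or
    authentication check could run. Returns whatever the callable returned."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolves references that appear on an explicit allow-list of
    (module, name) pairs; everything else aborts the load."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def hardened_load(data: bytes):
    """Same input, but a reference outside the allow-list raises instead of running."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Returns (did the vulnerable loader run the referenced callable,
    did the hardened loader reject the same payload)."""
    ran_callable = vulnerable_load(UNTRUSTED_PAYLOAD) == os.getpid()
    try:
        hardened_load(UNTRUSTED_PAYLOAD)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return ran_callable, rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The point for defenders is that the vulnerable loader never sees a "command"; it simply reconstructs what it was given, and the attacker's choice of referenced callable is what executes. Mitigations that act at deserialization time (type allow-lists, or in SharePoint's case AMSI inspection of the request before it is processed) therefore matter more than checks placed after the object has been built.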
Microsoft has released a patch for CVE-2025-53770. Because of the flaw's critical nature and widespread impact, several cybersecurity companies and organizations are nonetheless urging customers to take immediate additional action to protect themselves from this vulnerability.
Eye Security, in collaboration with Palo Alto Networks Unit 42, has warned about attacks chaining CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in SharePoint, and CVE-2025-49704 to facilitate arbitrary command execution on susceptible instances. The exploit chain has been codenamed ToolShell.
To mitigate this risk, Microsoft is recommending that customers configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender AV on all SharePoint servers. For those who cannot enable AMSI, the advice is to disconnect the SharePoint Server from the internet until a security update is available.
Furthermore, several major cybersecurity companies are advising users to adopt additional measures to protect against post-exploitation activity. The vulnerability highlights the need for regular patching and continuous monitoring of endpoint devices and systems.
The discovery of this critical unpatched SharePoint zero-day exploit underscores the importance of timely updates and proactive security measures in preventing widespread attacks on enterprise networks.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Unpatched-SharePoint-Zero-Day-Exploited-in-Large-Scale-Attacks-ehn.shtml
https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html
https://nvd.nist.gov/vuln/detail/CVE-2025-53770
https://www.cvedetails.com/cve/CVE-2025-53770/
https://nvd.nist.gov/vuln/detail/CVE-2025-49704
https://www.cvedetails.com/cve/CVE-2025-49704/
https://nvd.nist.gov/vuln/detail/CVE-2025-49706
https://www.cvedetails.com/cve/CVE-2025-49706/
Published: Mon Jul 21 19:38:54 2025 by llama3.2 3B Q4_K_M