

Ethical Hacking News

Microsoft Patches Critical SharePoint 2016 Zero-Day Vulnerability Amid Active Exploits


Microsoft has released an emergency patch for a critical zero-day vulnerability in SharePoint Server 2016, which came to light less than two weeks after Microsoft's July Patch Tuesday update shipped. The patch was issued on July 21, following updates already available for SharePoint Server 2019 and SharePoint Server Subscription Edition. It addresses two zero-day vulnerabilities, CVE-2025-53770 (a deserialization flaw that gives an unauthenticated attacker remote code execution) and CVE-2025-53771 (a path-traversal flaw usable for spoofing), which were being exploited to break into internet-facing servers. Applying it does not undo any intrusion that happened while a server was unpatched: attackers may already have accessed data or systems.

  • Tens of thousands of servers, including those of US federal and state agencies, were at risk due to the vulnerability.
  • The patch addresses two zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which were being exploited to gain access to servers connected to the internet.
  • Attackers who exploited the flaw before the patch could steal the server's ASP.NET machine keys and use them to impersonate users or services afterwards, so patching alone does not evict them and organizations remain exposed to further attacks.
  • Before the patch was released, administrators had limited options: detecting post-exploitation activity with Microsoft Defender for Endpoint, enabling the AMSI integration in Full Mode, or disconnecting servers from the internet.
  • Cybersecurity experts warned that the vulnerability could lead to data theft, password harvesting, and other security breaches.
  • The incident highlights the importance of staying up-to-date with security patches and taking proactive measures to protect against zero-day vulnerabilities.



    Because the exploit chain lets an attacker read the server's ASP.NET machine keys, anyone who got in before the patch can keep forging requests that the server trusts, impersonating users or services, after the patch is applied. Attackers maintain access even after organizations think they're secure: the patch closes the entry point, but it does not evict anyone already inside or invalidate the keys they took.

    According to reports, tens of thousands of servers, including those of US federal and state agencies, were at risk. The problem affects only on-premises SharePoint servers; SharePoint Online in Microsoft 365 was unaffected. It took Redmond a few days to rush out an emergency patch, first for SharePoint Server 2019 and SharePoint Server Subscription Edition, and now for SharePoint Server 2016.

    Until the patches were available, administrators had limited options. Microsoft Defender for Endpoint could detect and block post-exploitation activity, and enabling the Antimalware Scan Interface (AMSI) integration in Full Mode, with an AMSI-capable antivirus such as Defender Antivirus running on the server, blocks the unauthenticated exploitation path. Where neither was possible, the remaining option was to disconnect the servers from the internet until a patch arrived.

    Marijus Briedis, Chief Technology Officer at NordVPN, commented on the situation: "The SharePoint vulnerability is exactly what happens when organizations treat security updates as optional. We're looking at unauthenticated access to systems with full access to SharePoint content, enabling attackers to execute code over the network, a complete compromise." He added, "When your employer, bank, or healthcare provider gets hit through SharePoint, the consumer pays the price. SharePoint servers often connect to other Microsoft services such as Outlook and Teams, meaning such a breach can quickly lead to data theft and password harvesting. Emails, financial records, medical data are interconnected, and once attackers are inside, they're harvesting everything."

    Briedis also noted that the vulnerability allows hackers to impersonate users or services even after the SharePoint server is patched. Attackers maintain access even after organizations think they're secure. "Once inside, they're exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys," he said. The attack applies to on-premises SharePoint servers, meaning organizations running their own infrastructure are sitting ducks until they patch and completely rebuild their security posture.

    Microsoft has also published guidance on how to spot successful exploitation, as has Eye Security, the firm that first reported the in-the-wild attacks. That report set SharePoint administrators scrambling over the weekend while Microsoft worked on a fix.
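    A concrete way to act on that guidance, as an added PowerShell example (it is not code from the article, from Microsoft or from Eye Security): the first function parses IIS W3C logs and flags the request pattern tied to this exploit chain, an unauthenticated POST to ToolPane.aspx in edit mode carrying a SignOut.aspx Referer, plus any request for the dropped page spinstall0.aspx; the second looks for that file in the SharePoint LAYOUTS folder. Those indicators come from the public guidance the article refers to, not from this page, so confirm them against the current advisory before relying on them. The log lines are constructed sample data, and the LAYOUTS path is the default 16 hive location, assumed here.

```powershell
# Added example, not from the article, Microsoft or Eye Security.
# Indicators (ToolPane.aspx POST with a SignOut.aspx referer; spinstall0.aspx) are
# taken from the public guidance the article refers to; confirm against the advisory.

function Find-ToolPaneExploitAttempts {
    param([Parameter(Mandatory)] [string[]] $LogLines)   # IIS W3C log lines, header included

    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # The header row defines the column order for the entries that follow it.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or [string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }

        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }     # skip malformed rows rather than guess
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }

        $reason = $null
        # Exploit chain: unauthenticated POST to ToolPane.aspx in edit mode with the
        # SignOut page as Referer. Legitimate page edits do not arrive this way.
        if ($entry['cs-method'] -eq 'POST' -and
            $entry['cs-uri-stem'] -match '/_layouts/(15/)?ToolPane\.aspx$' -and
            $entry['cs-uri-query'] -match 'DisplayMode=Edit' -and
            $entry['cs(Referer)'] -match '/_layouts/(15/)?SignOut\.aspx') {
            $reason = 'ToolPane edit POST with SignOut referer'
        }
        elseif ($entry['cs-uri-stem'] -match '/spinstall0\.aspx$') {
            $reason = 'request for dropped spinstall0.aspx'
        }
        if ($reason) {
            [pscustomobject]@{
                Time     = "$($entry['date']) $($entry['time'])"
                ClientIP = $entry['c-ip']
                Status   = $entry['sc-status']
                Reason   = $reason
            }
        }
    }
}

function Find-DroppedLayoutsPages {
    param(
        # Default 16 hive LAYOUTS folder (assumed; adjust for custom install paths).
        [string] $LayoutsPath = "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
        [string[]] $SuspectNames = @('spinstall0.aspx')
    )
    if (-not (Test-Path -LiteralPath $LayoutsPath)) { return }
    Get-ChildItem -LiteralPath $LayoutsPath -Recurse -File -Include $SuspectNames -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc
}

# Constructed sample log (not real traffic) to exercise the parser.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\jdoe 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2025-07-19 02:15:42 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://sharepoint.example.com/_layouts/SignOut.aspx 200 0 0 188
2025-07-19 02:16:01 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
'@ -split "`r?`n"

Find-ToolPaneExploitAttempts -LogLines $sampleLog | Format-Table -AutoSize
# On a real server: Find-ToolPaneExploitAttempts -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex250719.log')
Find-DroppedLayoutsPages | Format-Table -AutoSize
```

    On the constructed sample, the authenticated GET of start.aspx is ignored while the ToolPane POST and the later fetch of spinstall0.aspx are both reported with the same client address, which is the sequence to look for. Run it against every site's logs in the farm, not just the front end you happen to be on, and treat a hit as confirmation that the key rotation below is mandatory rather than optional.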

    Now that their servers are patched, administrators must deal with the possible consequences of an intrusion that happened while they were exposed. Microsoft recommends rotating the ASP.NET machine keys and then restarting Internet Information Services (IIS) on all SharePoint servers, in that order, so that the new keys are loaded everywhere.

    The reason is that criminals who gained access while the vulnerability was unpatched could have stolen those keys, and a stolen key lets them forge state the server trusts and regain access even after the patch is applied. The incident highlights the importance of staying up-to-date with security patches and taking proactive measures to protect against zero-day vulnerabilities.
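    The rotation step Microsoft recommends, written out as an added PowerShell example (this is not Microsoft's script or the article's code): it rotates the machine keys of every web application in the farm and then restarts IIS on every SharePoint server. It assumes it is run from the SharePoint Management Shell as a farm administrator on a server that already has the July 2025 security update installed, that the Update-SPMachineKey cmdlet is present at that patch level (it checks and stops if not), and that WinRM is reachable on the other farm servers.

```powershell
# Added example, not Microsoft's or the article's code. Run in the SharePoint Management
# Shell as a farm administrator on one server AFTER the July 2025 security update is
# installed; rotating keys on an unpatched server just hands the attacker the new ones.
# Assumes Update-SPMachineKey exists at this patch level and WinRM reaches every farm server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    $msg = "Update-SPMachineKey not found: install the current security update, or run the " +
           "'Machine Key Rotation Job' timer job from Central Administration instead."
    throw $msg
}

# Each web application carries its own ValidationKey/DecryptionKey pair. An attacker who
# read the keys from one can forge ASP.NET state that application trusts, so rotate all
# of them, Central Administration included.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating ASP.NET machine keys for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# New keys are only picked up when the w3wp worker processes restart, and every server
# in the farm serves these applications, so restart IIS everywhere, not just here.
# Role 'Invalid' marks non-SharePoint members such as the SQL server; skip those.
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | ForEach-Object { $_.Address }
foreach ($server in $servers) {
    Write-Host "Restarting IIS on $server"
    Invoke-Command -ComputerName $server -ScriptBlock { iisreset.exe /noforce }
}
```

    Order matters: patch first, rotate second, restart third. Rotating before the patch is installed gives an attacker who is still exploiting the flaw a fresh copy of the new keys, and restarting IIS before the rotation completes leaves worker processes holding the compromised pair. If any server fails the remote restart, run `iisreset.exe` on it locally before treating the farm as recovered.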

    In conclusion, Microsoft's latest patch for SharePoint Server 2016 is a crucial step in addressing the critical zero-day vulnerability discovered in the software. However, it also serves as a reminder that organizations must be vigilant in their approach to cybersecurity and take immediate action when faced with potential security threats.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsoft-Patches-Critical-SharePoint-2016-Zero-Day-Vulnerability-Amid-Active-Exploits-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/07/22/microsoft_sharepoint_2016_patch/


  • Published: Tue Jul 22 09:44:25 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us