If Your Business Uses These Versions of Microsoft SharePoint, Patch Them Now
Microsoft has issued urgent security patches for multiple critical vulnerabilities in its on-premises SharePoint Server, warning that these flaws are being actively exploited by attackers, including suspected nation-state actors. The vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, pose significant risks to businesses using SharePoint Server Subscription Edition, 2019, and 2016.
CVE-2025-53770, with a severity score of 9.8, allows remote code execution (RCE), enabling attackers to run arbitrary code on SharePoint servers by sending specially crafted requests. This exploit can lead to full server compromise. CVE-2025-53771, rated at 7.1, facilitates spoofing via path traversal, which attackers can use to escalate privileges or bypass security controls.
These vulnerabilities are closely linked to earlier flaws (CVE-2025-49704 and CVE-2025-49706), which were partially mitigated but can now be chained in attacks. This “ToolShell” technique allows attackers to exploit multiple weaknesses for more effective breaches.
Organizations at highest risk include those with public-facing SharePoint servers, particularly in sectors like government, education, and energy. At least two U.S. federal agencies have been breached due to these vulnerabilities, with additional attacks reported in North America and Australia.
Microsoft and security agencies have identified active exploitation by sophisticated hacking groups, including Chinese nation-state actors such as Linen Typhoon, Violet Typhoon, and Storm-2603. These attackers have used the vulnerabilities to establish persistent access, steal data, and move laterally within compromised networks.
Microsoft strongly advises all on-premises SharePoint Server users to apply the latest cumulative security updates immediately. These patches address CVE-2025-53770, CVE-2025-53771, and related vulnerabilities. Organizations should refer to Microsoft’s official update channels to download and install the correct update package for their SharePoint Server edition.
As an additional layer of defense, businesses should ensure they are using supported versions of SharePoint Server, deploy advanced endpoint protection tools, enable the Antimalware Scan Interface (AMSI) with up-to-date antivirus software, and rotate ASP.NET machine keys to invalidate potentially stolen credentials.
Microsoft has also released threat intelligence, including attack techniques, indicators of compromise, and guidance for detecting and responding to these vulnerabilities. Organizations are urged to monitor for suspicious activity and act quickly, as attackers are likely to continue targeting unpatched systems.
It’s important to note that these vulnerabilities do not affect SharePoint Online or Microsoft 365 cloud customers. However, businesses using unsupported or end-of-life SharePoint versions remain at risk, as they may not receive these critical security updates.
Failing to patch these vulnerabilities could leave organizations vulnerable to high-profile cyberattacks and data breaches. Microsoft, federal cybersecurity agencies, and industry experts are unanimous in their call for immediate action to secure on-premises SharePoint deployments.
Critical Vulnerabilities and Exploitation Techniques
The critical vulnerability at the center of the attacks is CVE-2025-53770, which holds a severity score (CVSS) of 9.8. It allows remote code execution (RCE), meaning an attacker can run arbitrary code on the SharePoint server by sending specially crafted requests, exploiting the deserialization of untrusted data. This gives attackers the potential to fully compromise vulnerable servers.
Another related vulnerability, CVE-2025-53771 (CVSS 7.1), enables spoofing via path traversal, which can be used as part of multi-step attacks, including facilitating further privilege escalation or bypassing security controls. These latest flaws are closely related to earlier vulnerabilities (CVE-2025-49704 and CVE-2025-49706), which were previously patched but have now been shown to be only partially mitigated; attackers are able to chain these vulnerabilities (a technique known as “ToolShell”) for effective exploitation.
Who Is at Risk
Only on-premises SharePoint Server instances are affected. SharePoint Online and Microsoft 365 cloud customers are NOT vulnerable. Organizations with public-facing SharePoint Servers are at highest risk for attack. At least two U.S. federal agencies have suffered breaches traced to these vulnerabilities, with further attacks reported across North America and Australia.
Nature and Impact of Attacks
Microsoft and security agencies report active exploitation by sophisticated hacking groups, including Chinese nation-state threat actors such as Linen Typhoon, Violet Typhoon, and Storm-2603. Attackers have leveraged these exploits to establish persistent access, steal data, and potentially move laterally within victim organizations.
What Organizations Must Do
Apply Microsoft’s latest cumulative security updates for supported on-premises SharePoint Server versions (Subscription Edition, 2019, 2016) without delay. These patches fully address CVE-2025-53770, CVE-2025-53771, and related vulnerabilities. Refer to Microsoft’s official update channels to download and install the correct update package for your SharePoint Server edition.
As an added layer of defense:
- Use supported versions of SharePoint Server only.
- Deploy advanced endpoint protection (like Microsoft Defender for Endpoint or third-party equivalents).
- Ensure the Antimalware Scan Interface (AMSI) is enabled and configured alongside up-to-date antivirus tools.
- Rotate SharePoint Server ASP.NET machine keys to invalidate potentially stolen credentials.
- Consult published threat intelligence and hunting guidance to detect signs of exploitation or ongoing compromise within your environment.
Detection and Threat Response
Microsoft has released threat intelligence—including attack techniques, indicators of compromise, and detailed guidance for security teams. Organizations should immediately look for suspicious behavior associated with these vulnerabilities.
The rapid escalation of attacks suggests that adversaries will continue to target unpatched systems; urgent action is necessary to minimize risk.
Limitations/Caveats
These vulnerabilities do not affect SharePoint Online or other Microsoft cloud-hosted collaboration tools. However, patching guidance is only applicable to supported versions; end-of-life or unsupported SharePoint versions may not receive these security updates, placing those organizations at ongoing risk.
Conclusion
The discovery of critical vulnerabilities in Microsoft SharePoint Server, particularly CVE-2025-53770 and CVE-2025-53771, underscores the urgent need for organizations to prioritize security updates. These flaws, actively exploited by sophisticated attackers, pose significant risks to data integrity and system security. By applying the latest cumulative security updates and implementing additional protective measures, businesses can mitigate these threats and safeguard their on-premises SharePoint environments. The rapid escalation of attacks highlights the importance of immediate action to avoid potential breaches and their far-reaching consequences.
Frequently Asked Questions (FAQ)
What versions of Microsoft SharePoint are affected by these vulnerabilities?
These vulnerabilities impact on-premises SharePoint Server versions, including SharePoint Server Subscription Edition, 2019, and 2016. SharePoint Online and Microsoft 365 cloud customers are not affected.
What are the CVEs associated with these vulnerabilities?
The critical vulnerabilities are identified as CVE-2025-53770 (severity 9.8) and CVE-2025-53771 (severity 7.1). These are being actively exploited by attackers.
How can I detect if my SharePoint Server has been compromised?
Monitor for suspicious activity, including unauthorized access, data theft, or lateral movement within your network. Refer to Microsoft’s published threat intelligence and indicators of compromise (IoCs) for guidance on detection and response.
What steps should organizations take beyond patching?
Organizations should deploy advanced endpoint protection tools, enable AMSI with updated antivirus software, rotate ASP.NET machine keys, and ensure they are using supported SharePoint Server versions. Additional security measures include monitoring for suspicious activity and applying Microsoft’s threat intelligence guidance.
What if I cannot patch immediately?
If patching is delayed, prioritize monitoring for signs of exploitation and consider temporary mitigations. However, immediate patching is strongly recommended to prevent exploitation by attackers.