Microsoft SharePoint Under Attack: Zero-Day Bug Exploited
By Ainvest
Monday, Jul 21, 2025, 9:19 am ET
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical zero-day remote code execution (RCE) vulnerability affecting Microsoft SharePoint Server on-premises installations. This vulnerability, tracked as CVE-2025-53770, is actively being exploited by threat actors, posing a significant security risk to organizations running SharePoint infrastructure.
The vulnerability is a deserialization of untrusted data flaw in SharePoint Server that lets an unauthenticated attacker execute arbitrary code on the server over the network. No credentials are needed; what configuration and exposure change is who can reach the vulnerable server, so one published to the internet is open to anyone who finds it [1].
CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog with a remediation due date of July 21, 2025, an unusually short window that reflects the active exploitation. The required action, taken from Microsoft's guidance, is to enable Anti-Malware Scan Interface (AMSI) integration in SharePoint and deploy Microsoft Defender Antivirus on all SharePoint servers. Where AMSI integration cannot be enabled, CISA recommends disconnecting public-facing SharePoint servers from the internet until an official fix is available [1].
Microsoft has also issued customer guidance [2], urging customers to run a supported version of SharePoint Server, apply the latest security updates, and make sure AMSI integration is turned on and configured correctly, with Microsoft Defender Antivirus deployed on every SharePoint server. The company is working on security updates for the supported on-premises versions (SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016); SharePoint Online in Microsoft 365 is not affected. Installing the update alone does not close the exposure on a server that may already have been hit: Microsoft's guidance also calls for rotating the ASP.NET machine keys afterwards (with the Update-SPMachineKey cmdlet, or the machine key rotation timer job in Central Administration) and then restarting IIS, because a successful exploit can leak those keys and they stay usable until rotated.
Organizations with public-facing SharePoint servers are at the highest risk, since those systems can be attacked directly from the internet with no prior foothold in the network. The vulnerability carries a CVSS 3.1 base score of 9.8 (Critical) [1].
These mitigations are interim measures, not a fix. AMSI integration lets SharePoint hand incoming request content to the installed antimalware engine (Microsoft Defender Antivirus, in Microsoft's guidance) before SharePoint processes it, which is why CISA lists the two together: AMSI with no active scanning engine behind it blocks nothing. A server that cannot run both, and is reachable from the internet, should be taken offline until the security update is available [1]. Because the flaw was exploited before the advisory was published, an internet-facing server that was unprotected during that window should be treated as potentially compromised rather than merely unpatched.
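The steps above (check the patch level, confirm that Defender Antivirus and an AMSI provider are active, and take unpatched public-facing servers offline) can be turned into a per-server triage script. The following is an added example written for this page, not code from the article, CISA or Microsoft. It assumes an elevated SharePoint Management Shell on each farm server, the Windows Defender PowerShell module, and a hypothetical -MinimumFixedBuild parameter that you fill in from Microsoft's advisory once the fixed build is published. The per-web-application AMSI toggle inside SharePoint is deliberately not queried, since the page does not give its setting; verify it in Central Administration as Microsoft's guidance describes.

```powershell
<#
  Added example (not from the article, CISA or Microsoft): read-only triage of an
  on-premises SharePoint server against the mitigation guidance quoted above.
  Run in an elevated SharePoint Management Shell on every server in the farm.
  It reports; it changes nothing. Items marked ASSUMPTION are not from the page.
#>
param(
    # ASSUMPTION: hypothetical parameter. Supply the first fixed build number from
    # Microsoft's advisory; when omitted, the build is only reported, not judged.
    [version]$MinimumFixedBuild
)

$findings = [ordered]@{}

# 1. Farm patch level. SPFarm.BuildVersion reflects the installed SharePoint update.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$farm = Get-SPFarm
$findings.Build   = $farm.BuildVersion
$findings.Patched = if ($MinimumFixedBuild) { $farm.BuildVersion -ge $MinimumFixedBuild }
                    else { 'unknown (no fixed build supplied)' }

# 2. Microsoft Defender Antivirus state, via the Defender module.
#    AMRunningMode 'Normal' means Defender owns protection; 'Passive' means another
#    product does, and Defender will not act on what AMSI hands it.
$mp = Get-MpComputerStatus
$findings.DefenderRealTime = $mp.RealTimeProtectionEnabled
$findings.DefenderMode     = $mp.AMRunningMode
$findings.SignatureAge     = (Get-Date) - $mp.AntivirusSignatureLastUpdated

# 3. AMSI providers registered on the host. SharePoint passes request content to AMSI,
#    and AMSI passes it to the providers listed here; with none registered, turning
#    AMSI on in SharePoint scans nothing. The friendly name comes from the CLSID key.
$providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        "$clsid $name"
    }
$findings.AmsiProviders = @($providers)

# 4. Internet exposure. ASSUMPTION (heuristic): a web application with an alternate
#    access mapping in the Internet zone is treated as public-facing. Confirm against
#    the perimeter firewall or reverse proxy, since an app can be published without one.
$findings.InternetZoneUrls = @(Get-SPAlternateURL |
    Where-Object { $_.Zone -eq 'Internet' } |
    ForEach-Object { $_.IncomingUrl })

# The web-application AMSI setting itself is not read here; check it in Central Administration.

# 5. Verdict, following the guidance: AMSI scanning is only effective with Defender active
#    and a provider registered; an unpatched, public-facing server without that goes offline.
$amsiReady = $findings.DefenderRealTime -and
             ($findings.DefenderMode -eq 'Normal') -and
             ($findings.AmsiProviders.Count -gt 0)

$findings.Verdict = switch ($true) {
    ($findings.Patched -eq $true) {
        'patched: rotate ASP.NET machine keys (Update-SPMachineKey) and restart IIS'; break }
    ((-not $amsiReady) -and ($findings.InternetZoneUrls.Count -gt 0)) {
        'DISCONNECT from the internet: unpatched, public-facing, AMSI scanning not effective'; break }
    (-not $amsiReady) {
        'enable Defender real-time protection and AMSI before leaving this server online'; break }
    default {
        'mitigated only: keep monitoring and apply the security update as soon as it is released' }
}

[pscustomobject]$findings
```

The script stays read-only on purpose: the only state-changing steps in the guidance (enabling AMSI, rotating machine keys, disconnecting the server) are decisions an operator should take deliberately, so the script names the next action rather than performing it.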
For federal civilian executive branch agencies, the KEV listing makes remediation mandatory under Binding Operational Directive (BOD) 22-01 by the stated due date. The catalog entry's required action is to apply the vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable; CISA strongly urges all other organizations to do the same.
References:
[1] https://cybersecuritynews.com/cisa-microsoft-sharepoint-server-0-day-rce/
[2] https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
A zero-day bug in Microsoft SharePoint is under widespread attack, with the U.S. federal government and security researchers sounding the alarm. The exploited remote code execution bug is tracked as CVE-2025-53770, and a related spoofing bug, CVE-2025-53771, was disclosed alongside it; the flaws affect on-premises SharePoint Server versions back to 2016 and let attackers steal the server's cryptographic keys, plant malware, and read files and data. Microsoft is working on security fixes, but customers are urged to take immediate action, including disconnecting potentially affected systems from the internet.

Editorial Disclosure & AI Transparency: Ainvest News utilizes advanced Large Language Model (LLM) technology to synthesize and analyze real-time market data. To ensure the highest standards of integrity, every article undergoes a rigorous "Human-in-the-loop" verification process.
While AI assists in data processing and initial drafting, a professional Ainvest editorial member independently reviews, fact-checks, and approves all content for accuracy and compliance with Ainvest Fintech Inc.’s editorial standards. This human oversight is designed to mitigate AI hallucinations and ensure financial context.