
Critical SharePoint vulnerability - immediate action required

Written by Stefan Thelberg | Jul 29, 2025 8:31:56 PM
Notice: This critical vulnerability affects only SharePoint deployments running on-premises.

Two serious security flaws in Microsoft SharePoint—CVE-2025-53770 and CVE-2025-53771—have been used in real-world attacks that compromised at least 85 servers across 29 organizations, including government agencies, banks, hospitals, and universities. Microsoft has released urgent patches and is urging anyone running on-prem SharePoint systems to act immediately (SharePoint Online in Microsoft 365 is not impacted).

The main flaw (CVE-2025-53770) enables unauthenticated remote code execution, allowing attackers to bypass authentication and gain initial access. Once inside, they can steal hidden security keys and create fake credentials that let them maintain access even after the server is patched, unless the keys are rotated. The second flaw (CVE-2025-53771) helps attackers disguise themselves as legitimate users and has been used to chain attacks with CVE-2025-53770.

These flaws bypass the fixes Microsoft shipped in its July 2025 security update for CVE-2025-49704 and CVE-2025-49706, showing that the original mitigations were incomplete.

Microsoft and U.S. cybersecurity officials say the attackers behind these intrusions are state-linked groups from China, and that attacks began as early as July 7. The hackers targeted sensitive industries and were able to access confidential data and maintain long-term access.

What to do:

  1. Install Microsoft's latest SharePoint security updates immediately.
  2. Turn on Microsoft's security scanning tools: enable Antimalware Scan Interface (AMSI) integration in SharePoint and run Defender Antivirus on every SharePoint server.
  3. Rotate the cryptographic keys on your SharePoint servers (the keys used to protect data); keys stolen before patching remain valid until they are rotated.
  4. Restart affected servers so the changes take effect.

Organizations that can't apply these measures right away should disconnect SharePoint from the internet to limit exposure.
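The remediation steps above, as an added example that is not part of the Holm Security post or Microsoft's own guidance: a PowerShell script for the SharePoint Management Shell that checks the farm build level, rotates the ASP.NET machine keys (the "cryptographic keys" the steps refer to) on every web application with the Update-SPMachineKey cmdlet, and restarts IIS. The required build number is a placeholder you must take from the relevant Microsoft KB; running it on each SharePoint server in the farm is assumed.

```powershell
# Added example, not from the original post. Run as a farm administrator in
# the SharePoint Management Shell on each SharePoint server, after the July 2025
# security update (KB5002760 / KB5002754 / KB5002768, per edition) is installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Placeholder: replace with the build number of the installed security update
# for your edition, taken from the Microsoft KB article.
$RequiredBuild = [Version]'16.0.0.0'

# Step 1 check: refuse to continue on an unpatched farm, because rotating keys
# on a still-vulnerable server gives no lasting protection.
$farm = Get-SPFarm
if ($farm.BuildVersion -lt $RequiredBuild) {
    throw "Farm build $($farm.BuildVersion) is below $RequiredBuild; install the security update first."
}

# Step 3: rotate the machine keys of every web application, Central Administration
# included. Keys stolen before patching stay valid until this is done.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Output "Rotating machine keys for $($webApp.DisplayName) ($($webApp.Url))"
    Update-SPMachineKey -WebApplication $webApp
}

# Step 4: restart IIS so the rotated keys are loaded. Repeat on every server.
& iisreset.exe /noforce
```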

For additional information about how to protect your environment and to search your environment for indicators of compromise, refer to the Microsoft Customer Guidance Article and the Microsoft Threat Intelligence Blog article Disrupting active exploitation of on-premises SharePoint vulnerabilities.

Holm Security has released plugins to scan for these vulnerabilities. This knowledge base article describes how to scan for a specific vulnerability.

  • HID-2-1-5375136
    Microsoft SharePoint Server 2016 Multiple Vulnerabilities (KB5002760) (July 2025)
  • HID-2-1-5377635
    Microsoft SharePoint Server 2019 Multiple Vulnerabilities (KB5002754) (July 2025)
  • HID-2-1-5377636
    Microsoft SharePoint Server Subscription Edition Multiple Vulnerabilities (KB5002768) (July 2025)

How to scan for specific vulnerabilities

Holm Security’s platform allows for the assessment of specific vulnerabilities, which makes it possible to find new critical vulnerabilities faster. This knowledge base article describes how.

Need help?

If you have any questions, don't hesitate to reach out. Contact details are found here.