Critical zero-day flaws in Microsoft SharePoint exploited; urgent patches released

Two critical zero-day vulnerabilities in Microsoft SharePoint — CVE‑2025‑53770 and CVE‑2025‑53771 — were recently discovered being actively exploited in remote code execution (RCE) attacks. The flaws allowed attackers to upload malicious .aspx webshells to unpatched on-premises SharePoint servers, extract machine keys, and maintain persistent access even after system reboots or updates. Initial attacks were linked to techniques demonstrated at the recent Pwn2Own contest, and more than 85 compromised servers were identified worldwide.

Before patches were available, Microsoft recommended immediate mitigations: enabling Antimalware Scan Interface (AMSI), deploying Defender Antivirus, rotating ASP.NET machine keys, and checking for malicious uploads and unusual IIS logs. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2025‑53770 to its Known Exploited Vulnerabilities catalog, requiring rapid action from federal agencies to reduce exposure.

Emergency security updates were released on July 21 for SharePoint Server 2019 and the Subscription Edition, with a patch for SharePoint 2016 still pending. Microsoft emphasized that these updates offer stronger protection than previous ones and urged administrators to apply them promptly, rotate credentials, and conduct forensic checks to ensure systems haven't been compromised. Only on-premises SharePoint deployments were affected; cloud-hosted environments remain secure.