Microsoft has warned of a critical zero-day vulnerability in SharePoint Server that is being exploited on a large scale. Emergency patches have been available since July 20.
The vulnerability, registered as CVE-2025-53770, allows attackers to remotely execute code on affected servers. According to Microsoft, only on-premises SharePoint installations are affected; SharePoint Online in Microsoft 365 is not vulnerable to this attack.
The company reports that it has been actively detecting attacks exploiting this vulnerability since July 18. The attackers appear to be able to bypass the security measures that were introduced as part of the July updates. These new attack methods build on a previously discovered vulnerability that was demonstrated in May at the Pwn2Own event in Berlin, where researchers showed how to gain complete control over a server with a single request.
Emergency patches now available
Microsoft has now released emergency patches for SharePoint Server 2019 and the Subscription Edition. An update for SharePoint Server 2016 is currently in development and will follow shortly. Customers running these versions are strongly advised to install the available updates immediately. If this is not possible, Microsoft recommends temporarily disconnecting the affected servers from the internet to prevent further damage.
To mitigate further attacks, Microsoft recommends enabling AMSI (Antimalware Scan Interface) and installing Defender Antivirus on all SharePoint servers. AMSI has been enabled by default since September 2023, but in some cases it must be verified manually. In addition, the company recommends rotating ASP.NET machine keys after applying the updates or enabling AMSI. This prevents previously stolen validation keys from being used by malicious parties.
The US Cybersecurity and Infrastructure Security Agency (CISA) has now added the vulnerability to its catalog of known exploited vulnerabilities and requires government agencies to take action within 24 hours of a patch becoming available. Several cybersecurity companies, including the Dutch firm Eye Security, have now confirmed dozens of breaches at both commercial and public organizations worldwide.
Microsoft has shared instructions in its technical documentation on how to check whether a SharePoint server has been compromised. Systems on which the suspicious file 'spinstall0.aspx' is present, or on which suspicious HTTP requests appear in the IIS logs, should be considered compromised. Organizations are advised to immediately start a forensic investigation and take affected systems offline.
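The two indicators named above can be checked in one pass on a server. The following PowerShell triage script is an added example, not part of Microsoft's documentation; the LAYOUTS and IIS log paths are the default install locations and are assumptions that may need adjusting for a given farm.

```powershell
# Added example: triage for the two indicators the article names
# (the dropped spinstall0.aspx file, and IIS log entries touching it).
# Paths below are the default locations and are assumptions; adjust
# them if your farm installs to another drive or logs elsewhere.
$LayoutsRoots = @(
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
)
$IisLogRoot  = 'C:\inetpub\logs\LogFiles'
# Add further request patterns from Microsoft's published guidance here.
$UriPatterns = @('*spinstall0*')

# 1. Look for the dropped file anywhere under the LAYOUTS directories.
$fileHits = foreach ($root in $LayoutsRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -File -Filter 'spinstall0*.aspx' -ErrorAction SilentlyContinue
    }
}
foreach ($f in $fileHits) {
    Write-Warning ("File indicator: {0} (created {1:u})" -f $f.FullName, $f.CreationTimeUtc)
}
if (-not $fileHits) { Write-Host 'No spinstall0*.aspx found under LAYOUTS.' }

# 2. Walk W3C-format IIS logs; the '#Fields:' header maps each column name.
Get-ChildItem -Path $IisLogRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue | ForEach-Object {
    $fields = $null
    foreach ($line in [System.IO.File]::ReadLines($_.FullName)) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $uriIdx = [array]::IndexOf($fields, 'cs-uri-stem')
        if ($uriIdx -lt 0) { continue }            # log lacks the URI column
        $cols = $line -split ' '
        if ($cols.Count -le $uriIdx) { continue }  # truncated line
        $uri = $cols[$uriIdx]
        foreach ($pat in $UriPatterns) {
            if ($uri -like $pat) {
                $ipIdx = [array]::IndexOf($fields, 'c-ip')
                $ip    = if ($ipIdx -ge 0 -and $cols.Count -gt $ipIdx) { $cols[$ipIdx] } else { '?' }
                Write-Warning ("Log indicator: {0} {1} {2} in {3}" -f $cols[0], $ip, $uri, $_.FullName)
                break
            }
        }
    }
}
```

Any warning from either check is a reason to treat the server as compromised and begin forensic collection before rotating keys or patching, so that evidence is not overwritten.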