Microsoft Addresses Exploited SharePoint Server Vulnerabilities

In a recent security alert, Microsoft has issued critical updates to address active exploitation of vulnerabilities impacting on-premises SharePoint Server environments. The vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, have been linked to ongoing attack campaigns targeting organizations running unsupported or unpatched SharePoint servers.

Microsoft confirms that SharePoint Online in Microsoft 365 remains unaffected by these vulnerabilities, which primarily threaten on-premises deployments.

The affected versions of SharePoint Server are 2016, 2019, and the Subscription Edition. These vulnerabilities could allow malicious actors to execute arbitrary code, potentially leading to server compromise, data theft, or disruption of services. Since security updates include all previous patches, organizations are advised to ensure they have applied the most recent updates to keep their environments protected.

Microsoft’s guidance urges organizations to deploy the provided security updates promptly and to enhance their defenses by enabling advanced threat protection features such as the Antimalware Scan Interface (AMSI) and deploying endpoint protection solutions like Microsoft Defender for Endpoint. Rotating ASP.NET machine keys and restarting IIS after patching are also recommended best practices to strengthen server security.

Microsoft Defender tools are equipped to detect and block malicious behaviors associated with these vulnerabilities, providing organizations with critical early warning capabilities. Security administrators or teams should monitor for suspicious activities such as unauthorized web shell deployments, unusual process behaviors, and signs of post-exploitation activity, which could suggest ongoing attack attempts.

With active exploitation underway, timely patching combined with layered security controls is essential to safeguard sensitive corporate data and maintain operational integrity.

For full details on the security updates, including attacker tactics, indicators of compromise, and additional protective measures, see the official Microsoft advisory guidance.

