Uncovered: Severe, Unpatched Vulnerability in On-Premises SharePoint Systems - action steps provided
On July 20, 2025, Microsoft released patches for SharePoint Server 2019 and Subscription Edition to address a critical vulnerability (CVE-2025-53770). The company is still developing patches for SharePoint Server 2016.
This vulnerability, which has a CVSS score of 9.8 (Critical), allows unauthenticated remote code execution (RCE) and persistent unauthorized access. It affects on-premises SharePoint Server installations and stems from deserialization of untrusted data that can be triggered without authentication.
The exploitation is sophisticated, building on prior flaws like CVE-2025-49704, and has been observed in widespread, aggressive campaigns. At least 75 organizations globally have been compromised, including U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications firm.
The technical root cause is improper deserialization: SharePoint processes attacker-supplied data without adequate validation, leading to arbitrary code execution. Attackers upload malicious .aspx files through the SharePoint /_layouts/15/ToolPane.aspx endpoint via a crafted HTTP request carrying a special Referer header, extract the server's cryptographic secrets (the ASP.NET machine keys), and forge valid authentication tokens to maintain control.
Affected systems include SharePoint Server 2016, 2019, Subscription Edition, and older unsupported versions like SharePoint 2010 and 2013. SharePoint Online (Microsoft 365) is not affected; however, SharePoint Server instances hosted in cloud infrastructure (IaaS/PaaS) remain vulnerable.
Microsoft has provided urgent mitigation steps, including the application of available patches, enabling Antimalware Scan Interface (AMSI), deploying Microsoft Defender for Endpoint, disconnecting internet-facing servers, rotating machine keys, and monitoring for compromise.
To optimize protection, organizations should also enable AMSI integration and deploy Microsoft Defender Antivirus in Full Mode across all SharePoint servers. Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF) should be updated to block exploit patterns and anomalous behavior targeting /_layouts/15/ToolPane.aspx.
Indicators of Compromise (IoCs) include the presence of a spinstall0.aspx file on the server, exploitation attempts from known attacker IP addresses, and POST requests to the ToolPane.aspx endpoint recorded in the IIS logs.
Microsoft Defender for Endpoint or equivalent solutions can be used to detect and block post-exploit activity. For more detailed technical analysis, detection guidance, IoCs, and ongoing updates, consult reputable security research sources.
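The two log- and file-based indicators above can be checked with a short script. The following is an added example written for this page, not tooling from Microsoft or the advisory; it assumes IIS logs in W3C extended format with a #Fields header, a constructed sample log embedded inline, and a placeholder search root (a temporary directory standing in for the SharePoint LAYOUTS folder) for the on-disk spinstall0.aspx check.

```python
"""Detection helpers for the CVE-2025-53770 indicators named in the advisory.

Added example (not Microsoft's or the advisory's own tooling). Assumptions:
IIS logs are in W3C extended format with a #Fields header, and the on-disk
search root is supplied by the operator (a placeholder is used in the demo).
"""
import os
import tempfile
from typing import Dict, Iterable, List

IOC_FILENAME = "spinstall0.aspx"    # post-exploit web shell name from the advisory
TOOLPANE_SUFFIX = "/toolpane.aspx"  # exploit delivery endpoint under /_layouts/

# Constructed sample IIS log (not real traffic). Field order follows the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-20 10:14:58 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jdoe 10.0.0.77 Mozilla/5.0 - 200 0 0 45
2025-07-20 10:15:01 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CORP\\jdoe 10.0.0.77 Mozilla/5.0 https://sharepoint.example/sites/hr/default.aspx 200 0 0 60
2025-07-20 10:15:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 310
2025-07-20 10:15:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 20
"""


def parse_iis_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # header may repeat per log file
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if not fields:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split(" ")  # IIS encodes spaces inside a field as '+'
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def find_toolpane_posts(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """POST requests to the ToolPane.aspx endpoint under /_layouts/ (review each hit)."""
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method", "").upper() == "POST" and "/_layouts/" in stem \
                and stem.endswith(TOOLPANE_SUFFIX):
            hits.append(rec)
    return hits


def find_ioc_requests(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Any request whose URI stem names the spinstall0.aspx web shell."""
    return [r for r in records if IOC_FILENAME in r.get("cs-uri-stem", "").lower()]


def find_ioc_files(root: str) -> List[str]:
    """Walk a directory tree and return every file named spinstall0.aspx."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == IOC_FILENAME:
                found.append(os.path.join(dirpath, name))
    return found


def run_demo() -> Dict[str, int]:
    """Run all three checks on the constructed sample data and return counts."""
    records = parse_iis_log(SAMPLE_LOG.splitlines())
    posts = find_toolpane_posts(records)
    ioc_requests = find_ioc_requests(records)
    # Placeholder search root: a temp dir standing in for the SharePoint LAYOUTS
    # folder. In production, point find_ioc_files at the real web server hive.
    with tempfile.TemporaryDirectory() as root:
        layouts = os.path.join(root, "TEMPLATE", "LAYOUTS")
        os.makedirs(layouts)
        for name in ("default.aspx", IOC_FILENAME):  # constructed, empty files
            open(os.path.join(layouts, name), "w").close()
        ioc_files = find_ioc_files(root)
    return {
        "toolpane_posts": len(posts),
        "ioc_requests": len(ioc_requests),
        "ioc_files_found": len(ioc_files),
    }


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG.splitlines())
    for r in find_toolpane_posts(recs):
        print("REVIEW: POST to ToolPane", r["date"], r["time"], r["c-ip"],
              "user=" + r["cs-username"], "referer=" + r["cs(Referer)"])
    for r in find_ioc_requests(recs):
        print("IOC HIT:", r["date"], r["time"], r["c-ip"], r["cs-uri-stem"])
    print(run_demo())
```

Legitimate page editing also produces POSTs to ToolPane.aspx, so the first check is a triage queue rather than a verdict: the printed client IP, username (unauthenticated requests show "-") and Referer let an analyst separate editor traffic from exploitation attempts. The spinstall0.aspx checks, by contrast, should never fire on a clean server.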
If AMSI cannot be enabled or patches are unavailable, SharePoint servers should be disconnected from the internet to prevent further exploitation. Organizations should prioritize patching vulnerable SharePoint servers even if hosted in cloud infrastructures since self-managed instances are not inherently protected.
The ongoing mass exploitation of CVE-2025-53770 underscores the importance of timely patching, network and endpoint monitoring, and robust cybersecurity measures.
- Microsoft is still developing patches for SharePoint Server 2016 to address the critical vulnerability CVE-2025-53770.
- The ongoing exploitation of CVE-2025-53770 specifically targets on-premises SharePoint Server installations.
- To strengthen protection, organizations should enable Antimalware Scan Interface (AMSI) integration and deploy Microsoft Defender Antivirus in Full Mode across all SharePoint servers.
- Because CVE-2025-53770 affects SharePoint Server 2016, 2019, Subscription Edition, and older unsupported versions such as SharePoint 2010 and 2013, patching and security measures should be prioritized, even for cloud-hosted instances.
- Monitoring for compromise, updating Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF), and deploying Microsoft Defender for Endpoint help detect and prevent exploitation of these servers.