Critical SharePoint Zero-Day CVE-2025-53770 Actively Exploited
Key Insights
CVE-2025-53770 is a critical zero-day vulnerability: in Microsoft SharePoint Server, enabling remote code execution.
Attackers are exploiting this flaw: to place backdoors and steal security keys, leading to full system takeover.
The vulnerability affects on-premises SharePoint Server: 2019, SharePoint Enterprise Server 2016, and SharePoint Server Subscription Edition.
Microsoft advises enabling Antimalware Scan Interface (AMSI): integration and deploying Defender AV on all SharePoint servers as a temporary fix.
Over 85 SharePoint servers have been compromised: globally, impacting multinational firms and government entities.
Why this matters:: This vulnerability poses a severe threat to organizations using on-premises SharePoint, potentially leading to data theft, lateral movement across networks, and complete system compromise. Immediate action is required to mitigate the risk until a patch is available.
In-Depth Analysis
The CVE-2025-53770 vulnerability stems from SharePoint's deserialization of untrusted data, allowing attackers to execute commands even before authentication. Once inside, they can forge trusted payloads using stolen machine keys to persist and move laterally. This makes detection and response particularly difficult.
Eye Security discovered that attackers are using a stealthy `spinstall0.aspx` file to extract cryptographic secrets from the SharePoint server. These secrets, including the ValidationKey and DecryptionKey, are crucial for generating valid __VIEWSTATE payloads, effectively turning any authenticated SharePoint request into a remote code execution opportunity.
Microsoft recommends that, in the absence of a patch, users should configure AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers. If enabling AMSI is not an option, disconnecting the SharePoint server from the internet is advised.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert, urging organizations with on-premise Microsoft SharePoint servers to take immediate action.
FAQs
What is CVE-2025-53770?
It is a critical zero-day vulnerability in Microsoft SharePoint Server that allows unauthenticated remote code execution.
Which SharePoint versions are affected?
On-premises SharePoint Server 2019, SharePoint Enterprise Server 2016, and SharePoint Server Subscription Edition are affected. SharePoint Online is not vulnerable.
What are the recommended mitigations?
Microsoft recommends enabling Antimalware Scan Interface (AMSI) integration and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, disconnect the SharePoint server from the internet.
What should organizations do if they suspect a compromise?
Isolate affected servers, renew all credentials and system secrets, and consider engaging incident response experts.
Key Takeaways
Immediate Action:: If you use on-premises SharePoint Server, take immediate steps to mitigate CVE-2025-53770.
Enable AMSI and Defender AV:: Configure Antimalware Scan Interface (AMSI) integration and deploy Defender AV on all SharePoint servers.
Monitor for Compromise:: Check server logs for indicators of compromise and follow Microsoft's customer guidance.
Renew Credentials:: If a compromise is detected, isolate affected servers and renew all credentials and system secrets.
Stay Updated:: Keep informed about updates from Microsoft and CISA regarding this vulnerability.
Discussion
Do you think these mitigation steps are sufficient to protect against the exploit until a patch is released? Let us know in the comments below!
Share this article with others who need to stay ahead of this trend!
⚠ Disclaimer: Yanuki provides article summaries and links for reference only. Yanuki does not endorse, verify, or guarantee the accuracy of third-party sources. Please review original sources and verify information independently. Managed by the Yanuki Data Engine. Full Disclaimer