Loading
Yanuki
ARTICLE DETAIL
Critical SharePoint Zero-Day CVE-2025-53770 Actively Exploited | 7-Zip RCE Vulnerability (CVE-2025-11001) Under Active Exploitation | Samsung Issues Emergency Security Update for Galaxy Users | Weekly Cybersecurity Bulletin: Apple Zero-Day, Chrome Vulnerabilities & Cyber Attacks | Zero-Day Vulnerability Could Have Compromised Millions of Cursor and Windsurf Users | CISA Warns of Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs | Critical SharePoint Zero-Day CVE-2025-53770 Actively Exploited | 7-Zip RCE Vulnerability (CVE-2025-11001) Under Active Exploitation | Samsung Issues Emergency Security Update for Galaxy Users | Weekly Cybersecurity Bulletin: Apple Zero-Day, Chrome Vulnerabilities & Cyber Attacks | Zero-Day Vulnerability Could Have Compromised Millions of Cursor and Windsurf Users | CISA Warns of Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs

Vulnerabilities / Zero Day

Critical SharePoint Zero-Day CVE-2025-53770 Actively Exploited

A critical zero-day vulnerability, CVE-2025-53770, is actively being exploited in Microsoft SharePoint Server, leading to widespread breaches. This flaw allows unauthenticated remote code execution, granting attackers significant control ov...

Global hack on Microsoft product hits U.S., state agencies, researchers say
Share
X LinkedIn

zero day
Critical SharePoint Zero-Day CVE-2025-53770 Actively Exploited Image via The Washington Post

Key Insights

  • **CVE-2025-53770 is a critical zero-day vulnerability** in Microsoft SharePoint Server, enabling remote code execution.
  • **Attackers are exploiting this flaw** to place backdoors and steal security keys, leading to full system takeover.
  • **The vulnerability affects on-premises SharePoint Server** 2019, SharePoint Enterprise Server 2016, and SharePoint Server Subscription Edition.
  • **Microsoft advises enabling Antimalware Scan Interface (AMSI)** integration and deploying Defender AV on all SharePoint servers as a temporary fix.
  • **Over 85 SharePoint servers have been compromised** globally, impacting multinational firms and government entities.
  • **Why this matters:** This vulnerability poses a severe threat to organizations using on-premises SharePoint, potentially leading to data theft, lateral movement across networks, and complete system compromise. Immediate action is required to mitigate the risk until a patch is available.

In-Depth Analysis

The CVE-2025-53770 vulnerability stems from SharePoint's deserialization of untrusted data, allowing attackers to execute commands even before authentication. Once inside, they can forge trusted payloads using stolen machine keys to persist and move laterally. This makes detection and response particularly difficult.

Eye Security discovered that attackers are using a stealthy `spinstall0.aspx` file to extract cryptographic secrets from the SharePoint server. These secrets, including the ValidationKey and DecryptionKey, are crucial for generating valid __VIEWSTATE payloads, effectively turning any authenticated SharePoint request into a remote code execution opportunity.

Microsoft recommends that, in the absence of a patch, users should configure AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers. If enabling AMSI is not an option, disconnecting the SharePoint server from the internet is advised.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert, urging organizations with on-premise Microsoft SharePoint servers to take immediate action.

Read source article

FAQ

- **Q: What is CVE-2025-53770?

**

- **Q: Which SharePoint versions are affected?

**

- **Q: What are the recommended mitigations?

**

- **Q: What should organizations do if they suspect a compromise?

**

Takeaways

  • **Immediate Action:** If you use on-premises SharePoint Server, take immediate steps to mitigate CVE-2025-53770.
  • **Enable AMSI and Defender AV:** Configure Antimalware Scan Interface (AMSI) integration and deploy Defender AV on all SharePoint servers.
  • **Monitor for Compromise:** Check server logs for indicators of compromise and follow Microsoft's customer guidance.
  • **Renew Credentials:** If a compromise is detected, isolate affected servers and renew all credentials and system secrets.
  • **Stay Updated:** Keep informed about updates from Microsoft and CISA regarding this vulnerability.

Discussion

Do you think these mitigation steps are sufficient to protect against the exploit until a patch is released? Let us know in the comments below!

Share this article with others who need to stay ahead of this trend!

Sources

Global hack on Microsoft product hits U.S., state agencies, researchers say Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Company Servers Microsoft SharePoint servers under attack via zero-day vulnerability with no patch (CVE-2025-53770)

Disclaimer

This article was compiled by Yanuki using publicly available data and trending information. The content may summarize or reference third-party sources that have not been independently verified. While we aim to provide timely and accurate insights, the information presented may be incomplete or outdated.

All content is provided for general informational purposes only and does not constitute financial, legal, or professional advice. Yanuki makes no representations or warranties regarding the reliability or completeness of the information.

This article may include links to external sources for further context. These links are provided for convenience only and do not imply endorsement.

Always do your own research (DYOR) before making any decisions based on the information presented.

Related Stories

Vulnerabilities / Exploits

7-Zip RCE Vulnerability (CVE-2025-11001) Under Active Exploitation

A remote code execution (RCE) vulnerability in 7-Zip, identified as CVE-2025-11001, is actively being exploited in the wild. This flaw allows attackers to execute arbitrary code on affected systems. It is crucial to update 7-Zip to version...

Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)

Security / Mobile Security

Samsung Issues Emergency Security Update for Galaxy Users

Samsung has released an emergency security update for Galaxy smartphones to address a critical zero-day vulnerability actively being exploited in the wild. This vulnerability, CVE-2025-21043, impacts devices running Android 13 and newer. It...

Samsung Fixes Critical Zero-Day CVE-2025-21043 Exploited in Android Attacks

Cybersecurity / Weekly News

Weekly Cybersecurity Bulletin: Apple Zero-Day, Chrome Vulnerabilities & Cyber Attacks

This week's cybersecurity landscape is marked by critical vulnerabilities and active exploits. From Apple zero-day flaws to Chrome vulnerabilities and escalating cyber attacks, organizations and individuals alike face heightened risks. Stay...

Weekly Cyber Security Bulletin: 11th – 17th August 2025 | Crowe UAE

News / Security

Zero-Day Vulnerability Could Have Compromised Millions of Cursor and Windsurf Users

A zero-day vulnerability discovered in OpenVSX, a critical component in the developer supply chain, threatened to compromise millions of users of AI coding tools like Cursor and Windsurf. The flaw could have allowed attackers to gain full c...

The zero-day that could've compromised every Cursor and Windsurf user

Cybersecurity / Cloud Security

CISA Warns of Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a potential large-scale cyberattack campaign targeting Software-as-a-Service (SaaS) providers. This alert follows a recent breach at Commvault, a da...

CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs