Critical Vulnerabilities in Microsoft SharePoint
22 July 2025
Microsoft has released security updates addressing zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771). Administrators are advised to update to the latest versions immediately.
Background
Microsoft has released security updates addressing zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) impacting on-premises SharePoint Servers. SharePoint Online in Microsoft 365 is not affected by the vulnerabilities.
Impact
CVE-2025-53770: Deserialisation of untrusted data in on-premise Microsoft SharePoint Servers could allow a remote attacker to perform remote code execution. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.
CVE-2025-53771: Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint could allow a remote attacker to spoof a legitimate SharePoint workflow using a forged Referer header and bypass authentication.
When the aforementioned vulnerabilities are successfully exploited in sequence, they could allow an attacker to execute remote code in Microsoft SharePoint.
Known Exploitation
Microsoft is aware of active exploitation of these vulnerabilities.
Affected Products
These vulnerabilities affect on-premises installations of:
Microsoft SharePoint Server Subscription Edition
Microsoft SharePoint Server 2019
Microsoft SharePoint Server 2016
SharePoint 2010 and 2013 may also be affected by these vulnerabilities.
Mitigation
Administrators are strongly advised to upgrade their on-premises SharePoint Server with the latest emergency update provided by Microsoft.
For SharePoint servers that do not currently have a patch or are unable to apply one immediately, Microsoft recommends that customers install the latest SharePoint security updates, enable Microsoft Antimalware Scan Interface (AMSI) integration in SharePoint, and deploy Defender AV on all SharePoint servers.
Known Indicators Of Compromise (IOC)
Indicators associated with SharePoint exploitation activity
Indicator | Description |
C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx | File created after encoded command run |
C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS\spinstall0.aspx | File created after encoded command run |
C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js | File created after PowerShell command run |
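The following added example is not part of the original advisory or of Microsoft's guidance: it scans IIS W3C log lines for requests to the file names listed among the indicators and for operator-supplied source addresses (defanged `[.]` notation accepted). The log layout, sample entries, addresses and function names are constructed for illustration, and matching on file name alone is an assumption about how the files under TEMPLATE\LAYOUTS appear in request paths.

```python
# File names taken from the advisory's file indicators.
IOC_FILENAMES = {"spinstall0.aspx", "debug_dev.js"}

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-07-20 10:01:02 198.51.100.20 GET /_layouts/15/start.aspx 200
2025-07-20 10:01:09 203.0.113.7 POST /sites/team/default.aspx 200
2025-07-20 10:01:15 192.0.2.44 GET /_layouts/15/SPINSTALL0.aspx 200
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-07-20 10:02:00 GET /_layouts/16/debug_dev.js 192.0.2.44 404
""".splitlines()


def refang(ip):
    """Turn a defanged address such as 203.0.113[.]7 back into 203.0.113.7."""
    return ip.replace("[.]", ".").strip()


def scan_iis_log(lines, ioc_ips=()):
    """Return (line_no, reason, client_ip, uri_stem) for each suspicious entry."""
    bad_ips = {refang(ip) for ip in ioc_ips}
    fields, hits = [], []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order is declared in the log and can change mid-file.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        stem, ip = row.get("cs-uri-stem", ""), row.get("c-ip", "")
        # Compare only the final path segment, case-insensitively.
        name = stem.rsplit("/", 1)[-1].lower()
        if name in IOC_FILENAMES:
            hits.append((no, "ioc-file", ip, stem))
        elif ip in bad_ips:
            hits.append((no, "ioc-ip", ip, stem))
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG, ioc_ips=["203.0.113[.]7"]):
        print(hit)
```

A hit on a file name is worth triage regardless of the response status, since a 404 can mean the file was probed for or has since been removed.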
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
https://nvd.nist.gov/vuln/detail/CVE-2025-53770
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771
https://nvd.nist.gov/vuln/detail/CVE-2025-53771