The newly disclosed CVE-2025-53770 vulnerability affects on-premises SharePoint Server, and attackers are already exploiting it. Microsoft strongly advises patching immediately.

Actively Exploited Critical RCE Vulnerability in SharePoint

Microsoft has released an out-of-band patch for a critical remote code execution (RCE) vulnerability in SharePoint Server that is being actively exploited in the wild. Tracked as CVE-2025-53770 and rated 9.8 on the CVSS scale, the bug affects SharePoint Server 2016, 2019, and Subscription Edition. It lets an unauthenticated attacker run arbitrary code remotely on an affected server, which makes it one of the most serious SharePoint security issues in recent years.

Microsoft disclosed the vulnerability on July 19 and began releasing fixes on July 20, outside the regular Patch Tuesday cycle (the July Patch Tuesday updates had already shipped on July 8), and confirmed at disclosure that it was under active exploitation. The US Cybersecurity and Infrastructure Security Agency (CISA) then added it to the Known Exploited Vulnerabilities (KEV) catalog, which obliges federal agencies to remediate by July 21, 2025.

Strategic Role of SharePoint in Enterprise IT

SharePoint remains an integral collaboration platform for government, enterprise, and educational organizations. Although Microsoft 365 offers SharePoint Online as a cloud-hosted alternative, many organizations still run on-premises SharePoint Server to host intranet portals, manage workflows, and keep sensitive documents behind their own firewalls.

SharePoint is an attractive target because it is tightly integrated with identity infrastructure such as Active Directory and sits alongside business-critical workloads. A vulnerability like CVE-2025-53770, which executes code remotely without any sign-in, is especially dangerous in deployments where SharePoint is reachable from the internet.

Technical Details of CVE-2025-53770 by Microsoft

The vulnerability stems from insecure deserialization of untrusted data in Microsoft SharePoint Server. A remote attacker sends specially crafted requests, and the server deserializes attacker-controlled content, leading to arbitrary code execution. Because no authentication is required, any internet-facing SharePoint instance is a target, including ones running default settings.

Alongside CVE-2025-53770, Microsoft also published CVE-2025-53771, a spoofing vulnerability rooted in path traversal. Security researchers say the two are chained: the spoofing flaw bypasses SharePoint's authentication checks, and the deserialization flaw then executes code, giving the attacker broad access to the SharePoint-hosting environment.

According to Microsoft's advisory, SharePoint Online in Microsoft 365 is not affected; the cloud service runs on a different architecture and patching cycle, so only on-premises SharePoint Server installations need the fix.

Threat Actors Actively Exploiting the Vulnerability

Eye Security and Palo Alto Networks Unit 42 report that in-the-wild exploitation of CVE-2025-53770 began on July 18, before a fix was available. ToolShell is the name researchers gave to the exploit chain itself, not to a separate malware family: it was first demonstrated at Pwn2Own Berlin in May 2025 as CVE-2025-49704 and CVE-2025-49706, and CVE-2025-53770 and CVE-2025-53771 bypass Microsoft's July patches for that pair. In the observed attacks the chain was used to plant a web shell that reads the server's ASP.NET machine keys, giving the attackers persistent access and remote command execution that survives patching until those keys are rotated.

Researchers assess that the campaign targets on-premises SharePoint estates broadly and opportunistically, taking advantage of weak patch management. Victims identified so far span sectors including education, healthcare, and finance, most of them running out-of-date or misconfigured SharePoint Server deployments.

CISA's rapid addition of the vulnerability to the KEV catalog reflects the severity and urgency of the threat. Agencies and enterprises are being told to patch first and to assume that any unpatched, internet-exposed server has already been compromised.

Enterprise Risk Escalates Amid Exploit Chains

The combination of request spoofing with unauthenticated remote code execution makes this vulnerability particularly dangerous in hybrid and standalone environments. Experts caution that once an attacker controls a SharePoint server, they can escalate privileges, move laterally into adjacent systems, and exfiltrate sensitive data before defenders notice.

Threat modeling teams treat this as a high-impact threat because many organizations use SharePoint as a middle tier for automated business processes and approval workflows. In some cases attackers have used hijacked SharePoint infrastructure to alter internal documents or change user permissions, widening the blast radius further.

Microsoft’s Response and Patch Guidance

Microsoft released patches for the affected SharePoint Server versions beginning July 20. Administrators should install them immediately. Because the exploit chain was used to steal the server's ASP.NET machine keys, Microsoft also instructs administrators to rotate those keys after patching and then restart Internet Information Services (IIS) so the new keys take effect; patching alone does not evict an attacker who already holds the old keys.

Microsoft's other recommendations are to rotate the machine keys rather than merely inspecting them for tampering, to make sure Antimalware Scan Interface (AMSI) integration is enabled with Microsoft Defender Antivirus on every SharePoint server so that malicious deserialization payloads can be caught at runtime, and to review external access policies so that SharePoint endpoints are not needlessly exposed to the public internet. Servers that cannot be patched and protected with AMSI should be disconnected from the internet until they can be.
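The post-patch steps above (confirm the build, rotate the ASP.NET machine keys for every web application, restart IIS) as one PowerShell routine. This is an added example, not Microsoft's guidance text or the article's code. It is meant to run in the SharePoint Management Shell as a farm administrator on one server in the farm; the minimum patched build number for your edition is an input you take from the Microsoft advisory (assumed here as the `-MinimumPatchedBuild` parameter), and the function name `Invoke-SPPostPatchRemediation` is my own.

```powershell
# Added example (not Microsoft's or the article's code). Run in the SharePoint
# Management Shell as a farm administrator.
# Assumption: -MinimumPatchedBuild is the build listed for your edition in the
# Microsoft advisory; the value is not taken from the article.

function Test-SPPatchLevel {
    param(
        [Parameter(Mandatory)][version]$CurrentBuild,
        [Parameter(Mandatory)][version]$MinimumPatchedBuild
    )
    # [version] compares major.minor.build.revision numerically, so the
    # string-comparison trap ('16.0.5508.1000' -lt '16.0.5508.999') cannot occur.
    return $CurrentBuild -ge $MinimumPatchedBuild
}

function Invoke-SPPostPatchRemediation {
    param(
        [Parameter(Mandatory)][version]$MinimumPatchedBuild,
        [switch]$RotateMachineKeys
    )
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    $farm = Get-SPFarm
    if (-not (Test-SPPatchLevel -CurrentBuild $farm.BuildVersion -MinimumPatchedBuild $MinimumPatchedBuild)) {
        Write-Warning "Farm build $($farm.BuildVersion) is below $MinimumPatchedBuild. Install the security update before rotating keys."
        return $false
    }

    if ($RotateMachineKeys) {
        # Update-SPMachineKey ships with Subscription Edition (and with the updated
        # 2016/2019 builds); where it is absent, run the Machine Key Rotation timer job
        # from Central Administration instead.
        if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
            Write-Warning 'Update-SPMachineKey not available; rotate keys via the Central Administration timer job.'
            return $false
        }
        # An attacker who read the ValidationKey/DecryptionKey can sign serialized
        # payloads the server will still deserialize after patching, so regenerate the
        # keys for every web application, Central Administration included.
        foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
            Update-SPMachineKey -WebApplication $webApp
            Write-Host "Rotated machine key for $($webApp.Url)"
        }
        # Worker processes read the keys at start-up: repeat the IIS restart on
        # every server in the farm, not only the one this ran on.
        & iisreset.exe /noforce
    }
    return $true
}

# Usage (build value is a placeholder to replace with the advisory's number):
# Invoke-SPPostPatchRemediation -MinimumPatchedBuild ([version]'16.0.0.0') -RotateMachineKeys
```

The build check comes first deliberately: rotating keys on an unpatched server gives a false sense of safety, since the attacker can simply exploit the bug again and read the new keys.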

Managed detection and response (MDR) providers are urging organizations to update their detection rules with the indicators of compromise published by Eye Security and Unit 42.
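A concrete form of that detection work, as an added example rather than code from the article, Microsoft, Eye Security or Unit 42: a hunt over IIS W3C logs for the request pattern those write-ups describe (a POST to ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx) plus a check of the LAYOUTS directories for the spinstall0.aspx web shell they report. The function names are mine, and the log lines are constructed for illustration; field positions are read from the log's own #Fields header rather than assumed.

```powershell
# Added example, not vendor code. Indicators follow the public Microsoft / Eye Security
# reporting on this exploit chain; the sample log lines are constructed, not real telemetry.

function Find-ToolShellRequests {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $fields = $null
    $hits = @()
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # IIS rewrites the field list whenever logging settings change; track it.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed line
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        # Auth-bypass request shape: POST to ToolPane.aspx in edit mode with a SignOut referer.
        $toolPane = $rec['cs-method'] -eq 'POST' -and
                    $rec['cs-uri-stem'] -match '(?i)/_layouts/(15|16)/ToolPane\.aspx$' -and
                    $rec['cs-uri-query'] -match '(?i)DisplayMode=Edit' -and
                    $rec['cs(Referer)'] -match '(?i)/_layouts/(15/|16/)?SignOut\.aspx'
        # Post-exploitation: any request for the dropped web shell.
        $webShell = $rec['cs-uri-stem'] -match '(?i)/spinstall\d*\.aspx$'
        if ($toolPane -or $webShell) {
            $reason = if ($toolPane) { 'ToolPane.aspx POST with SignOut referer' } else { 'spinstall web shell request' }
            $hits += [pscustomobject]@{
                Time   = "$($rec['date']) $($rec['time'])"
                Client = $rec['c-ip']
                Method = $rec['cs-method']
                Uri    = $rec['cs-uri-stem']
                Reason = $reason
            }
        }
    }
    return $hits
}

function Find-SPWebShellFiles {
    # Both hive directories are checked; 16 is current, 15 may exist on upgraded farms.
    $roots = @(
        'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS',
        'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
    )
    foreach ($root in $roots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root -Filter 'spinstall*.aspx' -File -ErrorAction SilentlyContinue
        }
    }
}

# Constructed sample log (three requests, two malicious) to show the output shape.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 21:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 21:02:14 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200
2025-07-18 21:05:00 10.0.0.5 GET /sites/hr/Shared%20Documents/policy.docx - 443 CORP\jdoe 10.0.2.7 Mozilla/5.0 - 200
'@ -split "`r?`n"

Find-ToolShellRequests -LogLines $sampleLog | Format-Table -AutoSize
Find-SPWebShellFiles
```

Against the sample, the first two lines are flagged and the document download is not. To run it over a real server, feed every `u_ex*.log` under `C:\inetpub\logs\LogFiles` (one `W3SVC<id>` folder per site) through `Find-ToolShellRequests`; a hit on the ToolPane pattern with a 200 response is a strong signal even when no web shell file is found, because the attacker may have cleaned up and kept only the stolen machine keys.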

Security Community and Vendor Views

The vulnerability was responsibly disclosed to Microsoft by researchers at Eye Security together with the Microsoft Threat Intelligence team. Palo Alto Networks then released a technical report analyzing the ToolShell exploit chain as used in the ongoing campaigns.

Security engineers have drawn a parallel between this deserialization flaw and earlier attacks on Java-based middleware, where similar bugs proved easy to weaponize. Unit 42 has advised customers to watch for unusual behavior, to quarantine affected servers (stopping their SharePoint application pools if they cannot be taken offline), and to keep them isolated until a forensic analysis has been completed.

Researchers also noted that deserialization weaknesses remain hard to catch with conventional perimeter controls, especially when the exploit traffic, as with ToolShell, looks like ordinary administrative requests to legitimate SharePoint pages.

Strategic Considerations for Security Leaders

The incident is a wake-up call for enterprise security teams and CISOs to reassess the risk carried by outdated on-premises platforms. SharePoint Server is still used in high-trust environments, yet it often lags behind the security controls available in cloud-native services.

Security administrators should patch CVE-2025-53770 immediately and revisit long-term plans to segment, harden, or migrate on-premises SharePoint instances. Because exploitation is ongoing, incident response teams must keep watching for post-exploitation activity: lateral movement, credential theft, and the execution of signed binaries used for malware staging.

The overall message is unmistakable: security blind spots in pivotal middleware such as SharePoint can quickly become systemic weaknesses unless they are treated as a top priority and watched continuously.
