Organizations running SharePoint on-premises are actively targeted by attackers exploiting a new zero-day vulnerability to breach servers.
Microsoft SharePoint is vulnerable to a zero-day bug, labeled CVE-2025-53770, with a CVSS score of 9.8 out of 10. Hackers are actively exploiting the bug worldwide. SharePoint is used by organizations globally to share information and files via an intranet. Hackers can not only access that information but also steal keys that enable further access within the network.
The vulnerability initially grants unauthenticated attackers access to on-prem SharePoint servers connected to the internet. Hackers can then access all data on SharePoint, including any access tokens that open the door to further systems on the network. Those running SharePoint on-prem should assume a hack has occurred at this point.
Patching and Rotating
Security researchers noticed something was amiss on Friday. Microsoft confirmed the attacks on Saturday. Meanwhile, Microsoft has also released a patch to seal the leak. You can find the updates for Microsoft SharePoint Server Subscription Edition, 2019, and 2019 on this overview page from Microsoft itself.
Furthermore, Microsoft recommends deploying Defender for Endpoint or an equivalent solution to SharePoint servers and activating and configuring the Antimalware Scan Interface (AMSI). Redmond also strongly suggests disconnecting SharePoint servers from the internet until the patch is installed.
Subsequently, it is critical to rotate SharePoint Server ASP.NET keys and restart IIS on all servers. This step follows patching and is necessary to prevent malicious access in future attacks. Simply installing the patch is not enough to keep hackers out if those keys have already been compromised.
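One way to confirm that the key rotation described above actually reached every server, as an added example that is not from Microsoft or Eye Security: it compares the ASP.NET machineKey values in web.config copies collected before and after rotation. The server names, key values and helper names are constructed, and it assumes all servers host the same web application and therefore should share one key pair.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def machine_key(web_config_xml):
    """Return (validationKey, decryptionKey), lower-cased, or None if absent."""
    node = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    if node is None:
        return None
    return (node.get("validationKey", "").lower(), node.get("decryptionKey", "").lower())

def audit_rotation(before, after):
    """before/after: {server: web.config text} captured pre/post rotation.
    Returns {server: [findings]} for every server that still needs attention."""
    findings, new_keys = {}, {}
    for server in sorted(set(before) | set(after)):
        issues = []
        if server not in after:
            issues.append("no post-rotation web.config collected")
        else:
            new = machine_key(after[server])
            old = machine_key(before[server]) if server in before else None
            if new is None:
                issues.append("machineKey element missing")
            else:
                new_keys[server] = new
                if old and new[0] == old[0]:
                    issues.append("validationKey unchanged")
                if old and new[1] == old[1]:
                    issues.append("decryptionKey unchanged")
        if issues:
            findings[server] = issues
    # Assumption: one web application, so every server must end up with the same pair.
    if len(set(new_keys.values())) > 1:
        expected = Counter(new_keys.values()).most_common(1)[0][0]
        for server, keys in new_keys.items():
            if keys != expected:
                findings.setdefault(server, []).append("keys differ from rest of farm")
    return findings

# Constructed sample data: hypothetical servers and placeholder key material.
def _cfg(vk, dk):
    return ('<configuration><system.web><machineKey validationKey="%s" '
            'decryptionKey="%s" validation="HMACSHA256" /></system.web></configuration>' % (vk, dk))

OLD, NEW = ("AA11" * 16, "BB22" * 8), ("CC33" * 16, "DD44" * 8)
BEFORE = {s: _cfg(*OLD) for s in ("WFE01", "WFE02", "APP01")}
AFTER = {"WFE01": _cfg(*NEW), "WFE02": _cfg(*OLD), "APP01": _cfg(*NEW)}  # WFE02 was missed

if __name__ == "__main__":
    for server, issues in audit_rotation(BEFORE, AFTER).items():
        print(server, "->", "; ".join(issues))
```

A server that still reports unchanged keys keeps accepting anything signed with the old, possibly stolen, key material even though the patch is installed.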
Eye Security raised the alarm. In an extensive blog post by the security company, you can find the technical Indicators of Compromise that show if you have fallen victim to an attack.
Those using SharePoint as part of Microsoft 365 within the Microsoft cloud need not worry. These versions of SharePoint are not affected.
On-prem and Exchange Flashback
The zero-day saga follows the same pattern as previous critical vulnerabilities in Microsoft Exchange. Back then, bugs also only affected on-premises installations. In 2021, such a bug caused a global shockwave after a China-linked hacker group attacked hundreds of companies, leaving hundreds of thousands of organizations worldwide vulnerable.
The fact that the SharePoint vulnerability again affects on-premises installations exacerbates the problem. It is now up to administrators to take swift and correct action. History shows that the availability of a patch does not always guarantee a quick rollout.
