
On Sunday, Microsoft released security updates for the SharePoint flaws that were being actively exploited, and disclosed details of another vulnerability that it said has been addressed with “more robust protection.”
The tech giant acknowledged that it is “aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities that were partially addressed by the July security update.”
The actively exploited vulnerability is tracked as CVE-2025-53770 (CVSS score: 9.8) and concerns remote code execution resulting from the deserialization of untrusted data in on-premises versions of Microsoft SharePoint Server.
The newly disclosed flaw is a SharePoint spoofing vulnerability (CVE-2025-53771, CVSS score: 6.3). Anonymous researchers are believed to have discovered and reported the bug.
“Improper limitation of a pathname to a restricted directory (‘path traversal’) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network,” Microsoft said in an advisory released on July 20, 2025.

Microsoft also noted that CVE-2025-53770 and CVE-2025-53771 are related to two other SharePoint vulnerabilities, CVE-2025-49704 and CVE-2025-49706. That exploit chain, known as ToolShell, was patched as part of the company’s July 2025 Patch Tuesday update.
“The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704,” the Windows maker said. “The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.”
It is worth noting that Microsoft had previously characterized CVE-2025-53770 as a variant of CVE-2025-49706. Asked about the inconsistency, a Microsoft spokesperson told The Hacker News that “we prioritize getting updates to customers, while correcting content inaccuracies as needed.”
The company also said that the currently published content is correct and that the earlier inconsistency does not affect its guidance to customers.
Both flaws affect only on-premises SharePoint Server and do not affect SharePoint Online in Microsoft 365. The issues have been addressed in the following versions (for now).
To mitigate potential attacks, customers are advised to:
- Use supported versions of on-premises SharePoint Server (SharePoint Server 2016, 2019, and SharePoint Subscription Edition)
- Apply the latest security updates
- Ensure the Antimalware Scan Interface (AMSI) is turned on and configured for Full Mode for optimal protection, along with an appropriate antivirus solution such as Defender Antivirus
- Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
- Rotate SharePoint Server ASP.NET machine keys
“It is important for customers to rotate the SharePoint Server ASP.NET machine keys on all SharePoint servers after applying the latest security updates above or enabling AMSI,” Microsoft said. “If you are unable to enable AMSI, you will need to rotate the keys after installing the new security update.”
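As an added example (not from the article or from Microsoft), the following PowerShell performs the machine-key rotation step from the list above for every web application in a SharePoint farm and then restarts IIS so the new key is loaded. It assumes the SharePoint Management Shell snap-in and the Update-SPMachineKey cmdlet are available on a supported SharePoint Server version, and that it is run elevated by a farm administrator.

```powershell
# Added example: rotate the ASP.NET machine key for every SharePoint web
# application, then restart IIS. Assumes Update-SPMachineKey is available
# (SharePoint Server 2016/2019/Subscription Edition) and that this runs as
# a farm administrator in an elevated session on a SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Record the farm build so it can be compared against the build number listed
# in the July 2025 security update KB before trusting the rotation as complete.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# Rotate the key for each web application, including Central Administration,
# and keep a per-application result so a partial failure is not missed.
$results = foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $wa -ErrorAction Stop
        [pscustomobject]@{ WebApplication = $wa.Url; Rotated = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ WebApplication = $wa.Url; Rotated = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

if ($results.Rotated -contains $false) {
    # Do not restart IIS on a half-rotated farm; fix the failing application first.
    Write-Warning "Machine key rotation failed for at least one web application; the server is not remediated."
    exit 1
}

# Restart IIS so every worker process picks up the rotated key. Microsoft's
# guidance is to rotate on all SharePoint servers, so repeat this on each one.
iisreset.exe
```

Rotation invalidates ViewState and other artifacts signed with the old key, so schedule it alongside the security update rather than as an afterthought.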
The Hacker News has been told that at least 54 organizations have been breached, including banks, universities, and government agencies, and that active exploitation began around July 18.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 21, 2025.

Palo Alto Networks Unit 42, which is tracking what it describes as a “high-impact, ongoing threat campaign” affecting governments, schools, hospitals, healthcare institutions, and large enterprises, said the risk is ongoing.
“Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access,” Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, told The Hacker News. “Once inside, they are exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attackers have exploited this vulnerability to get into systems and are already establishing their foothold.
“If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is not enough to completely remove the threat. What’s especially concerning is the deep integration with Microsoft’s platform.”
The cybersecurity vendor characterized it as a high-severity, high-urgency threat, urging organizations running on-premises Microsoft SharePoint servers to apply the necessary patches immediately, rotate all cryptographic material, and engage in incident response efforts.
“An immediate, band-aid fix is to take Microsoft SharePoint off the internet until a patch is available,” Sikorski added. “A false sense of security could result in prolonged exposure and widespread compromise.”
(This is a developing story. Please check again for more details.)