Microsoft releases urgent SharePoint security flaw patches - here's what you need to know, and how to update


  • The July fixes for two already-exploited flaws were incomplete, and the bypasses are now being abused
  • The issues affected multiple SharePoint on-prem variants
  • Hackers are already exploiting them in the wild, so users should patch now

Microsoft has released an urgent patch to fix a zero-day vulnerability affecting on-premises SharePoint servers.

The vulnerability is already being exploited in the wild, which is why users are urged to apply the patch immediately and secure their assets.

Three Microsoft products were said to be affected: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. SharePoint Online (Microsoft 365) is not affected.

How to secure your endpoints

The vulnerability being addressed is described as a deserialization of untrusted data in on-premises Microsoft SharePoint Server, which allows an unauthorized attacker to execute code over a network. It is tracked as CVE-2025-53770, and carries a severity score of 9.8/10 (critical).

“Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild,” the National Vulnerability Database (NVD) said in its advisory.

To secure the servers, Microsoft recommends applying the July 2025 security updates immediately, as well as enabling the Antimalware Scan Interface (AMSI) integration for SharePoint and making sure Microsoft Defender Antivirus is deployed on every SharePoint server.

After applying the update (or enabling AMSI as an interim mitigation), Microsoft also advises rotating the servers' ASP.NET machine keys and restarting IIS on every SharePoint server. The rotation matters because an attacker who already extracted a server's ValidationKey and DecryptionKey can use them to forge valid ASP.NET ViewState and regain code execution even after the patch is installed, so the old keys must be invalidated. Microsoft further recommends deploying Microsoft Defender for Endpoint (or an equivalent) to detect post-exploitation activity, and upgrading any SharePoint versions that are no longer supported.
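The patch-and-harden steps above, as an added PowerShell example (not Microsoft's script and not from the original article), written to be run from an elevated SharePoint Management Shell on each server in the farm. The minimum patched build number is a parameter you fill in from Microsoft's advisory for your edition, and the check for the AMSI feature assumes its display name contains "AMSI"; both are assumptions, not facts stated on this page.

```powershell
# Added example: post-patch hardening checks for an on-prem SharePoint farm.
# Run from an elevated SharePoint Management Shell on each server. This is
# not Microsoft's script; assumptions are marked inline.

param(
    # Minimum farm build that contains the fix for your edition. Take the
    # value from Microsoft's CVE-2025-53770 advisory (assumed placeholder here).
    [Parameter(Mandatory = $true)][version]$MinimumPatchedBuild,
    # Rotate keys only when explicitly requested, so the script can run read-only.
    [switch]$RotateMachineKeys
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Confirm the farm is on a build at or above the patched build.
$farm  = Get-SPFarm
$build = [version]$farm.BuildVersion
if ($build -lt $MinimumPatchedBuild) {
    Write-Warning "Farm build $build is below $MinimumPatchedBuild; apply the July 2025 update before continuing."
} else {
    Write-Host "Farm build $build meets the minimum patched build $MinimumPatchedBuild"
}

# 2. Confirm Defender Antivirus is running with real-time protection,
#    since SharePoint's AMSI integration hands content to the registered AV engine.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) {
        Write-Warning "Defender Antivirus is not fully enabled on $env:COMPUTERNAME"
    }
} catch {
    Write-Warning "Could not query Defender Antivirus on $env:COMPUTERNAME: $_"
}

# 3. Per web application: confirm the SharePoint AMSI integration feature is
#    active (assumption: its display name contains 'AMSI'), then optionally
#    rotate the ASP.NET machine keys.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $amsi = Get-SPFeature -WebApplication $wa -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*AMSI*' }
    if (-not $amsi) {
        Write-Warning "AMSI integration feature not active on $($wa.Url); enable it via Central Administration > Manage web applications > Manage Features"
    }
    if ($RotateMachineKeys) {
        # Invalidates any ValidationKey/DecryptionKey an attacker may already hold.
        Update-SPMachineKey -WebApplication $wa
        Write-Host "Rotated machine keys for $($wa.Url)"
    }
}

# 4. New keys only take effect after IIS restarts; do this on every SharePoint server.
if ($RotateMachineKeys) {
    iisreset
}
```

Run it once without `-RotateMachineKeys` to get a read-only report, then again with the switch after the update is confirmed installed; repeat the IIS restart on every server in the farm, not just the one that rotated the keys.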

The new flaws are closely tied to a pair of bugs that were also being exploited in the wild. Tracked as CVE-2025-49706 and CVE-2025-49704, those two were fixed in the July 2025 Patch Tuesday update, but the fixes proved incomplete and attackers found a way around them. The bypasses are tracked as CVE-2025-53770 and CVE-2025-53771, the latter a 6.3/10 (medium) path traversal bug that allows spoofing over a network.

Attackers began abusing the new bugs on July 18, and at least 85 organizations have reportedly been hit, including multinationals and government entities. Reported victims include a private university and a private energy operator in California, a federal government health organization, and a private fintech firm in New York.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
