Microsoft has warned users of SharePoint Server that three on-prem versions of the product include a zero-day flaw that is under attack – and that its own failure to completely fix past problems is the cause.
In a July 19 security note, the software giant admitted it is “… aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”
The attack targets CVE-2025-53770, a flaw rated 9.8/10 on the CVSS scale as it means “Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.”
The US Cybersecurity and Infrastructure Security Agency (CISA) advises CVE-2025-53770 is a variant of CVE-2025-49706, a 6.3-rated flaw that Microsoft tried to fix in its most recent patch Tuesday update.
The flaw is present in SharePoint Enterprise Server 2016. SharePoint Server 2019, and SharePoint Server Subscription Edition. At the time of writing, Microsoft has issued a patch for only the latter product.
That patch addresses a different vulnerability – the 6.3-rated path traversal flaw CVE-2025-53771 which mitigates that flaw and the more dangerous CVE-2025-53770. While admins wait for more patches, Microsoft advised them to ensure the Windows Antimalware Scan Interface (AMSI) is enabled and configured correctly, alongside an appropriate antivirus tool. Redmond also wants users to watch for suspicious IIS worker processes, and rotate SharePoint Server ASP.NET machine keys.
CISA has also issued its own warning. “Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025,” it said. “Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.”
Source: Microsoft warns on-prem SharePoint users of a zero-day • The Register
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft