Critical Security Alert: Immediate Action Required for Self-Hosted SharePoint Servers (CVE-2025-53770)

A critical, newly disclosed, and actively exploited vulnerability, CVE-2025-53770, affects all self-hosted (on-premises) Microsoft SharePoint Server versions. It does not impact SharePoint Online (Microsoft 365).

The exploit enables attackers to:

  • Bypass authentication
  • Install persistent backdoors
  • Launch ransomware
  • Steal sensitive data

Immediate Steps to Take:

  • Patch all on-premises SharePoint servers immediately following Microsoft guidance
  • Disconnect unpatched servers from the Internet immediately
  • For versions older than SharePoint 2016:
    • Block external access now
    • Plan and execute an upgrade to a supported, patched version urgently
  • Even servers that are only accessible internally must be patched, because of the ease and severity of exploitation

Note: If you suspect that an attack has occurred or been successful, isolate any machine suspected of compromise immediately, including by shutting it down.

It is also recommended to isolate those instances using zero-trust practices to prevent lateral movement of any malware already present in the system.

This vulnerability is being weaponized in the wild and poses a significant risk to data integrity and network security.

CVE Reference: CVE-2025-53770

Be aware that there may be additional vulnerabilities connected to this incident, including CVE-2025-53771, which is related to path traversal in Microsoft Office SharePoint and is awaiting analysis as of this publication date.

We highly recommend following and subscribing to the CISA Cybersecurity Alerts & Advisories for the latest updates.

Need Help?

If you need assistance evaluating your systems or applying patches, contact us right away.

Thank you,

Command Prompt Team