Global organizations face attack from a zero-day vulnerability affecting SharePoint systems
In a concerning turn of events, over 75 servers across 29 organizations, including European government agencies, Asian multinational firms, and Brazilian universities, have been attacked. The attacks exploited a zero-day vulnerability in Microsoft's on-premise SharePoint Server, tracked as CVE-2025-53770.
Microsoft has responded swiftly, urging all on-premise SharePoint users to update immediately. It has released a patch for CVE-2025-53770 and a related flaw (CVE-2025-53771). To secure an on-premise SharePoint Server against exploitation of CVE-2025-53770, you should:
1. **Immediately apply the latest security patches** from Microsoft released on July 19-21, 2025. These patches address CVE-2025-53770 (critical remote code execution) and the related vulnerability CVE-2025-53771 with more comprehensive protections than earlier updates.
2. **Enable Antimalware Scan Interface (AMSI) integration** in SharePoint and deploy Defender Antivirus on all SharePoint servers. Microsoft recommends this as a key mitigation to prevent exploitation in environments where patching cannot be done immediately.
3. **Deploy Defender for Endpoint** to detect and block post-exploitation activity, as attackers use this vulnerability to place backdoors and steal cryptographic keys for persistent access.
4. If enabling AMSI or deploying these protections is not feasible, **isolate the SharePoint servers from internet access** to prevent attackers from exploiting this vulnerability remotely.
5. Monitor for indicators of compromise and implement detection rules as advised by security vendors like Rapid7 and Trend Micro, since the vulnerability is actively exploited in the wild and known to be used in sophisticated persistent attacks.
The breach highlights the importance of fast detection, response, and recovery in the face of evolving threats. The vulnerability stems from the way SharePoint handles incoming data: it automatically processes (deserializes) incoming data objects without checking their origin or safety. Attackers were able to gain access without any login credentials and steal the cryptographic keys (MachineKeys) that secure data within the servers. Patching alone may therefore not be enough to secure systems affected by the SharePoint vulnerability.
The breach resulted from a deserialization attack, which allowed the attackers to inject malicious instructions that the system followed blindly. MachineKeys are used to control access and validate users; once stolen, they let an attacker forge trusted credentials and remain hidden within a system even after the patch is applied, because patching does not invalidate keys that have already been taken.
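The five-step procedure above and the MachineKey caveat just described translate into a post-patch verification pass on each farm server. The following script is an added example for this article, not Microsoft's code: it assumes it runs in an elevated SharePoint Management Shell with Defender Antivirus installed, and that the `Update-SPMachineKey` cmdlet is available on the installed SharePoint version (if it is not, keys must be rotated through Central Administration instead).

```powershell
# Post-patch hardening check for on-premise SharePoint after CVE-2025-53770.
# Assumptions (added example): elevated SharePoint Management Shell on a farm
# server, Defender Antivirus present, Update-SPMachineKey available on this
# SharePoint release. Key rotation alone restarts nothing, so iisreset follows.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: record the farm build so it can be compared with the July 2025 patch level.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# Step 2: confirm Defender Antivirus is running with real-time protection.
$mp = Get-MpComputerStatus
if (-not ($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)) {
    Write-Warning "Defender real-time protection is not active on this server."
}
Write-Host "Antivirus signatures last updated: $($mp.AntivirusSignatureLastUpdated)"

# Step 2 (continued): list the AMSI providers registered on this host. With no
# provider registered, turning on SharePoint's AMSI integration scans nothing.
$providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
if ($providers) {
    $providers | ForEach-Object { Write-Host "AMSI provider registered: $($_.PSChildName)" }
} else {
    Write-Warning "No AMSI providers are registered on this server."
}

# MachineKey caveat: the patch does not invalidate keys that were already stolen,
# so rotate the ASP.NET machine key of every web application after patching.
if (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue) {
    foreach ($webApp in Get-SPWebApplication) {
        Write-Host "Rotating machine key for $($webApp.Url)"
        Update-SPMachineKey -WebApplication $webApp
    }
    iisreset   # new keys take effect only once the worker processes restart
} else {
    Write-Warning "Update-SPMachineKey not available; rotate keys via Central Administration."
}
```

Run it on every server in the farm after the July 2025 updates are installed, and treat any warning it prints as an open item rather than a finished remediation.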
SharePoint is widely used in sensitive environments and often runs on older, on-premise setups that are harder to secure. This is not the first persistence-focused attack of this kind; Atlassian's Confluence and Oracle's WebLogic have also been targeted. It is crucial for organizations to prioritize the security of their on-premise SharePoint servers and take proactive measures to protect their data.
In light of these attacks, organizations should treat their on-premise SharePoint servers as a priority for proactive security measures, starting with prompt application of the security patches Microsoft released on July 19-21, 2025 for CVE-2025-53770 and CVE-2025-53771.