Microsoft on Sunday announced security patches for an active โzero-day,โ targeting the companyโs critical on-premises SharePoint servers used by agencies, government, universities, and businesses globally.
The zero-day attack is identified as CVE-2025-53770 with a CVSS score of 9.8, a variant of CVE-2025-4970 (CVSS score: 8.8). It mainly allows attackers to perform remote code execution and spoofing by exploiting the flaws and incorrect path limitations within the SharePoint server.
Because it targeted an undiscovered vulnerability, the breach is referred to as a "zero-day" attack. Around tens of thousands of servers were in danger due to this.
The alert was issued on Sunday, in which Microsoft stated that the vulnerabilities are only applicable to SharePoint servers within the organization. Additionally, they said that SharePoint Online, hosted in a cloud environment within Microsoft 365, remains unaffected.
โAnybody whoโs got a hosted SharePoint server has got a problem,โ the senior VP of cybersecurity firm CrowdStrike, Adam Meyer,ย stated. โItโs a significant vulnerability,โ he added.
Currently, the FBI, CISA, and internal partners are working closely with Palo Alto Networks Unit 42 to investigate these breaches, describing it as a high-impact, ongoing threat campaign.
Steps to Mitigate the Microsoft SharePoint Vulnerability
The following are some of the steps customers can take to mitigate the potential attacks:
- Rotate the SharePoint ASP.NET machine keys.
- Use the latest versions of SharePoint servers (SharePoint Server 2016, 2019, and SharePoint Subscription Edition)
- Install Microsoft Defender or similar threat management software for endpoint security.
Hereโs what the attackers are putting in place:
They are primarily bypassing MFA and SSO to gain privileged access for stealing sensitive data, cryptographic keys, and more. Over the past five months, they have compromised a minimum of 54 entities, including banks, government agencies, and other organizations.
Having access to SharePoint is challenging, as it grants control over Microsoft Teams and Outlook, thereby putting the companyโs sensitive data at risk.
How Are Organizations Alerted?
If you are on a SharePoint server, consider the possibility of being compromised by this attack. However, patching is not the only solution if breaches have occurred within the past 72 hours. Organizations are made aware of the attack, categorizing it as a high-priority, high-risk vulnerability. They must apply security patches and take necessary actions accordingly.
According to a warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), CVE-2025-53770 is being actively exploited to allow arbitrary code execution over the network and unauthenticated access to SharePoint servers.
The attack has affected organizations in the U.S., Canada, Australia, and Europe, reportedly breaching at least two U.S. federal agencies. Indeed, this is another hit to Microsoftโs credibility in the cybersecurity industry. Last year, its negligence allowed Chinese hackers to breach US government emails.
That being said, itโs now time for Microsoft to place a significant focus on its security posture and avoid introducing new vulnerabilities going forward.
To stay tuned with all the news around the cybersecurity landscape, click here.
Also Read: Google Chrome Zero Day Vulnerability: All You Need to Know About
