SharePoint Server Under Active Zero-Day Attack (CVE-2025-53770, CVSS 9.8), No Patch Yet!

Microsoft has issued an urgent security advisory for on-premises SharePoint Server customers in response to active exploitation of a critical remote code execution (RCE) vulnerability. The issue—now tracked as CVE-2025-53770 with a CVSS score of 9.8—is being used in the wild by threat actors and presents a serious risk to unpatched systems.

“Microsoft is aware of active attacks targeting on-premises SharePoint Server customers. The attacks are exploiting a variant of CVE-2025-49706,” the guidance states.

The flaw exists in the way on-premises SharePoint Server handles deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code remotely over a network.

“Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network,” the advisory explains.

This critical vulnerability does not affect SharePoint Online, as confirmed by Microsoft.

As of now, no security update is available, but Microsoft is actively working on a fix.

“Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. This page will be updated when an update is available.”

In the meantime, Microsoft has provided mitigation steps to help protect systems from exploitation:

• Enable AMSI integration in SharePoint Server.
• Deploy Microsoft Defender Antivirus across all SharePoint servers.
• Disconnect the server from the internet if AMSI cannot be enabled.

“If enabling AMSI is not an option, you should remove access to the internet from the SharePoint server. These two options protect from unauthenticated attacks,” the advisory recommends.

Microsoft Defender Antivirus and Defender for Endpoint can detect post-exploitation activity using several detection names:

• Exploit:Script/SuspSignoutReq.A
• Trojan:Win32/HijackSharePointServer.A

Related alerts in the Microsoft Defender Security Center include:

• Possible web shell installation
• Possible exploitation of SharePoint server vulnerabilities
• Suspicious IIS worker process behavior
• ‘SuspSignoutReq’ malware was blocked on a SharePoint server
• HijackSharePointServer’ malware was blocked on a SharePoint server

Microsoft has also released a KQL (Kusto Query Language) script for advanced hunting. The query searches for the creation of spinstall0.aspx, a telltale sign of successful post-exploitation:

DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx"
or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc

Update

Customers using SharePoint 2016 or 2019 should follow the guidance below.

1. Use or upgrade to supported versions of on-premises Microsoft SharePoint Server

• Supported versions: SharePoint Server 2016, 2019, & SharePoint Subscription Edition

2. Apply the latest security updates

• Latest update: July 2025 Security Update

3. Ensure the Antimalware Scan Interface is turned on and configured correctly

Related Posts:

• Microsoft’s September Patch Tuesday: A Patchwork of Urgency with 4 Zero-Days Under Attack
• Microsoft Raises Server Prices: 10% Increase Coming
• CVE-2024-38094 Exploited: Attackers Gain Domain Access via Microsoft SharePoint Server
• Microsoft Enhances Exchange and SharePoint Security with AMSI Integration
• SharePoint Shadow: Havoc’s FUD Malware Conceals Cyber Attacks

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy