Microsoft SharePoint Under Zero-Day Attack, Patch Pending

Microsoft confirms active zero-day attacks on on-premises SharePoint servers, no patch yet; mitigation advised amid rising risk.

Microsoft has confirmed an active and ongoing zero-day attack targeting on-premises SharePoint servers via a newly identified vulnerability, CVE-2025-53770. Despite recent patches to a related flaw, this variant remains unpatched, exposing organizations worldwide to significant risk.

What Happened?

On July 19, 2025, Microsoft publicly acknowledged that attackers are actively exploiting a critical zero-day vulnerability in SharePoint Server, a variant of the recently patched CVE-2025-49706. This new flaw, CVE-2025-53770, allows unauthenticated remote code execution.

How Is the Attack Conducted?

Attackers leverage this vulnerability to deploy a stealthy backdoor—a malicious ASPX file called spinstall0.aspx—which extracts SharePoint’s cryptographic keys. These keys enable forged requests mimicking legitimate authentication, allowing attackers to gain persistent server control.
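
A defender can check IIS access logs for requests to that file name. The following is an added example, not code from Microsoft or from this article: the log excerpt, its IP addresses and the directory `/constructed/dir/` are constructed for illustration, and the function names are hypothetical.

```python
from collections import defaultdict

INDICATOR = "spinstall0.aspx"  # backdoor file name reported in the article

# Constructed sample in IIS W3C extended log format (documentation IP ranges,
# made-up directory). The second #Fields line models a changed logging config.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:11:04 10.0.0.5 GET /sites/team/default.aspx - 443 - 10.0.0.23 Mozilla/5.0 200 0 0 31
2025-07-19 02:14:37 10.0.0.5 GET /constructed/dir/SPINSTALL0.ASPX - 443 - 203.0.113.7 curl/8.0 200 0 0 12
2025-07-19 02:15:02 10.0.0.5 GET /constructed/dir/spinstall0.aspx - 443 - 198.51.100.9 python-requests/2.31 404 0 2 3
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-07-19 03:00:00 GET /constructed/dir/spinstall0.aspx 203.0.113.7 200
"""

def find_indicator_requests(log_text, indicator=INDICATOR):
    """Return parsed log rows whose requested file name matches the indicator."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        # IIS treats paths case-insensitively, so compare the lowercased file name.
        if row.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower() == indicator:
            hits.append(row)
    return hits

def summarize(hits):
    """Group hits by client IP; 'served' is True if any request returned 200."""
    by_client = defaultdict(lambda: {"requests": 0, "served": False})
    for row in hits:
        entry = by_client[row.get("c-ip", "unknown")]
        entry["requests"] += 1
        if row.get("sc-status") == "200":
            entry["served"] = True  # the server answered for that file name
    return dict(by_client)

if __name__ == "__main__":
    for ip, info in summarize(find_indicator_requests(SAMPLE_LOG)).items():
        print(ip, info)
```

A 200 response for this file name means the server served it and the host should be treated as needing investigation; a 404 only shows that a client asked for it.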

Where and Who Is Affected?

The attacks target on-premises SharePoint Server 2016, 2019, and Subscription Edition, affecting dozens of organizations globally, especially across Europe. Crucially, SharePoint Online (Microsoft 365) remains unaffected.

Microsoft's Response and Interim Measures

Currently, no official patch is available. Microsoft urges customers to enable Antimalware Scan Interface (AMSI) integration and deploy Microsoft Defender Antivirus on SharePoint servers. If AMSI cannot be enabled, disconnecting SharePoint servers from internet access is strongly advised.

Conclusion:
This unfolding crisis underscores the urgent threat posed by sophisticated zero-day exploits targeting critical collaboration infrastructure. Organizations with on-premises SharePoint must act immediately on Microsoft’s mitigation advice while monitoring for updates on a forthcoming security patch.

Credible Attribution:
Information verified against Microsoft security advisories and analysis from leading cybersecurity firm Eye Security and from CISA.

Dr. Ambrose Greenfelder

Senior Editor & Content Strategist

Dr. Ambrose Greenfelder is a highly skilled and detail-oriented Senior Editor with over a decade of experience in digital journalism, editorial strategy, and content curation. He leads the editorial team at HeyColleagues.com, ensuring every article meets the highest standards of accuracy, clarity, SEO best practices, and journalistic integrity. With a background in media studies and a doctorate in communication, Dr. Greenfelder specializes in shaping compelling narratives, mentoring writers, and aligning content with reader interests and search trends. His editorial vision plays a crucial role in keeping the website informative, trustworthy, and engaging for a global audience.
