SharePoint Vulnerabilities: What you need to know
Disrupting Active Exploitation of On-Premises SharePoint Vulnerabilities: What You Need to Know
On July 19, 2025, the Microsoft Security Response Center (MSRC) confirmed widespread, active attacks targeting on-premises SharePoint servers. Cybercriminals are exploiting newly disclosed vulnerabilities, notably CVE-2025-53770 and CVE-2025-53771, resulting in significant risk for organizations maintaining outdated or unpatched environments135.
How the Attacks Unfold
Threat actors are leveraging an authentication bypass and remote code execution exploit through specially crafted POST requests to the SharePoint ToolPane endpoint. Upon breaching a server, they typically deploy a malicious web shell (for example, spinstall0.aspx or variants like spinstall1.aspx), which executes commands to exfiltrate sensitive MachineKey data. This critical information can then be used for ongoing, undetected persistence and lateral movement across the victim’s network15. Attackers have demonstrated the ability to bypass advanced identity controls—including MFA and SSO—and even deploy ransomware on compromised systems457.
Immediate Indicators and Threat Hunting Guidance
Microsoft published detailed Indicators of Compromise (IOCs) for rapid detection, including advanced hunting queries to identify suspicious file uploads and web shell presence. Security teams are strongly encouraged to monitor for evidence of spinstall0.aspx and related artifacts within server logs and conduct thorough incident response if detected137.
Critical Mitigation Measures
To reduce exposure and prevent compromise, Microsoft advises the following steps:
-
Apply the Latest Security Updates Immediately: Protection against these vulnerabilities is included in the most recent patches for supported SharePoint versions—2016, 2019, and SharePoint Subscription Edition136.
-
Enable AMSI and Antimalware Protection: Ensure the Antimalware Scan Interface (AMSI) is active and deploy Microsoft Defender Antivirus on all SharePoint servers. AMSI integration, enabled by default in post-September 2023 releases, blocks unauthenticated exploitation attempts13.
-
Rotate Machine Keys and Restart IIS: After patching, securely rotate ASP.NET machine keys and restart Internet Information Services (IIS) on all affected servers to invalidate stolen credentials and session material357.
-
Reduce Attack Surface: If AMSI cannot be enabled, consider disconnecting servers from the internet or restricting access via VPN or authentication gateways until all mitigations are in place13.
-
Monitor for Persistence and Engage Incident Response: Recognize that simple patching does not guarantee full eviction of adversaries due to machine key and session token theft; perform post-incident compromise assessments and cryptographic rotation57.
Why This Matters
SharePoint on-premises is often deeply integrated with broader enterprise systems (like Office, Teams, and OneDrive), meaning a single compromise can rapidly escalate into organization-wide risk, data loss, and business disruption. Early July saw hundreds of organizations breached, prompting urgent advisories from Microsoft, the UK NCSC, and US CISA48.
What To Do Summary
Is your on-premises SharePoint server fully protected?
Don’t wait—review your defences now.
Update all SharePoint servers with the latest security patches.
Enable Antimalware Scan Interface (AMSI) and deploy Microsoft Defender Antivirus.
Rotate your Machine Keys and restart IIS to disrupt attacker persistence.
Actively hunt for threats using the latest indicators of compromise.
For step-by-step instructions and expert guidance, visit Microsoft Security Blog or contact your security team today.
Stay ahead of evolving threats—secure your data, protect your business, and spread the word by sharing this article with your IT and cybersecurity colleagues.
Conclusion
Immediate action is required. Organizations relying on on-premises SharePoint should update their servers, activate AMSI defenses, rotate machine keys, and undertake proactive threat hunting. Given the sophistication and ongoing evolution of attack campaigns, staying current with Microsoft's official guidance and engaging cybersecurity expertise are essential for defending critical business data and maintaining operational resilience137.
Microsoft has reported active exploitation of critical vulnerabilities in on-premises SharePoint servers, leading to unauthorized access, remote code execution, and persistent compromise by threat actors137. The main vulnerabilities targeted include CVE-2025-53770 and CVE-2025-53771, often exploited by sending crafted POST requests to upload malicious web shells such as spinstall0.aspx, enabling attackers to steal machine key data for further attacks1357. Customers are urged to apply immediate security updates, enable Antimalware Scan Interface (AMSI) integration, deploy Microsoft Defender Antivirus, and rotate ASP.NET machine keys to fully mitigate these risks1367.
[Source: Disrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog]2
- https://www.microsoft.com/en-us/security/blog/2
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- https://www.ncsc.gov.uk/news/active-exploitation-of-vulnerability-affecting-microsoft-office-sharepoint-server-products-in-the-uk
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- https://www.cisa.gov/news-events/alerts/2025/07/20/update-microsoft-releases-guidance-exploitation-sharepoint-vulnerabilities
- https://www.trellix.com/blogs/research/critical-sharepoint-vulnerabilities-under-active-exploitation/
- https://riskledger.com/resources/sharepoint-vulnerabilities
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
- https://www.cybersecurity-review.com/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
Comments
Post a Comment