Active Exploitation Campaign Targets Microsoft SharePoint Zero-Day Flaw

A critical vulnerability in Microsoft SharePoint Server is being exploited in a large-scale attack campaign. The flaw, tracked as CVE-2025-53770 and rated CVSS 9.8 (critical), lets an unauthenticated attacker execute code remotely on affected on-premises servers. Microsoft describes it as a variant of CVE-2025-49706, a spoofing bug it had patched only days earlier in its July 2025 security updates.

Microsoft disclosed the zero-day in an advisory issued on July 19, 2025, attributing it to deserialization of untrusted data in on-premises SharePoint Server. Because the vulnerable code path is reachable before authentication, an attacker on the network can reach code execution without valid credentials. Microsoft credits Viettel Cyber Security, working with Trend Micro's Zero Day Initiative (ZDI), with the discovery.

At the time of the advisory no security update was available, which is what raised the most concern. Microsoft's interim guidance was to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Microsoft Defender Antivirus on every SharePoint server; where AMSI cannot be enabled, to disconnect the server from the internet until a fix ships; and to deploy Defender for Endpoint to detect and block post-exploitation activity. Practitioners should note that AMSI is a mitigation, not a fix: it inspects requests for the known exploit traffic and does not remove the underlying deserialization flaw. Microsoft confirmed that SharePoint Online in Microsoft 365 is not affected.

Separately, Eye Security and Palo Alto Networks Unit 42 reported that attackers are chaining CVE-2025-53770 with two other SharePoint bugs fixed in the July 2025 updates, CVE-2025-49704 (code injection, CVSS 8.8) and CVE-2025-49706 (the spoofing bug), to obtain arbitrary command execution on vulnerable instances. Eye Security counted more than 85 compromised SharePoint servers worldwide across multiple sectors, so organizations running on-premises SharePoint should treat this as an emergency rather than a routine patch cycle.
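Because Microsoft's own guidance pairs the AMSI mitigation with Defender for Endpoint for detection of post-exploitation, the practical follow-up question for a defender is what an unauthenticated exploitation attempt looks like in the server's own logs. The script below is an added example, not code from the article, from Microsoft, or from the vendors cited here: it parses an IIS W3C log from a SharePoint front end and flags the request shape the advisory implies (anonymous POSTs to server-side pages under `/_layouts/`, and anonymous 200 responses for `/_layouts/` pages from outside the internal ranges). The log lines are constructed, the page names in them are placeholders, and the rules are an assumption derived from the advisory's description of the bug, not a published indicator list; populate them from the Microsoft, Eye Security and Unit 42 write-ups before relying on them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterator

# Constructed sample of an IIS W3C log from an on-premises SharePoint
# front end (not real telemetry). The /_layouts/ page names are placeholders,
# and 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 23:14:51 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 131
2025-07-18 23:15:02 10.0.0.5 POST /_layouts/15/upload.aspx List=Docs 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 412
2025-07-18 23:15:09 10.0.0.5 POST /_layouts/15/example.aspx - 443 - 203.0.113.7 python-requests/2.32 - 200 0 0 88
2025-07-18 23:15:10 10.0.0.5 GET /_layouts/15/dropped.aspx - 443 - 203.0.113.7 python-requests/2.32 - 200 0 0 17
2025-07-18 23:16:40 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 198.51.100.9 Mozilla/5.0 - 401 2 5 3
"""

# Assumption: these are the ranges considered "inside"; adjust to your estate.
# (ipaddress.is_global is deliberately not used: it treats the documentation
# ranges in the sample as non-global, which would hide the external hits.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Finding:
    rule: str
    line_no: int
    client_ip: str
    method: str
    uri_stem: str


def parse_w3c(text: str) -> Iterator[tuple[int, dict]]:
    """Yield (line number, record) per entry, mapping columns from the
    #Fields directive so the field order is not hard-coded. IIS encodes
    spaces inside fields as '+', so whitespace splitting is safe."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # truncated or malformed entry
            continue
        yield n, dict(zip(fields, parts))


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(text: str) -> list[Finding]:
    """Flag anonymous requests to /_layouts/ pages that the server answered
    with 2xx. A POST is flagged from any source; a GET for an .aspx page is
    flagged only when it comes from outside INTERNAL_NETS."""
    findings: list[Finding] = []
    for n, r in parse_w3c(text):
        anon = r.get("cs-username", "-") == "-"
        stem = r.get("cs-uri-stem", "").lower()
        status = r.get("sc-status", "")
        if not (anon and stem.startswith("/_layouts/") and status.startswith("2")):
            continue
        external = not is_internal(r.get("c-ip", ""))
        if r["cs-method"].upper() == "POST":
            rule = "anon-post-layouts"
        elif external and stem.endswith(".aspx"):
            rule = "anon-external-layouts-aspx"
        else:
            continue
        findings.append(Finding(rule, n, r["c-ip"], r["cs-method"], r["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} {f.client_ip} {f.method} {f.uri_stem}")
```

Run it against the real files under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC<n>\` on each front end; the two hits in the constructed log are the anonymous external POST and the anonymous external fetch of a `/_layouts/` page that should not exist, while the authenticated internal POST and the anonymous request that was refused with 401 are left alone.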

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the active exploitation of CVE-2025-53770 and is working with Microsoft to notify potentially affected organizations and point them to the recommended mitigations. The episode underscores how much defending against emerging threats depends on that kind of operational collaboration between vendors and government agencies.