Microsoft has issued a warning about a critical zero-day vulnerability in SharePoint, identified as CVE-2025-53770, that is being actively exploited. The vulnerability, with a CVSS score of 9.8, involves the deserialization of untrusted data in on-premises Microsoft SharePoint Server and allows unauthorized attackers to execute code remotely. Discovered by Viettel Cyber Security, the flaw remains unpatched, but Microsoft is working on a comprehensive update. In the interim, users are advised to enable AMSI integration and deploy Microsoft Defender to protect their SharePoint Server environments.

The vulnerability is a variant of a previously addressed spoofing flaw, CVE-2025-49706. The exploit allows attackers to execute commands pre-authentication and move laterally using stolen machine keys, complicating detection. Security researchers have observed attacks leveraging both CVE-2025-49706 and another flaw, CVE-2025-49704, in a chain dubbed “ToolShell.” This chain bypasses authentication and enables remote code execution.

Eye Security detected large-scale exploitation of this vulnerability chain on July 18, 2025, affecting numerous SharePoint servers globally. Eye Security recommends immediate patching and conducting compromise assessments for potentially affected systems.