Microsoft Patches Critical SharePoint Vulnerabilities Amid Active Attacks

Microsoft has patched two critical SharePoint vulnerabilities. Ongoing attacks exploit these flaws, affecting on-premises servers and highlighting the importance of keeping systems up to date.

Microsoft has patched a critical SharePoint vulnerability (CVE-2025-53770) and disclosed a new one (CVE-2025-53771), warning users of ongoing attacks on on-premises servers. The first flaw, a deserialization issue, allows attackers to run commands without authentication, using stolen keys to persist and move laterally.

The vulnerability, affecting only on-prem SharePoint servers and not SharePoint Online in Microsoft 365, is being actively exploited in the wild. Microsoft states that the flaw allows unauthorized attackers to execute code over a network by abusing object deserialization. The second patched flaw, CVE-2025-53771, is a spoofing issue caused by improper path restrictions, which can be chained with CVE-2025-53770 for remote code execution.

Microsoft recommends enabling AMSI integration and deploying Microsoft Defender across all SharePoint Server farms to protect against the newly identified vulnerability, which is a variant of a spoofing flaw (CVE-2025-49706) addressed in the July 2025 Patch Tuesday updates. Security firms such as Eye Security and Palo Alto Networks have warned of attacks that combine two SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, in a chain called 'ToolShell'.

Microsoft urges on-prem SharePoint users to apply the latest security updates and follow recommended mitigations to protect against these active threats. The patched flaws highlight the importance of keeping systems up to date and implementing robust security measures.
