Microsoft addresses vulnerabilities in SharePoint Server 2019 and SharePoint Server Subscription Edition, following reported attacks.
In a recent development, Microsoft has advised administrators to take immediate action to secure their SharePoint Servers, which are affected by the zero-day vulnerabilities CVE-2025-53770 and CVE-2025-53771.
As of now, the patches for SharePoint Server 2016 are yet to be released, and Microsoft is actively working on updates. In the meantime, it is crucial to monitor the company's website for the upcoming release and apply it as soon as it becomes available.
To enhance security, it is recommended to use supported configurations of SharePoint and ensure that the Anti-malware Scan Interface (AMSI) is turned on and configured correctly with an appropriate antivirus solution like Defender Antivirus. Additionally, Microsoft Defender for Endpoint or equivalent threat solutions should be deployed to further protect the servers.
Another crucial step is to rotate the SharePoint Server ASP.NET machine keys twice—once before triage and again after patching—to invalidate any stolen keys that could be used for remote code execution attacks.
Administrators should also be vigilant and check IIS logs for suspicious requests and unexpected .aspx uploads. Suspected hosts should be isolated via Microsoft Defender for Endpoint, and memory plus SharePoint ULS logs should be collected for further analysis.
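One way to do the IIS log check described above, as an added example that is not from the original article or from Microsoft: parse IIS W3C extended logs and flag requests for .aspx pages that were not part of a known baseline for the farm. The log lines, the baseline set and the path `upload_check.aspx` are constructed for illustration, not real indicators.

```python
from collections import Counter

# Constructed IIS W3C extended log excerpt (not from any real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-20 01:02:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 10.0.0.7 200
2025-07-20 01:02:09 10.0.0.5 POST /_layouts/15/upload_check.aspx - 443 198.51.100.23 200
2025-07-20 01:02:11 10.0.0.5 GET /_layouts/15/upload_check.aspx cmd=1 443 198.51.100.23 200
2025-07-20 01:03:00 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 10.0.0.9 200
2025-07-20 01:03:05 10.0.0.5 GET /_layouts/15/images/logo.png - 443 10.0.0.9 200
"""

# Hypothetical baseline: .aspx paths seen on this farm before the incident window.
BASELINE_ASPX = {
    "/_layouts/15/start.aspx",
    "/sites/hr/sitepages/home.aspx",
}

def parse_iis_log(text):
    """'#Fields:' lines define the columns for the records that follow;
    other '#' lines are directives and are skipped."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records

def find_unexpected_aspx(records, baseline=BASELINE_ASPX):
    """Requests for .aspx pages absent from the baseline: a new .aspx under a
    layouts path is exactly the 'unexpected upload' the triage step looks for."""
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.endswith(".aspx") and stem not in baseline:
            hits.append(rec)
    return hits

def summarize_by_client(hits):
    """Flagged requests per client IP, to prioritise which hosts to isolate."""
    return Counter(rec["c-ip"] for rec in hits)
```

Build the baseline from logs predating the incident window; every hit still needs manual review, since a legitimately deployed page will also show up as new.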
To reduce the attack surface, it is advised to temporarily remove public exposure by placing Web Front Ends behind VPN/ZTNA or blocking TCP 80/443 externally. It is also essential to ensure all other software and systems are up to date to prevent cascading vulnerabilities.
SharePoint Online is not affected by these vulnerabilities. Microsoft is releasing out-of-band security updates for SharePoint Server 2019 and SharePoint Server Subscription Edition due to ongoing attacks on vulnerable versions.
Michael Sikorski, head of threat intelligence for Unit 42 at Palo Alto Networks, stated that if SharePoint on-prem is exposed to the internet, it's assumed to have been compromised.
The security updates address CVE-2025-53770, a remote code execution vulnerability, and CVE-2025-53771, a path traversal vulnerability. However, it is important to note that installing the patches alone may not fully remediate a server whose keys were already stolen, so the SharePoint Server ASP.NET machine keys should be rotated as well.
Microsoft has advised that if AMSI cannot be enabled, the server should be disconnected from the internet until a security update is available. Administrators of on-premises SharePoint Server 2019 and SharePoint Server Subscription Edition are advised to apply the fixes immediately.
It is essential to stay informed and continuously monitor Microsoft Security Response Center (MSRC) advisories for updates and further instructions. The discovery of these zero-day vulnerabilities underscores the importance of maintaining robust security measures for all systems, especially those that are interconnected like SharePoint.
- Given the current situation, administrators should keep a close eye on Microsoft's website for the patches for SharePoint Server 2016, which have not yet been released and which the company is actively working on.
- To boost security, administrators are recommended to employ supported configurations of SharePoint, ensure that the Anti-malware Scan Interface (AMSI) is activated and correctly configured with a reliable antivirus solution like Defender Antivirus, and deploy Microsoft Defender for Endpoint or an equivalent threat solution to fortify servers.
- A crucial step in the process is to rotate the SharePoint Server ASP.NET machine keys twice—once before triage and again after patching—to invalidate any stolen keys that could be used for remote code execution attacks.
- To minimize risk, administrators can temporarily remove public exposure by placing Web Front Ends behind VPN/ZTNA or blocking TCP 80/443 externally. It is equally important to ensure that all other software and systems are up to date to avert cascading vulnerabilities.