Microsoft Warns of Active Exploitation of Critical SharePoint Vulnerability
Microsoft has announced a critical security vulnerability, CVE-2025-53770, affecting on-premises SharePoint servers. The flaw allows attackers to run commands without authentication, establish persistence, and move laterally. Microsoft warns of active exploitation and recommends immediate action.
The vulnerability, a deserialization of untrusted data flaw, was first identified as a variant of CVE-2025-49706, which was patched in July. It allows unauthorized attackers to execute code remotely. Security researchers from Eye Security and Palo Alto Networks have warned of attacks that combine this flaw with CVE-2025-49704 in a chain dubbed 'ToolShell'.
Microsoft has confirmed that SharePoint Online in Microsoft 365 is not affected. They are preparing a comprehensive update to fix CVE-2025-53770, released in September. In the meantime, Microsoft recommends enabling AMSI integration and deploying Microsoft Defender across all SharePoint Server farms to mitigate risks.
The SharePoint security vulnerability, CVE-2025-53770, poses a significant threat to on-premises servers. With active exploitation reported, Microsoft urges users to apply the September update promptly and follow recommended security measures. Affected users should stay vigilant and monitor their systems for any suspicious activity.