Hackers Renew Attacks on Microsoft SharePoint Using Critical Zero-Day Exploits, Affecting Over 85 Servers
In a recent development, Microsoft SharePoint is under active attack with two new zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, being exploited. These vulnerabilities have compromised at least 85 on-premise SharePoint servers worldwide since 18 July.
To mitigate the risk before patches become available, administrators of SharePoint servers should take immediate action. Here are the critical steps recommended:
- Enable and Properly Configure AMSI: Admins are urged to enable the Antimalware Scan Interface (AMSI) integration within SharePoint and install Microsoft Defender Antivirus on all SharePoint servers. AMSI integration was enabled by default in recent updates but should be confirmed to be active and in Full Mode for optimal protection against exploitation attempts.
- Rotate ASP.NET Machine Keys: Rotate the ASP.NET machine keys twice — once before applying the security update and again afterwards — to invalidate any potentially compromised cryptographic keys or sessions created by attackers. This can be done either via PowerShell using the cmdlet or through SharePoint's Central Administration interface by running the "Machine Key Rotation" job and then restarting IIS across all servers.
- Internet Disconnection: If enabling AMSI is not possible, administrators are advised to disconnect SharePoint servers exposed to the public internet to prevent remote attacks until official patches or mitigations are applied. Alternatively, restrict unauthenticated access via VPNs, proxies, or authentication gateways.
- Investigate Systems: Conduct thorough investigation and cleanup of compromised systems, including the presence of malicious files such as .dll payloads and web shells. Remove any discovered malicious artefacts and restart the IIS service to clear persistence mechanisms.
- Apply Patches: Once available, apply the released security updates from Microsoft immediately to fully remediate the vulnerabilities. As of now, a patch for SharePoint Server 2016 is not available yet. However, Microsoft has released security patches for SharePoint Server Subscription Edition and SharePoint Server 2019.
- Additional Measures: Follow additional organisational and cloud service security guidance such as BOD 22-01 for cloud environments or consider discontinuing use of vulnerable products if mitigations are unavailable.
Forensic investigation and ongoing monitoring are essential until the threat is fully mitigated. Microsoft has provided guidance on what to look for to help organisations identify whether their servers have already been compromised. For instance, the presence of the file in the SharePoint layouts directory can be a sign of a breach.
In the meantime, Microsoft 365 Defender can be used with a specific query to check for evidence of the malicious file being created or accessed. The specific query can be found in a blog post on Microsoft's website.
It's important to note that these vulnerabilities apply only to on-premises SharePoint Servers, not SharePoint Online in Microsoft 365. Rotating machine keys can help prevent attackers from using stolen credentials to exploit compromised servers. Microsoft has released an update (KB5002768) for SharePoint Subscription Edition, but security updates for the older editions are still in progress.
Stay vigilant and secure your SharePoint servers promptly to minimise the risk of a breach.
- To strengthen the cybersecurity measures of SharePoint servers, administrators should enable AMSI integration and install Microsoft Defender Antivirus, as it offers optimal protection against exploitation attempts.
- Utilizing technology like Microsoft 365 Defender, administrators can apply specific queries to check for evidence of malicious files being created or accessed, helping to identify compromised servers and mitigate potential threats promptly.
