Microsoft has patched two critical zero-day SharePoint security flaws that have already been exploited by hackers to attack vulnerable organizations. Responding to the exploits, the software giant has issued fixes for SharePoint Server Subscription Edition and SharePoint Server 2019 but is still working on a patch for SharePoint Server 2016.
Designated as CVE-2025-53771 and CVE-2025-53770, the two vulnerabilities apply only to on-premises versions of SharePoint, so organizations that run the cloud-based SharePoint Online are unaffected.
Also: How to upgrade an ‘incompatible’ Windows 10 PC to Windows 11 – 2 free options
Rated as important, CVE-2025-53771 is defined as a SharePoint Server spoofing vulnerability, which means that attackers are able to impersonate trusted and legitimate users or resources in a SharePoint environment. Rated as critical, CVE-2025-53770 is defined as a SharePoint Server remote code execution vulnerability. With this type of flaw, hackers can remotely run code in a SharePoint environment.
“CVE-2025-53770 gives a threat actor the ability to remotely execute code, bypassing identity protections (like single sign-on and multi-factor authentication), giving access to content on the SharePoint server including configurations and system files, opening up lateral access across the Windows domain,” Trey Ford, chief information security officer at crowdsourced cybersecurity provider Bugcrowd, told ZDNET.
Together, the two flaws give cybercriminals the ability to install malicious programs that can compromise a SharePoint environment. And that’s just what’s been happening.
Already, hackers have launched attacks against US federal and state agencies, universities, energy companies, and others, state officials and private researchers told The Washington Post. SharePoint servers have been breached within at least two US federal agencies, according to the researchers. One US state official said the attackers had “hijacked” a collection of documents designed to help people understand how their government works, the Post added.
Why did Microsoft allow these security flaws to get so out of hand? The company tried to fix both the server spoofing vulnerability and the remote code execution vulnerability with its July 8 Patch Tuesday updates via CVE-2025-49706, CVE-2025-49704, and CVE-2025-49701. But apparently, the fixes didn’t quite do the trick as savvy hackers were able to sneak their way around them.
Hopefully, this time the new patches will work. In an FAQ, Microsoft said about its cavalcade of CVEs, “Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.”
One question is why companies like Microsoft keep exposing their customers to these types of security flaws. One problem lies with the increasing complexity of all the different customer environments.
“Patches are rarely fully comprehensive, and the codebases are both complex, and implementations are highly varied,” Ford said. “This is why those test harnesses and regression testing processes are so complicated. In a perfect world, everyone would be running the latest version of code, fully patched. Obviously, this isn’t possible, so feature development must be tested across an exponentially more complicated surface area.”
Before Microsoft rolled out the new patches on Sunday, security firm Eye Security warned about the SharePoint flaws in a Saturday research post.
Also: Microsoft is saving millions with AI and laying off thousands – where do we go from here?
“On the evening of July 18, 2025, Eye Security was the first in identifying large-scale exploitation of a newSharePoint remote code execution (RCE)vulnerability chain in the wild,” the firm said. “Demonstrated just days ago on X, this exploit is being used to compromise on-premise SharePoint Servers across the world. Before this vulnerability was widely known last Friday, our team scanned 8000+ SharePoint serversworldwide. We discovered dozens of systems actively compromised during two waves of attack, on 18th of July around 18:00 UTC and 19th of July around 07:30 UTC.”
Referring to the security flaw as ToolShell, Eye Security explained how SharePoint environments can be compromised through the attacks.
Bypassing security protections, hackers can execute code remotely, thereby gaining access to SharePoint content, system files, and configurations. Attackers can also steal cryptographic keys, allowing them to impersonate users or services, even after the server is patched. Since SharePoint connects to other Microsoft services such as Outlook, Teams, and OneDrive, hackers can move laterally across a network to steal associated passwords and data.
Also: Can’t quit Windows 10? Here’s how to keep getting security updates after October 2025
For organizations that run SharePoint Server, Microsoft has outlined the steps to fix the flaws.
For Microsoft SharePoint Server Subscription Edition, head to this update page to download and install the patch. For Microsoft SharePoint Server 2019, browse to this update page to grab the patch.
To guard against future attacks, Microsoft also offers the following advice:
- Make sure you’re running supported versions of SharePoint Server.
- Apply the latest security patches, including those from the July Patch Tuesday updates.
- Make sure that the Windows Antimalware Scan Interface (AMSI) is enabled and set up properly with an antivirus product such as Defender Antivirus.
- Install security software such as Microsoft Defender for Endpoint.
- Rotate SharePoint Server ASP.NET machine keys.
For now, users of SharePoint 2016 are still vulnerable to the exploit. But Microsoft should provide a patch for this version before too long. Continue to check the company’s page on SharePoint customer guidance for details.
Ford offered further advice to organizations with SharePoint servers.
“When running your own services on prem, ask if they truly need to be internet exposed, or accessible to untrusted parties,” Ford said. “Lowering your attack surface is always wise — minimize the number of hosts and services you have available to public, untrusted users. Hardening, adding the recommended endpoint protections, such as Microsoft’s Antimalware Scan Interface and Defender for these highly integrated services is key.”
Get the morning’s top stories in your inbox each day with our Tech Today newsletter.
(Except for the headline, this story has not been edited by PostX News and is published from a syndicated feed.)
