Microsoft Confirms Hackers Exploiting SharePoint Flaws, Patch Now
Microsoft has released new security updates to fix two serious vulnerabilities affecting on-premises SharePoint servers, warning that attackers are already exploiting them in active campaigns.
The vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, are not present in SharePoint Online, but on-premises environments using SharePoint 2019 and the SharePoint Subscription Edition are directly at risk.
According to Microsoft’s updated guidance, fixes for SharePoint 2019 and Subscription Edition are now available and fully address both vulnerabilities. However, SharePoint 2016 customers are still waiting, as Microsoft says updates for that version are still in development. In the meantime, the company recommends that affected users apply existing patches, enable key protections, and prepare for additional updates.
The two vulnerabilities are dangerous because they allow attackers to execute code and plant web shells on vulnerable servers. Microsoft says these attacks have already been seen in the wild, and one clear sign of compromise is the presence of a suspicious file called spinstall0.aspx. Security analysts recommend checking SharePoint server directories for this file, as it often signals post-exploitation activity.
While fixes are available for some versions, Microsoft emphasises that patching alone is not enough. Customers should also rotate machine keys and restart IIS to fully fix the issue. These steps are particularly important for those running SharePoint Server 2019 and Subscription Edition, where patches are available today.
Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770, and CVE-2025-53771. These vulnerabilities apply to on-premises SharePoint Servers only. Customers should apply…
— Security Response (@msftsecresponse) July 21, 2025
To protect your system from exploitation, Microsoft is urging organisations to take a layered approach: update immediately, enable the Antimalware Scan Interface (AMSI), rotate machine keys, and deploy endpoint protection.
Microsoft Defender Antivirus and Defender for Endpoint are equipped to detect known behaviour tied to this threat, including specific malware signatures like HijackSharePointServer.A and SuspSignoutReq.A.
The company also recommends deploying Microsoft Defender for Endpoint or a similar threat detection tool, as it provides alerts that could flag exploitation attempts. These might show up in logs as unusual activity in w3wp.exe processes or encoded PowerShell commands tied to web shell deployment.
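The checks described above (the spinstall0.aspx indicator, endpoint protection status and the two named Defender detections, unusual child processes of w3wp.exe including encoded PowerShell, and the machine key rotation plus IIS restart) collected into one triage script for an on-premises server. This is an added example, not Microsoft's or the article's code. It assumes the default SharePoint 16-hive install path, that the Defender PowerShell cmdlets (Get-MpComputerStatus, Get-MpThreat) are present, and that the SharePoint Management Shell's Update-SPMachineKey cmdlet is available for the optional -RotateKeys step; run it in an elevated PowerShell on the SharePoint server itself.

```powershell
#Requires -RunAsAdministrator
# Added triage script for the CVE-2025-53770 / CVE-2025-53771 guidance above.
# Assumptions (not from the article): default 16-hive path, Defender cmdlets present,
# Update-SPMachineKey available when -RotateKeys is used.
param([switch]$RotateKeys)

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Indicator named in the article: spinstall0.aspx dropped under the SharePoint hive.
#    The default 16-hive root is an assumption; the recursive search also covers other subfolders.
$HiveRoot   = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16'
$LayoutsDir = Join-Path $HiveRoot 'TEMPLATE\LAYOUTS'
if (Test-Path $HiveRoot) {
    Get-ChildItem -Path $HiveRoot -Filter 'spinstall0*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Findings.Add("Possible web shell: $($_.FullName) (written $($_.LastWriteTimeUtc) UTC) - isolate the host and preserve the file for IR")
        }
}

# 2. Any .aspx in LAYOUTS changed in the last 7 days. Patch installation also touches this
#    folder, so review hits against the patch date rather than treating each one as a shell.
if (Test-Path $LayoutsDir) {
    Get-ChildItem -Path $LayoutsDir -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTimeUtc -gt (Get-Date).ToUniversalTime().AddDays(-7) } |
        ForEach-Object { $Findings.Add("Recently modified LAYOUTS page: $($_.FullName) ($($_.LastWriteTimeUtc) UTC)") }
}

# 3. Endpoint protection status and the two detection names quoted in the article.
$Mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $Mp) {
    $Findings.Add('Defender status unavailable - confirm endpoint protection is installed and running')
} elseif (-not ($Mp.AntivirusEnabled -and $Mp.RealTimeProtectionEnabled)) {
    $Findings.Add('Defender antivirus or real-time protection is disabled')
}
Get-MpThreat -ErrorAction SilentlyContinue |
    Where-Object { $_.ThreatName -match 'HijackSharePointServer|SuspSignoutReq' } |
    ForEach-Object { $Findings.Add("Defender detection tied to this campaign: $($_.ThreatName)") }

# 4. Processes spawned by the IIS worker process. csc.exe/cvtres.exe (ASP.NET compilation)
#    are expected children; cmd.exe or powershell.exe, especially with an encoded command, are not.
$Procs   = Get-CimInstance Win32_Process
$W3wpIds = @($Procs | Where-Object { $_.Name -eq 'w3wp.exe' } | ForEach-Object { $_.ProcessId })
foreach ($p in $Procs) {
    if ($p.Name -ne 'w3wp.exe' -and $W3wpIds -contains $p.ParentProcessId) {
        $cmd = [string]$p.CommandLine
        # -e, -enc and -EncodedCommand followed by a long base64 run
        $isEncoded = $cmd -match '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
        $tag = if ($isEncoded) { 'ENCODED POWERSHELL child of w3wp.exe' } else { 'Child process of w3wp.exe' }
        $Findings.Add("${tag}: $($p.Name) (PID $($p.ProcessId)) $cmd")
    }
}

# 5. Optional remediation step from the article: rotate ASP.NET machine keys, then restart IIS.
#    Update-SPMachineKey is assumed to be present (SharePoint Management Shell); iisreset loads the new keys.
if ($RotateKeys) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    Get-SPWebApplication | ForEach-Object { Update-SPMachineKey -WebApplication $_ }
    iisreset.exe
}

if ($Findings.Count -eq 0) {
    Write-Host 'No indicators from this check set were found. Patching status is not assessed here.'
} else {
    $Findings | ForEach-Object { Write-Warning $_ }
}
```

Run it first without -RotateKeys to collect findings; a clean run says nothing about patch level, so confirm the security update is installed separately. The key rotation is deliberately opt-in because it invalidates existing ASP.NET view state and forms tokens across the farm and should be done on every server behind a load balancer, not just the one being triaged.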
While Microsoft continues to support SharePoint 2016 and 2019, older editions such as SharePoint 2010 and 2013 are no longer eligible for security updates, so any server still running them stays exposed. If you are still using an older or unsupported version of SharePoint, upgrade to a supported one.