Customer guidance for SharePoint vulnerability CVE-2025-53770

Summary

Microsoft is aware of active attacks targeting on-premises SharePoint Server customers. The attacks are exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770.

SharePoint Online in Microsoft 365 is not impacted.

A patch is currently not available for this vulnerability. Mitigations and detections are provided below.

Our team is actively working to release a security update and will provide additional details as they are available.

How to protect your environment

To protect your on-premises SharePoint Server environment, we recommend customers configure AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers. This will stop unauthenticated attackers from exploiting this vulnerability.

AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. For more details on how to enable AMSI integration, see here.

If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until a security update is available.

We also recommend you deploy Defender for Endpoint to detect and block post-exploit activity.

We will continue to provide updates and additional guidance for our customers as they become available.

Microsoft Defender Detections and Protections****Microsoft Defender Antivirus

Microsoft Defender Antivirus provides detection and protection against components and behaviors related to this threat under the detection name:

• Exploit:Script/SuspSignoutReq.A

• Trojan:Win32/HijackSharePointServer.A

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint provides customers with alerts that may indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity. The following alert titles in the Microsoft Defender Security Center portal can indicate threat activity on your network:

• Possible web shell installation
• Possible exploitation of SharePoint server vulnerabilities
• Suspicious IIS worker process behavior
• ‘SuspSignoutReq’ malware was blocked on a SharePoint server
• HijackSharePointServer’ malware was blocked on a SharePoint server

**Advanced hunting **

NOTE: The following sample queries let you search for a week’s worth of events. To explore up to 30 days’ worth of raw data to inspect events in your network and locate potential related indicators for more than a week, go to the Advanced Hunting page > Query tab, select the calendar dropdown menu to update your query to hunt for the Last 30 days.

To locate possible exploitation activity, run the following queries in Microsoft 365 security center.

Successful exploitation via file creation (requires Microsoft 365 Defender)

Look for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770. Run query in the Microsoft 365 Defender

DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx"
or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc