Navigating the Threat of the New Zero-Day Vulnerability in Microsoft SharePoint: Expert Insights and Recommendations

It all began on July 18, when researchers at Eye Security reported widespread exploitation of a remote code execution vulnerability in Microsoft SharePoint Server, CVE-2025-53770 (CVSS score 9.8), chained with a second vulnerability, CVE-2025-53771, a spoofing flaw.

SharePoint is Microsoft's web application for building corporate intranet portals, managing documents and supporting collaboration. The flaw lies in the deserialization of untrusted data and lets an attacker execute arbitrary code remotely without any prior authentication. After successful exploitation the attacker gains a foothold on the SharePoint server, can read confidential information, and can use that access to compromise the rest of the company's infrastructure.

Microsoft has confirmed that attacks exploiting the new vulnerability are already underway. They affect on-premises SharePoint Server installations; the cloud service (SharePoint Online in Microsoft 365) is not affected. At the time of writing, more than 85 SharePoint servers in various countries had already been compromised, belonging to 29 organizations, including multinational corporations and government agencies.

🇷🇺 **Is the Russian segment safe?**

No. One in ten large companies in Russia is at risk. Moreover, SharePoint servers are sometimes exposed directly to the internet, contrary to common security recommendations. SKIPA, the attack surface monitoring and notification system by CyberOK, tracks approximately 1800 SharePoint instances in the Russian segment of the internet, and more than 20% of them may be vulnerable to attacks using CVE-2025-53770.

🛡 **How can businesses protect themselves?**

Firstly, Microsoft is already working on the problem. While a complete fix is not yet available, on July 19 the company released updates for SharePoint Server 2016, SharePoint Server 2019 and SharePoint Subscription Edition. The vendor also recommends configuring Antimalware Scan Interface (AMSI) integration in SharePoint.

Secondly, our experts have compiled their own recommendations (and even a virtual patch) to help you. Here is what you should do to protect yourself from attackers:

1. Update Microsoft SharePoint to the latest version.
2. Apply Microsoft’s guidelines for addressing the vulnerability.
3. Isolate the server and refrain from exposing the corporate portal to the global internet.
4. Enable Microsoft Defender and AMSI integration to block malicious web requests from reaching SharePoint endpoints.
5. Monitor log files for suspicious requests.
6. Utilize solutions from Positive Technologies.
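Recommendation 5 is the one that is easiest to act on today, so here is a worked example of it. This is an added example, not code from the original article or from Positive Technologies. It parses IIS W3C logs from a SharePoint front end and flags the two request patterns that Microsoft and Eye Security published for this attack chain: an unauthenticated POST to `/_layouts/15/ToolPane.aspx` with `DisplayMode=Edit` and a Referer of `/_layouts/SignOut.aspx`, and any request for the web shell name `spinstall0.aspx` that the attackers dropped into the LAYOUTS directory. The log lines in `SAMPLE_LOG`, the host name `sp.corp.example` and the client addresses are constructed test data, and the indicator list is the published one rather than an exhaustive signature set.

```python
"""Flag known CVE-2025-53770 ("ToolShell") exploitation patterns in IIS W3C logs.

Added example; not part of the original article or of Positive Technologies' products.
The indicators are the ones published by Microsoft and Eye Security for this attack
chain. SAMPLE_LOG is constructed test data, not a real capture.
"""
from urllib.parse import parse_qs

# Published indicators for the attack chain (assumption: not an exhaustive list).
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
WEBSHELL_NAME = "spinstall0.aspx"

# Constructed IIS log excerpt. Line 2 and 3 mimic the published attack pattern;
# line 4 is a legitimate, authenticated GET that must NOT be flagged.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 08:14:02 10.0.0.5 GET /SitePages/Home.aspx - 443 CORP\jdoe 10.0.0.21 Mozilla/5.0 - 200 0 0 45
2025-07-19 08:15:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.corp.example/_layouts/SignOut.aspx 200 0 0 312
2025-07-19 08:15:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 18
2025-07-19 08:20:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\admin 10.0.0.30 Mozilla/5.0 https://sp.corp.example/SitePages/Home.aspx 200 0 0 60
"""


def parse_w3c(text):
    """Yield one dict per log line, keyed by the column names from the '#Fields:' header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data appears before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return the list of reasons a single request matches the published indicators."""
    reasons = []
    method = entry.get("cs-method", "").upper()
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "-")
    referer = entry.get("cs(Referer)", "-").lower()

    # IIS writes '-' for an empty query string; parse the rest case-insensitively.
    params = parse_qs(query if query != "-" else "")
    display_mode = [v.lower() for k, vs in params.items()
                    if k.lower() == "displaymode" for v in vs]

    # Pattern 1: POST to ToolPane.aspx in edit mode, with the SignOut referer that
    # the exploit uses to slip past authentication.
    if method == "POST" and stem.endswith(TOOLPANE_PATH) and "edit" in display_mode:
        reasons.append("POST to ToolPane.aspx with DisplayMode=Edit")
        if SIGNOUT_REFERER in referer:
            reasons.append("Referer is SignOut.aspx (authentication bypass pattern)")

    # Pattern 2: anyone touching the dropped web shell by its published file name.
    if stem.endswith("/" + WEBSHELL_NAME):
        reasons.append("request for the known web shell file spinstall0.aspx")
    return reasons


def scan(text):
    """Scan a whole log and return (client ip, uri stem, reasons) for each suspicious request."""
    hits = []
    for entry in parse_w3c(text):
        reasons = classify(entry)
        if reasons:
            hits.append((entry.get("c-ip", "-"), entry.get("cs-uri-stem", "-"), reasons))
    return hits


if __name__ == "__main__":
    for ip, stem, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {stem}: " + "; ".join(reasons))
```

Run it against your own logs by replacing `SAMPLE_LOG` with the contents of the `u_ex*.log` files from the SharePoint web front ends. A clean scan is not proof that the server is clean: the attackers also steal the ASP.NET machine keys, so Microsoft's guidance is to rotate those keys after patching, since a stolen key lets an attacker keep forging signed ViewState even on an updated server.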

For example, MaxPatrol VM flagged this trending vulnerability within 12 hours of its disclosure and can now detect it across an organization's infrastructure. MaxPatrol EDR reduces the risk of exploitation on endpoint devices.

PT NAD identifies attempts to exploit this vulnerability, and PT NGFW can block them. In addition, MaxPatrol SIEM and the MaxPatrol BAD ML module detect anomalous post-exploitation activity in the infrastructure, including activity originating from a compromised SharePoint server.

Furthermore, the PT Application Firewall team has already developed a virtual patch for the CVE-2025-53770 vulnerability. To obtain it, you may contact technical support.