{"id":5510,"date":"2025-07-21T10:06:09","date_gmt":"2025-07-21T10:06:09","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/07\/21\/microsoft-released-emergency-security-update-to-patch-critical-sharepoint-0-day-vulnerability\/"},"modified":"2025-07-21T10:06:09","modified_gmt":"2025-07-21T10:06:09","slug":"microsoft-released-emergency-security-update-to-patch-critical-sharepoint-0-day-vulnerability","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/07\/21\/microsoft-released-emergency-security-update-to-patch-critical-sharepoint-0-day-vulnerability\/","title":{"rendered":"Microsoft Released Emergency Security Update to Patch Critical SharePoint 0-Day Vulnerability"},"content":{"rendered":"

Microsoft Released Emergency Security Update to Patch Critical SharePoint 0-Day Vulnerability
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Microsoft has issued an urgent security advisory addressing critical zero-day vulnerabilities in on-premises SharePoint Server that attackers are actively exploiting<\/a>.\u00a0<\/p>\n

The vulnerabilities, assigned as CVE-2025-53770 and CVE-2025-53771, pose immediate risks to organizations running SharePoint infrastructure and require immediate remediation.<\/p>\n

Key Takeaways<\/strong>
1. Active zero-day attacks targeting on-premises SharePoint servers via CVE-2025-53770 and CVE-2025-53771.
2. Apply security updates immediately: KB5002768 (Subscription Edition) or KB5002754 (SharePoint 2019).
3. Microsoft Defender is deployed with threat detection and hunting capabilities.<\/pre>\n
Zero-Day Vulnerabilities Under Active Exploitation<\/strong><\/h2>\n
The security flaws specifically target on-premises SharePoint Server installations, while SharePoint Online in Microsoft 365<\/a> remains unaffected.\u00a0<\/p>\n
Microsoft\u2019s Security Response Center confirmed that threat actors are actively exploiting these vulnerabilities, which were only partially addressed in the initial July 2025 Security Update.\u00a0<\/p>\n
The vulnerabilities enable attackers to achieve remote code execution and potentially compromise entire SharePoint environments.<\/p>\n
Security researchers have identified that successful exploitation results in the creation of malicious files such as spinstall0.aspx, which serves as an indicator of compromise.\u00a0<\/p>\n
The attack vectors involve sophisticated techniques that bypass traditional security controls, making immediate patching critical for organizational security.<\/p>\n
\n\n\n\n\n
CVE<\/strong><\/td>\nTitle<\/strong><\/td>\nAffected Products<\/strong><\/td>\nSeverity<\/strong><\/td>\n<\/tr>\n
CVE-2025-53770<\/p>\n
CVE-2025-53771<\/td>\n
SharePoint Server Remote Code Execution Vulnerability<\/td>\nSharePoint Server 2016, 2019, Subscription Edition<\/td>\nCritical<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
Security Updates<\/strong><\/h2>\n
Microsoft has released<\/a> comprehensive security updates to address these vulnerabilities. For SharePoint Server Subscription Edition, organizations must apply security update KB5002768, while SharePoint Server 2019 requires KB5002754.\u00a0<\/p>\n
SharePoint 2016 updates are still in development, leaving these systems temporarily vulnerable.<\/p>\n
The company recommends implementing multiple defensive layers immediately. Organizations must enable the Antimalware Scan Interface (AMSI) in Full Mode, which provides critical protection against unauthenticated attacks.\u00a0<\/p>\n
Additionally, deploying Microsoft Defender Antivirus on all SharePoint servers creates an essential security barrier.<\/p>\n
A crucial post-patching step involves rotating SharePoint Server ASP.NET machine keys using either the Update-SPMachineKey PowerShell cmdlet or the Central Administration interface.\u00a0<\/p>\n
After key rotation, administrators must restart IIS using iisreset.exe on all SharePoint servers to complete the remediation process.<\/p>\n
Microsoft has deployed multiple detection mechanisms through its security ecosystem. Microsoft Defender<\/a> Antivirus now identifies threats under detection names Exploit:Script\/SuspSignoutReq.A and Trojan:Win32\/HijackSharePointServer.A.\u00a0<\/p>\n
These signatures provide real-time protection against known exploitation attempts.<\/p>\n
Microsoft Defender for Endpoint generates specific alerts, including \u201cPossible web shell installation,\u201d \u201cSuspicious IIS worker process behavior,\u201d and \u201cSuspSignoutReq malware was blocked on a SharePoint server\u201d.\u00a0<\/p>\n
Security teams can leverage advanced hunting queries to identify potential compromise indicators across their environment.<\/p>\n
Organizations can utilize Microsoft Defender Vulnerability Management to assess exposure levels by filtering for the specific CVE identifiers<\/a> in the Software vulnerabilities section.\u00a0<\/p>\n
The unified advanced hunting query DeviceTvmSoftwareVulnerabilities | where CveId in (\u201cCVE-2025-49706\u2033,\u201dCVE-2025-53770\u201d) enables comprehensive vulnerability tracking across enterprise environments.<\/p>\n
Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams ->\u00a0Try ANY.RUN Now<\/a>\u00a0<\/strong><\/p>\n
The post Microsoft Released Emergency Security Update to Patch Critical SharePoint 0-Day Vulnerability<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Guru Baran
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
Microsoft Released Emergency Security Update to Patch Critical SharePoint 0-Day Vulnerability Microsoft has issued an urgent security advisory addressing critical zero-day vulnerabilities in on-premises SharePoint Server that attackers are actively exploiting.\u00a0 The vulnerabilities, assigned as CVE-2025-53770 and CVE-2025-53771, pose immediate risks to organizations running SharePoint infrastructure and require immediate remediation. Key Takeaways1. Active zero-day attacks […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,158],"tags":[130],"class_list":["post-5510","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-microsoft","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5510"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5510"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5510\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}