
Hackers Capitalize on Major Microsoft Security Flaw on a Large Scale

Organizations across various sectors rely on self-hosted servers powered by Microsoft's SharePoint for file sharing, but a recently discovered vulnerability has put these servers at risk.

Cybercriminals are leveraging a significant weakness in Microsoft's security system on a large scale


In a recent development, Microsoft has disclosed a critical, actively exploited remote code execution (RCE) vulnerability (CVE-2025-53770, CVSS 9.8) in on-premises SharePoint Servers, which allows attackers to execute arbitrary code on affected systems, access sensitive data, and potentially pivot within networks [1][2]. Organisations using SharePoint servers must take immediate action to protect their environments.

The vulnerability has already been exploited by attackers, with reports of successful attacks on servers of two federal agencies in the US, according to the Washington Post [3]. Google's Mandiant security firm has advised companies to take immediate risk mitigation measures and assume a compromise, regardless of whether they've been affected or not [4]. The American IT security agency CISA has also urged affected government agencies and companies to act quickly [5].

To protect SharePoint environments, organisations should first apply the latest security updates. For SharePoint Server 2016, apply KB5002744 (build 16.0.5508.1000) [3][4]. For SharePoint Server 2019, apply KB5002741 (build 16.0.10417.20027) [3]. For SharePoint Subscription Edition, ensure the July 2025 update for CVE-2025-53771 is installed, as the vulnerability is partially addressed in the July 2025 Patch Tuesday updates [1][3]. Run only SharePoint Server 2016, 2019, or Subscription Edition, as unsupported versions receive no patches for current threats [3].

In addition to applying the latest updates, organisations should enable and configure the Antimalware Scan Interface (AMSI). AMSI integration has been enabled by default since September 2023 for SharePoint 2016/2019 and is included in SharePoint Subscription Edition 23H2 [3]. Confirm that AMSI is enabled and configured in Full Mode for maximum protection [3]. Deploy Microsoft Defender on all SharePoint servers: with AMSI enabled, Defender can block exploitation attempts by unauthenticated attackers [3].

If immediate patching is not possible, consider isolating your SharePoint servers from the internet to reduce the attack surface [1]. This is a temporary measure and not a substitute for patching.

Organisations should also monitor for indicators of compromise. Attackers drop a file named spinstall0.aspx to leak cryptographic secrets (the MachineKey configuration), which can enable further remote code execution [2]. Monitor for unexpected files or activity on your SharePoint servers, and conduct thorough audits of SharePoint file systems and configurations for signs of tampering or unauthorised files [2].
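As an added example (not code from the article, Eye Security or Microsoft), the following Python script applies the monitoring advice above: it parses IIS W3C log lines for requests to the spinstall0.aspx file the article names and lists .aspx files in a layouts directory that are absent from a known-good baseline. The log excerpt and directory listing are constructed, and the baseline is an assumed clean-server snapshot.

```python
"""Constructed detection example: flag requests to spinstall0.aspx in IIS W3C
logs and report .aspx files missing from a known-good baseline listing."""

# Only indicator named in the article; extend from your own IR findings.
INDICATOR_FILES = {"spinstall0.aspx"}

# Constructed IIS W3C log excerpt (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-20 01:02:03 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.21 200
2025-07-20 01:02:09 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 203.0.113.7 200
2025-07-20 01:02:10 10.0.0.5 GET /_layouts/16/SPINSTALL0.ASPX - 203.0.113.7 200
2025-07-20 01:03:00 10.0.0.5 GET /sites/hr/Shared%20Documents/plan.docx - 10.0.0.22 200
"""


def parse_w3c(text):
    """Parse an IIS W3C log into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the column order
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def flag_indicator_requests(rows, indicators=INDICATOR_FILES):
    """Return rows whose URI stem ends in an indicator file name (case-insensitive)."""
    wanted = {i.lower() for i in indicators}
    hits = []
    for r in rows:
        name = r.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        if name in wanted:
            hits.append(r)
    return hits


def unexpected_aspx(listing, baseline):
    """Return .aspx names in a directory listing that are absent from the baseline."""
    base = {b.lower() for b in baseline}
    return sorted(n for n in listing if n.lower().endswith(".aspx") and n.lower() not in base)


if __name__ == "__main__":
    for hit in flag_indicator_requests(parse_w3c(SAMPLE_LOG)):
        print("ALERT", hit["date"], hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"])
    # Constructed listing of a layouts directory versus an assumed clean baseline;
    # in practice feed os.listdir() of the server's LAYOUTS folder here.
    print(unexpected_aspx(["start.aspx", "spinstall0.aspx", "web.config"], ["start.aspx"]))
```

The log check is deliberately case-insensitive on the file name because IIS serves the same file regardless of case, so a lowercase-only match would miss a request such as the third sample line.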

Stay informed by subscribing to Microsoft's security advisories and guidance for the latest patches and mitigations [1]. If a breach is discovered, share information with relevant national CERTs and industry partners to help others respond [2].

In conclusion, immediate patching is the most effective defense, followed by enabling AMSI and antivirus protections. Regular monitoring for signs of compromise and isolation of unpatched systems from the internet are essential temporary measures. Ensure your SharePoint servers are always running supported, fully patched versions to minimise risk [1][3]. The potential consequences of a successful attack include data theft, password capture, and the theft of digital keys that give attackers future access to computer systems. A patch for the vulnerability is expected to be available soon, but companies must immediately take risk mitigation measures.

References:

[1] Microsoft Security Response Centre - Advisory: CVE-2025-53770
[2] Eye Security - SharePoint Server RCE Vulnerability (CVE-2025-53770)
[3] Microsoft Security Update Guide - July 2025
[4] Google Mandiant - SharePoint Vulnerability Exploited in the Wild
[5] CISA - Alert: Critical SharePoint Server Vulnerability (CVE-2025-53770)

  1. Given the ongoing threat posed by the actively exploited CVE-2025-53770 vulnerability in on-premises SharePoint Servers, it is crucial for organizations to apply the latest security updates to safeguard their cybersecurity, as advised by Google's Mandiant security firm and the American IT security agency CISA.
  2. Equipping SharePoint environments with Antimalware Scan Interface (AMSI) and Microsoft Defender can significantly enhance cybersecurity, as these tools can block exploitation attempts by unauthenticated attackers, as per the recommendations from Microsoft and cybersecurity experts.
