What is the threat?
Earlier this week Microsoft released a customer guidance blog advising customers of vulnerabilities in SharePoint that are under active exploitation by threat actors. These vulnerabilities, CVE-2025-53770 and CVE-2025-53771, affect on-premises installations of Microsoft SharePoint. SharePoint is a document sharing and collaboration platform used by governments and organizations of all sizes for file sharing and document collaboration.
Does this impact your organization?
These vulnerabilities only affect on-premises installations of SharePoint. SharePoint Online (provided through Microsoft 365) is unaffected. Microsoft has observed nation-state threat actors actively exploiting these vulnerabilities to gain access to Internet-facing SharePoint servers.
If your organization has local installations of SharePoint, whether they are accessible externally or not, you should get the latest patches installed as soon as possible.
What steps should you take to stay secure?
If you have a locally installed SharePoint server, take the following steps to protect your organization:
- Download and install the latest patches for your edition of SharePoint:
  - Microsoft SharePoint Server Subscription Edition
  - Microsoft SharePoint Server 2019 (install both listed updates)
  - Microsoft SharePoint Server 2016 (install both listed updates)
- Enable Antimalware Scan Interface (AMSI) on SharePoint servers
- Ensure endpoint protection software, such as Defender, is installed on SharePoint servers
- Rotate SharePoint Server ASP.NET machine keys
  - See the PowerShell script here: https://learn.microsoft.com/sharepoint/security-for-sharepoint-server/improved-asp-net-view-state-security-key-management
- Restart IIS on all SharePoint servers
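The key-rotation and IIS-restart steps above, carried out from the SharePoint Management Shell as one script. This is an added example, not a script from Raxis or from Microsoft's guidance; it assumes the Microsoft.SharePoint.PowerShell snap-in is available, that the Update-SPMachineKey cmdlet accepts a web application as documented on the Microsoft key-management page linked above, and the MinimumPatchedBuild value is a placeholder you replace with the patched build number for your edition.

```powershell
# Added example: verify farm build, rotate ASP.NET machine keys, restart IIS.
# Run on a SharePoint server as a farm administrator, then repeat the IIS
# restart on every other server in the farm.
#Requires -RunAsAdministrator
param(
    # PLACEHOLDER: replace with the patched farm build for your edition,
    # taken from the Microsoft advisory. '0.0.0.0' disables the check.
    [version]$MinimumPatchedBuild = '0.0.0.0',
    # Restart IIS on this host after rotation (otherwise just prints a reminder).
    [switch]$RestartIis
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# 1. Report the farm build so the July 2025 updates can be confirmed before
#    rotating keys. Rotating keys on an unpatched farm buys little.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"
if ($farm.BuildVersion -lt $MinimumPatchedBuild) {
    Write-Warning "Farm build is below $MinimumPatchedBuild; install the patches first."
}

# 2. Rotate the ASP.NET machine keys on every web application, including
#    Central Administration. Any ViewState signed with the old keys becomes invalid.
$apps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($app in $apps) {
    Write-Host "Rotating machine keys for $($app.DisplayName) ($($app.Url))"
    # Assumption: cmdlet and -WebApplication parameter as on the linked Microsoft page.
    Update-SPMachineKey -WebApplication $app
}

# 3. Restart IIS so worker processes pick up the new keys.
if ($RestartIis) {
    & iisreset.exe
} else {
    Write-Host "Now run iisreset.exe (or re-run with -RestartIis) on every SharePoint server."
}
```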
How do you stay vigilant in the future?
Modern IT infrastructure is complex, and it is inevitable that bugs and vulnerabilities will be discovered in software over time. At Raxis, we recommend that organizations implement effective patching procedures so that software is kept consistently up to date. In addition to staying updated, embracing a layered security approach involving endpoint protection, strong passwords, multi-factor authentication, and the principle of least privilege will go a long way in bridging the gap between the discovery of an exploit and the vendor providing security updates.
How do you know if your processes are working? Performing regular penetration testing of your IT assets can help you understand where gaps in your patching and risk management processes lie.
References
- Original Guidance Blog from Microsoft: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- Microsoft’s Threat & Exploitation Blog: https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- NIST’s Enterprise Patch Management Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf