New Delhi: Microsoft has released urgent security fixes for a critical remote code execution (RCE) vulnerability in on-premises SharePoint Server that is already being exploited in the wild. Tracked as CVE-2025-53770 with a severity score of 9.8, it allows attackers to execute arbitrary code on affected servers through the deserialisation of untrusted data.
The company noted that various institutions have already been targeted, including banks, universities and government organisations. Exploitation appears to have begun on July 18. Microsoft cautions that on-premises SharePoint users are currently at risk and should install the security updates, update their ASP.NET machine keys, and restart the IIS services to remain safe.
Second SharePoint flaw revealed
Microsoft also identified a second vulnerability, CVE-2025-53771 (CVSS 6.3), characterised as a spoofing vulnerability caused by a failure to validate the path. Both CVE-2025-53770 and CVE-2025-53771 are connected to earlier bugs (CVE-2025-49704 and CVE-2025-49706) that were already used in a chain named ToolShell. According to Microsoft, the new patches are more protective than the previous ones.
Only on-premises SharePoint servers are affected; SharePoint Online in Microsoft 365 is not. The fixes apply to supported versions, such as SharePoint Server 2016, 2019, and the Subscription Edition. After updating, Microsoft recommends enabling AMSI (Antimalware Scan Interface) in Full Mode, installing antivirus software such as Defender, and rotating cryptographic keys.
CISA adds to KEV catalogue
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalogue, and federal agencies are required to patch by July 21. According to Palo Alto Networks Unit 42, cybercriminals are bypassing MFA and SSO to gain privileged access, going after data and establishing persistence in the network.
Experts warn of broader compromise risks
Security experts say that patching might not suffice. Organisations have to assume compromise if their SharePoint servers are internet-facing. Unit 42 CTO Michael Sikorski described unplugging SharePoint from the internet as the first action to take and the safest short-term step. Since SharePoint is highly integrated with the rest of Office and other Microsoft services, a breach may result in the compromise of the entire network.