Cyber Web Spider Blog – News

CISA Warns of Microsoft SharePoint Server 0-Day RCE Vulnerability Exploited in Wild

Posted on July 21, 2025 By CWS

CISA has issued an urgent warning about a critical zero-day remote code execution vulnerability affecting Microsoft SharePoint Server on-premises installations that threat actors are actively exploiting in the wild.

The vulnerability, tracked as CVE-2025-53770, poses a significant security risk to organizations running SharePoint infrastructure and has prompted immediate action requirements from federal agencies, as well as recommendations for all affected organizations.

Key Takeaways

1. CVE-2025-53770 enables remote code execution on SharePoint servers and is actively exploited in the wild.
2. CISA requires remediation by July 21, 2025.
3. Enable AMSI/Defender AV on SharePoint servers or disconnect public-facing systems.

Microsoft SharePoint Server 0-Day Vulnerability

The newly discovered vulnerability, CVE-2025-53770, stems from a deserialization of untrusted data flaw within Microsoft SharePoint Server on-premises environments.

This critical security weakness is classified under Common Weakness Enumeration CWE-502, which specifically addresses the dangerous practice of deserializing untrusted data without proper validation.

The vulnerability allows unauthorized attackers to execute arbitrary code remotely over a network connection, making it particularly dangerous for organizations with internet-facing SharePoint deployments.

Microsoft SharePoint Server's deserialization vulnerability represents a fundamental security flaw where the application improperly handles serialized data objects, potentially allowing malicious actors to craft special payloads that trigger code execution when processed by the vulnerable system.

This type of vulnerability is especially concerning because it can be exploited remotely without requiring authentication, depending on the specific configuration and exposure of the SharePoint server.
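The CWE-502 weakness class described above, shown as an added example in Python (not SharePoint's .NET code and not the CVE-2025-53770 flaw itself): a serialized stream can name what the loader resolves and calls, and a type allow-list refuses anything the application does not expect. The `Gadget` class, the `ALLOWED` set and the use of `len()` as a harmless stand-in are assumptions made for this illustration.

```python
import io
import pickle
from datetime import date

# Only these (module, name) pairs may be resolved while loading.
# Assumption for this example: the application expects dates only.
ALLOWED = {("datetime", "date")}


class Gadget:
    """Constructed sample: its serialized form names a callable for the
    loader to invoke. len() is a harmless stand-in for attacker code."""

    def __reduce__(self):
        return (len, ("chosen-by-sender",))


class AllowListUnpickler(pickle.Unpickler):
    """Resolve a type only if the application expects it."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED:
            raise pickle.UnpicklingError(f"blocked {module}.{name}")
        return super().find_class(module, name)


def load_unsafe(blob: bytes):
    # CWE-502: the byte stream, not the application, decides what is called.
    return pickle.loads(blob)


def load_restricted(blob: bytes):
    return AllowListUnpickler(io.BytesIO(blob)).load()


def demo():
    hostile = pickle.dumps(Gadget())            # constructed untrusted input
    expected = pickle.dumps(date(2025, 7, 21))  # constructed legitimate input
    unsafe_result = load_unsafe(hostile)        # len() ran inside the loader
    try:
        load_restricted(hostile)
        blocked = None
    except pickle.UnpicklingError as exc:
        blocked = str(exc)
    return unsafe_result, blocked, load_restricted(expected)


if __name__ == "__main__":
    print(demo())
```

The unrestricted loader returns the result of a function call chosen by the stream rather than a data object, while the allow-listed loader rejects the same bytes and still accepts the expected type.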

CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on July 20, 2025, with an extremely tight remediation deadline of July 21, 2025, indicating the severity and active exploitation of this vulnerability.

While it remains unknown whether this vulnerability is being leveraged in ransomware campaigns, the rapid timeline for remediation suggests that CISA has observed credible threat activity targeting this specific flaw.

The zero-day nature of this vulnerability means that attackers had access to exploit this flaw before security patches or comprehensive mitigations were available, giving malicious actors a significant advantage.

Organizations with public-facing SharePoint servers are at the highest risk, as these systems can be directly targeted from the internet without requiring initial network compromise.

| Risk Factors | Details |
|---|---|
| Affected Products | Microsoft SharePoint Server Subscription Edition (on-premises); Microsoft SharePoint Server 2019 (on-premises); Microsoft SharePoint Server 2016 (on-premises) |
| Impact | Remote Code Execution |
| Exploit Prerequisites | Network reachability to a vulnerable SharePoint endpoint; no valid user credentials are required |
| CVSS 3.1 Score | 9.8 (Critical) |

In response to the active exploitation, CISA has issued specific mitigation guidance requiring organizations to configure Anti-Malware Scan Interface (AMSI) integration within SharePoint environments and deploy Microsoft Defender Antivirus on all SharePoint servers.

For organizations unable to implement AMSI integration, CISA recommends the more drastic measure of immediately disconnecting affected public-facing SharePoint products from internet access until official mitigations become available.

Federal agencies must comply with Binding Operational Directive BOD 22-01 guidance for cloud services, while organizations unable to implement adequate mitigations should consider discontinuing use of the affected products until comprehensive security updates are released.
