Unpatched SharePoint Vulnerability Compromises Over 75 Servers Globally

By Tina Reynolds

A critical zero-day vulnerability, tracked as CVE-2025-53770, has been announced for on-premises Microsoft SharePoint Server installations. The flaw carries a Common Vulnerability Scoring System (CVSS) score of 9.8. It is already under active exploitation and has compromised more than 85 servers across 29 organizations, including multinational corporations and government operations. Microsoft has reassured customers that SharePoint Online, delivered as part of Microsoft 365, is not affected by this vulnerability.

The vulnerability, CVE-2025-53770, is a variant of an earlier reported issue, CVE-2025-49704, which has a CVSS score of 8.8. That earlier flaw is a code injection and remote code execution vulnerability in Microsoft SharePoint Server, and Microsoft fixed it in its July 2025 Patch Tuesday release. Today, we learned of a new zero-day flaw. It enables remote, unauthenticated attackers to execute arbitrary code over the network by having the on-premises version of Microsoft SharePoint Server deserialize malicious data.

Microsoft has recently stated that the Antimalware Scan Interface (AMSI) integration is enabled by default. This integration shipped with the September 2023 security update for SharePoint Server 2016 and 2019, and with the Version 23H2 feature update for SharePoint Server Subscription Edition. Having it enabled is likely to strengthen protection against attacks of this kind.

“With these keys available, attackers can produce spoofed __VIEWSTATE payloads. SharePoint will consider these payloads as valid, and execution of remote code will go through without a problem,” said Benjamin Harris, Co-Founder and CEO of watchTowr. This makes remediation far less effective: most standard patches would not automatically rotate the stolen cryptographic secrets, so organizations remain at risk even after they patch.
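To show why the warning above makes key rotation, not patching alone, the decisive step, here is an added illustrative model that is not code from the article, from Microsoft or from watchTowr. It is a deliberately simplified stand-in for ASP.NET's __VIEWSTATE MAC check (the real pipeline derives purpose-specific subkeys from the machineKey); the key values and state bytes are constructed.

```python
import base64
import binascii
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size


def mac_viewstate(validation_key: bytes, state: bytes) -> bytes:
    """Return base64(state || HMAC-SHA256(validation_key, state)).

    Simplified model of the __VIEWSTATE MAC, not ASP.NET's real derivation.
    """
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag)


def verify_viewstate(validation_key: bytes, field: bytes):
    """Return the protected state if the MAC verifies, otherwise None.

    Anything rejected here must never reach the deserializer: the MAC is
    the only gate between an untrusted form field and object graphs.
    """
    try:
        raw = base64.b64decode(field, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= TAG_LEN:  # no room for both state and tag
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


def key_rotation_demo() -> dict:
    """Walk through the scenario in the article using constructed keys."""
    current_key = hashlib.sha256(b"constructed-machinekey-v1").digest()
    legit = mac_viewstate(current_key, b"page-state:ok")
    # A field MACed with a leaked copy of the same key is indistinguishable
    # from one the server produced itself: the MAC is symmetric.
    from_leaked_key = mac_viewstate(current_key, b"constructed-foreign-bytes")
    before = {
        "legit_accepted": verify_viewstate(current_key, legit) is not None,
        "leaked_key_payload_accepted": verify_viewstate(current_key, from_leaked_key) is not None,
    }
    # Remediation: rotate the machineKey. Installing the patch alone leaves
    # current_key valid, so the leaked copy keeps working until this happens.
    rotated_key = hashlib.sha256(b"constructed-machinekey-v2").digest()
    after = {
        "leaked_key_payload_accepted": verify_viewstate(rotated_key, from_leaked_key) is not None,
        # Caveat for operators: state issued under the old key is rejected too,
        # so users with open pages see MAC validation errors after rotation.
        "old_legit_state_accepted": verify_viewstate(rotated_key, legit) is not None,
    }
    return {"before_rotation": before, "after_rotation": after}
```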

Piet Kerkhofs, CTO at Dutch cybersecurity company Eye Security, who performed the research, was clear about the continued risk that this exploitation presents. “We are still identifying mass exploit waves,” he stated. He further warned, “This will have a huge impact as adversaries are laterally moving using this remote code execution with speed.”

Chris Butera from the Cybersecurity and Infrastructure Security Agency (CISA) noted the collaboration between agencies and technology providers in response to this threat. “CISA was made aware of the exploitation by a trusted partner, and we reached out to Microsoft immediately to take action,” he stated. “This is an important example of operational collaboration in action for homeland and national security.”

Microsoft has already released a full update for CVE-2025-53770 to address the issue. However, organizations running on-premises SharePoint Server must remain vigilant and take immediate steps to secure their systems against exploitation.