Unpatched on-premises SharePoint servers currently under zero-day attack despite Microsoft's patches.
A critical zero-day vulnerability, CVE-2025-53770, has been identified in Microsoft SharePoint Server, posing a significant threat to organisations worldwide. With a CVSS score of 9.8, this vulnerability allows unauthorised attackers to execute remote code over a network, bypassing security measures and potentially installing webshells or exfiltrating cryptographic secrets for persistent access [1][2][3].
Microsoft has released updates to address this vulnerability for SharePoint Server Subscription Edition and SharePoint Server 2019. These updates offer more robust protections than the earlier patches for related vulnerabilities [3]. However, it is worth noting that, at the time of writing, a patch for SharePoint Enterprise Server 2016 has yet to be issued.
The vulnerability is currently being actively exploited in targeted attacks, affecting U.S. federal and state agencies, energy companies, universities, and an Asian telco [3]. Threat actors are leveraging the flaw to gain unauthorised access and persist within networks [2][4].
To mitigate the risk, administrators are advised to take immediate action:
1. **Implement Permanent Fixes**: Apply the latest security updates released by Microsoft for SharePoint Server Subscription Edition and SharePoint Server 2019 [3].
2. **Interim Mitigations**: Consider moving to SharePoint Online if possible, as it is not affected by the vulnerability. Conduct thorough threat hunting to detect and respond to potential compromises. Implement additional security measures such as network segmentation and enhanced monitoring of SharePoint servers [2].
3. **U.S. Federal Agencies**: Identify affected systems and apply mitigations by the deadlines set by the Cybersecurity and Infrastructure Security Agency (CISA), as the vulnerability has been added to the Known Exploited Vulnerabilities catalog [3].
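The threat-hunting step above is the one administrators most often ask how to start. The following PowerShell script is an added example, not code from the article or from Microsoft: it records the farm's build number for comparison with Microsoft's published patched builds, then lists and hashes recently created or modified server-side files under the SharePoint LAYOUTS directories, which is where a dropped webshell would have to live to be served by IIS. The hive paths, the 14-day window, the extension list and the report location are assumptions; run it from an elevated PowerShell session on each on-premises SharePoint server.

```powershell
# Added example (not from the original article or from Microsoft): first-pass
# hunt for dropped server-side pages on an on-premises SharePoint server.
# Assumptions: default 15/16 hive install paths, run as an administrator on the
# SharePoint server itself; the lookback window and report path are parameters.

param(
    [int]$LookbackDays = 14,
    [string]$ReportPath = "$env:TEMP\sharepoint-hunt.csv"
)

# Load the SharePoint cmdlets if the script is not run from the Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Farm build number: compare it against the patched build Microsoft lists for
# your edition (Subscription Edition / 2019 / 2016) before trusting any result below.
if (Get-Command Get-SPFarm -ErrorAction SilentlyContinue) {
    Write-Host ("Farm build version: {0}" -f (Get-SPFarm).BuildVersion)
} else {
    Write-Warning "SharePoint cmdlets unavailable; skipping build-version check."
}

# Web-accessible directories served by IIS; a page dropped here executes server-side.
$hivePaths = @(
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
) | Where-Object { Test-Path $_ }

$cutoff = (Get-Date).AddDays(-$LookbackDays)

# Extensions that ASP.NET/IIS will execute rather than serve as static content.
$scriptExtensions = @('.aspx', '.ashx', '.asmx', '.ascx', '.svc', '.dll')

$findings = foreach ($root in $hivePaths) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            $scriptExtensions -contains $_.Extension.ToLower() -and
            ($_.LastWriteTime -ge $cutoff -or $_.CreationTime -ge $cutoff)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                SizeBytes = $_.Length
                # SHA-256 lets the file be matched against vendor-published indicators.
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Owner     = (Get-Acl -Path $_.FullName).Owner
            }
        }
}

# Newest first; persist the report so results can be compared across servers.
$sorted = @($findings | Sort-Object LastWrite -Descending)
$sorted | Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} recently changed server-side file(s) under LAYOUTS; report written to {1}" -f $sorted.Count, $ReportPath)
$sorted | Format-Table Path, LastWrite, Sha256 -AutoSize
```

Two caveats when reading the output. Installing the security update itself rewrites files under LAYOUTS, so correlate every hit with the patch installation time and with your configuration-management baseline rather than treating each new file as hostile. And a clean file listing does not prove the server was not reached: the article notes that attackers have used this flaw to take cryptographic secrets for persistent access, so the hunt should also cover IIS request logs and, where Microsoft's guidance calls for it, key rotation after patching.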
Microsoft has provided guidance and mitigation steps, including detection tools and security best practices, to help administrators protect their environments while awaiting comprehensive updates [1][4]. The company has also announced changes to its support for US Government customers to ensure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services [5].
Meanwhile, Ring, a home security company, has announced plans to introduce a new feature that would allow police to request live-stream access to people's home security devices. The Electronic Frontier Foundation (EFF) has warned that this move could potentially allow law enforcement agencies to access Ring devices [6]. Ring has also reversed its 2024 promise to discontinue an option that allowed law enforcement agencies to request video footage without a warrant [7].
In a separate development, the Chinese government has been reported to be installing malware on smartphones owned by some visitors to the country, allowing them to monitor GPS location data, SMS messages, images, audio, contacts, and phone services [8].
Sources:

[1] Microsoft Security Response Centre Blog (2025). SharePoint Server Critical Remote Code Execution Vulnerability (CVE-2025-53770)
[2] ZDNet (2025). Microsoft patches critical zero-day in SharePoint Server, warns of ongoing attacks
[3] The Hacker News (2025). Critical Zero-Day Vulnerability in Microsoft SharePoint Server Under Active Attack
[4] The Record by Recorded Future (2025). Microsoft patches critical zero-day SharePoint flaw under active attack
[5] The Hill (2025). Microsoft to stop using Chinese engineers on US DoD systems
[6] ProPublica (2025). Microsoft's Ring Will Let Police Request Live Video From Your Home Security Cameras
[7] The Verge (2025). Ring is reversing course on its promise to end police access to its video footage
[8] The Guardian (2025). China accused of installing spyware on phones of foreign visitors
- This critical zero-day vulnerability, CVE-2025-53770, identified in Microsoft SharePoint Server, has a CVSS score of 9.8, allowing unauthorized attackers to execute remote code over a network.
- Microsoft has released updates to address this vulnerability for SharePoint Server Subscription Edition and SharePoint Server 2019, emphasizing that they offer more robust protections compared to previous patches for related vulnerabilities.
- However, a patch for SharePoint Enterprise Server 2016 is yet to be issued, leaving some organizations vulnerable.
- This vulnerability is currently being actively exploited, affecting various sectors such as U.S. federal and state agencies, energy companies, universities, and a telco in Asia.
- To mitigate the risk, administrators are advised to apply the latest security updates, consider moving to SharePoint Online, conduct threat hunting, and implement additional security measures like network segmentation and enhanced monitoring of SharePoint servers.
- Additionally, Microsoft has announced changes to its support for US Government customers, assuring that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services.
- Meanwhile, the Chinese government has been reported to be installing malware on smartphones owned by foreign visitors, monitoring GPS location data, SMS messages, images, audio, contacts, and phone services.