Australian Cyber Security Centre Warns of an Active Exploit Taking Advantage of Microsoft SharePoint Vulnerability CVE-2025-53770 

ACSC warns of active exploits targeting CVE-2025-53770 on on-premises Microsoft SharePoint and urges urgent patching to prevent remote code execution attacks.

July 21, 2025 · 3 min read

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has issued a security alert to Australian organizations and government IT teams about an actively exploited vulnerability in Microsoft SharePoint Server. Tracked as CVE-2025-53770, the flaw affects organizations running on-premises SharePoint installations. 

CVE-2025-53770 is a deserialization of untrusted data flaw in on-premises Microsoft SharePoint Server. An attacker who can reach the server over the network can exploit it to execute arbitrary code without any prior authentication. Both Microsoft and the ACSC have confirmed that the vulnerability is being exploited in the wild. Microsoft’s CVSS score for the flaw was still being revised at the time of writing. 

Understanding SharePoint Vulnerability (CVE-2025-53770) 

Microsoft reported that attackers are already targeting unpatched SharePoint Server customers. In its customer guidance, the Microsoft Security Response Center wrote, “We are aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.” 

This vulnerability does not affect SharePoint Online in Microsoft 365. Only the on-premises products are affected: SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. 

The Australian Cyber Security Centre (ACSC) has advised organizations to assess their environments for vulnerable SharePoint products immediately. In its alert, the ACSC stated: 

“Australian organizations should review their networks for use of vulnerable instances of the Microsoft Office SharePoint Server products and consult Microsoft’s customer advisory (CVE-2025-53770) for mitigation advice.” 


Security Updates and Mitigation 

Microsoft published its advisory for the vulnerability on July 19, 2025, and has revised its guidance several times since. The second revision, on July 20, added specific fixes and further recommendations. By July 21, 2025, the third revision included security updates for SharePoint Server 2019 and SharePoint Server Subscription Edition; an update for SharePoint Server 2016 was still pending. 

Key Updates Include: 

  • SharePoint Server 2019: Security update (KB5002741), build version 16.0.10417.20027 
  • SharePoint Server Subscription Edition: Security update (KB5002768) 

Microsoft’s guidance includes several critical mitigation steps, to be carried out in this order: 

  • Apply the July 2025 Security Update immediately 
  • Run only supported SharePoint Server versions 
  • Enable AMSI (Antimalware Scan Interface) integration in SharePoint and run Defender Antivirus (or another AMSI-capable antivirus) on the servers 
  • Deploy Microsoft Defender for Endpoint or an equivalent EDR solution 
  • Rotate the ASP.NET machine keys on all SharePoint servers 
  • Restart IIS on every server after the key rotation 

Two points matter for practitioners. First, AMSI integration is only available on servers that already have the September 2023 security update or later (Version 23H2 for Subscription Edition), where Microsoft enables it by default; older builds must be brought up to that level before the mitigation applies. Second, the key rotation is not routine housekeeping: the deserialization attack delivers a signed ASP.NET ViewState payload, and an attacker who has already obtained a server’s ValidationKey can keep forging such payloads against a patched server until the key changes. Rotate the keys only after the update is installed, otherwise the new keys can be stolen the same way. 

If organizations are unable to enable AMSI or patch their systems immediately, disconnecting the servers from the internet is strongly advised as a temporary protective measure. 
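The post-patch steps above (confirm the update, rotate the machine keys, restart IIS) as a single script. This is an added example, not code from the article, the ACSC or Microsoft. It assumes a SharePoint Server 2019 farm, that the build number 16.0.10417.20027 listed for KB5002741 is the one to check against, that the script runs from the SharePoint Management Shell (which loads the SharePoint cmdlets), and that Update-SPMachineKey, the cmdlet Microsoft’s guidance names for rotation, accepts a web application through -WebApplication; that parameter usage is an assumption.

```powershell
# Added example (not from the article, the ACSC or Microsoft): confirm the July 2025
# update is in place, rotate the ASP.NET machine keys for every web application,
# then restart IIS. Run from the SharePoint Management Shell, elevated, with a farm
# administrator account, on each SharePoint server in the farm.
$ErrorActionPreference = 'Stop'

# Step 1: confirm the farm is at or above the patched build.
# Assumption: SharePoint Server 2019, where the article lists build 16.0.10417.20027
# for KB5002741. Adjust the value for Subscription Edition.
$patchedBuild = [version]'16.0.10417.20027'
$farmBuild    = (Get-SPFarm).BuildVersion

if ($farmBuild -lt $patchedBuild) {
    # BuildVersion is the farm's configured build: it lags the binary install until the
    # products configuration wizard (psconfig) has run. Keys rotated on an unpatched
    # server can simply be stolen again, so stop here.
    Write-Warning "Farm build $farmBuild is below $patchedBuild. Install the update and run psconfig before rotating keys."
    return
}
Write-Host "Farm build $farmBuild is at or above the July 2025 update."

# Step 2: rotate the ASP.NET machine keys (ValidationKey/DecryptionKey) for every web
# application, Central Administration included. Assumption: Update-SPMachineKey takes the
# web application via -WebApplication. Rotation invalidates any key an attacker already
# holds, which is why it is required even after patching.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# Step 3: restart IIS so every worker process picks up the new keys.
# /noforce lets in-flight requests finish; drop it if the server is already isolated.
& iisreset.exe /noforce
```

Run it on every server in the farm, not just the one that was patched first: the machine keys are farm-wide configuration, and a worker process on an unrestarted server keeps using the old ones until IIS is recycled.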

Detection and Monitoring 

Microsoft has added detections for this activity to Microsoft Defender. Administrators are advised to run Advanced Hunting queries in the Microsoft Defender portal to look for exploitation of CVE-2025-53770 and of CVE-2025-49706, the related SharePoint spoofing vulnerability from the July Patch Tuesday update. 

Key Indicators of Exploitation: 

  • Presence of a malicious file such as spinstall0.aspx in SharePoint LAYOUTS directories 
  • w3wp.exe processes spawning encoded PowerShell commands 
  • Usage of base64-encoded payloads in PowerShell indicative of post-exploitation behavior 

Example Defender hunting query for file creation: 

DeviceFileEvents 
| where FolderPath has_any (@'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS', @'microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS') 
| where FileName has "spinstall0" 

Example process query: 

DeviceProcessEvents 
| where InitiatingProcessFileName has "w3wp.exe" 
| where FileName =~ "cmd.exe" 
| where ProcessCommandLine has_all ("cmd.exe", "powershell") 
| where ProcessCommandLine has_any ("EncodedCommand", "-ec") 
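The two hunting queries only work for servers onboarded to Defender for Endpoint. The three indicators listed above can also be checked locally on a SharePoint server that has no EDR, which the following script does. This is an added example, not code from the article, the ACSC or Microsoft. It assumes the two LAYOUTS paths from the file query sit under the default C:\Program Files\Common Files, that ‘spinstall0*’ is the file-name indicator to match (the one the article gives, not a complete IOC list), and that the process chain of interest is w3wp.exe spawning cmd.exe which spawns powershell.exe, so it walks the live process tree a few levels down and decodes any -EncodedCommand argument it finds.

```powershell
# Added example (not from the article, the ACSC or Microsoft): local triage for the
# three indicators in the text, for a SharePoint server without Defender for Endpoint.
# Run in an elevated PowerShell on the server.

# Assumption: default install location for the LAYOUTS directories the hunting query names.
$layoutsDirs = @(
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
)

# Indicator 1: spinstall0*.aspx in a LAYOUTS directory. Other recently written .aspx files
# are listed for review, not flagged: a security update also writes files here, so compare
# the timestamps against the time the July 2025 update was installed.
function Find-LayoutsWebShells {
    param([string[]]$Directories, [int]$RecentDays = 30)
    $since = (Get-Date).AddDays(-$RecentDays)
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Filter *.aspx -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'spinstall0*' -or $_.LastWriteTime -gt $since } |
            ForEach-Object {
                $verdict = if ($_.Name -like 'spinstall0*') { 'IOC MATCH' } else { 'review' }
                [pscustomobject]@{
                    Verdict       = $verdict
                    FullName      = $_.FullName
                    CreationTime  = $_.CreationTime
                    LastWriteTime = $_.LastWriteTime
                    Length        = $_.Length
                }
            }
    }
}

# Indicator 3: -EncodedCommand carries base64 of UTF-16LE text. Decode it so the analyst
# sees the script rather than the blob. Matches -EncodedCommand and the -e/-ec/-enc
# abbreviations that powershell.exe accepts.
function ConvertFrom-EncodedCommand {
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)\s-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)') {
        try   { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return '<argument present but not valid base64>' }
    }
    return $null
}

# Indicator 2: shells under w3wp.exe. The chain on the page is w3wp.exe -> cmd.exe ->
# powershell.exe, so the PowerShell process is a grandchild; walk $MaxDepth levels.
# Note: Win32_Process.ParentProcessId can point at a reused PID; confirm with CreationDate.
function Get-W3wpDescendants {
    param([int]$MaxDepth = 3)
    $procs    = Get-CimInstance -ClassName Win32_Process
    $byParent = @{}
    foreach ($p in $procs) {
        $key = [uint32]$p.ParentProcessId
        if (-not $byParent.ContainsKey($key)) { $byParent[$key] = @() }
        $byParent[$key] += $p
    }
    $shells   = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
    $frontier = @($procs | Where-Object { $_.Name -eq 'w3wp.exe' })
    for ($depth = 1; $depth -le $MaxDepth -and $frontier.Count -gt 0; $depth++) {
        $next = @()
        foreach ($parent in $frontier) {
            $key = [uint32]$parent.ProcessId
            if (-not $byParent.ContainsKey($key)) { continue }
            foreach ($child in $byParent[$key]) {
                $decoded = ConvertFrom-EncodedCommand $child.CommandLine
                $verdict = if ($decoded) { 'ENCODED POWERSHELL' }
                           elseif ($child.Name -in $shells) { 'shell under w3wp' }
                           else { 'review' }
                [pscustomobject]@{
                    Depth           = $depth
                    Name            = $child.Name
                    ProcessId       = $child.ProcessId
                    ParentProcessId = $child.ParentProcessId
                    Verdict         = $verdict
                    CommandLine     = $child.CommandLine
                    DecodedCommand  = $decoded
                }
                $next += $child
            }
        }
        $frontier = $next
    }
}

Find-LayoutsWebShells -Directories $layoutsDirs | Format-Table -AutoSize
Get-W3wpDescendants | Sort-Object Verdict, Depth | Format-List
```

The process check only sees what is running at the moment it executes; a one-shot PowerShell launched by the web shell may already have exited. Pair it with the Defender queries, or with Security event 4688 (process creation with command-line auditing enabled), for historical coverage.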

Conclusion  

As organizations move to address CVE-2025-53770, a related flaw, CVE-2025-53771, has also been identified and is fixed by the same security updates. Microsoft classifies CVE-2025-53771 as a spoofing vulnerability; the two are variants of CVE-2025-49704 and CVE-2025-49706, which the July Patch Tuesday update had only partially addressed. Both pose serious risks to on-premises environments. The Australian Cyber Security Centre (ACSC) continues to stress the urgency of applying the available patches, rotating the ASP.NET machine keys and reviewing internal systems for exposure. 

Without timely mitigation, these vulnerabilities allow unauthenticated attackers to execute code on SharePoint servers, putting sensitive data and operations at significant risk. Organizations are strongly advised to follow the official security advisories and act on the latest guidance, current as of July 21, 2025. 
