Severe Unpatched SharePoint Zero-Day Under Active Exploitation, Compromises Over 75 Company Servers

July 20, 2025
Zero-Day / Vulnerability

A serious security flaw in Microsoft SharePoint Server has been weaponized in an ongoing, large-scale exploitation campaign. The zero-day vulnerability, identified as CVE-2025-53770 (CVSS score: 9.8), is a variant of CVE-2025-49704 (CVSS score: 8.8), which was addressed by Microsoft in their July 2025 Patch Tuesday updates. Microsoft explained that “deserialization of untrusted data in on-premises Microsoft SharePoint Server enables unauthorized attackers to execute code over a network,” as detailed in an advisory released on July 19, 2025. The company is actively preparing a comprehensive update to mitigate this issue. Viettel Cyber Security is credited with discovering and reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI). Additionally, Microsoft has acknowledged awareness of ongoing attacks related to this vulnerability.

Critical Unpatched SharePoint Zero-Day Under Active Exploitation, Compromises Over 75 Company Servers

July 20, 2025
In an alarming development, a critical zero-day vulnerability in Microsoft SharePoint Server has been actively exploited in a large-scale attack campaign, leading to the breach of more than 75 company servers. This vulnerability, designated as CVE-2025-53770 and carrying a CVSS score of 9.8, has been identified as a variant of an earlier flaw, CVE-2025-49704, which was patched by Microsoft during its July 2025 Patch Tuesday updates.

The vulnerability stems from the deserialization of untrusted data in on-premises Microsoft SharePoint Server, a flaw that allows unauthorized attackers to execute code over a network. In an advisory issued on July 19, 2025, Microsoft highlighted the significance of the issue and confirmed that it is currently working on a comprehensive update to address this security gap. Viettel Cyber Security reported the flaw through Trend Micro’s Zero Day Initiative, prompting Microsoft to acknowledge the seriousness of the situation.

The ongoing exploitation poses considerable risks, particularly for businesses reliant on SharePoint for document management and collaboration. As attacks grow more sophisticated, cybercriminals are increasingly turning to zero-day vulnerabilities to gain initial access to target networks. This incident serves as a reminder of the evolving landscape of cyber threats that can compromise organizational data integrity and system availability.

Given the nature of the attack, it is crucial for business owners to understand the potential tactics and techniques that may have been employed by the adversaries. According to the MITRE ATT&CK framework, the techniques involved in this breach likely include initial access through exploitation of unpatched vulnerabilities, persistence via backdoor installations, and potential privilege escalation to gain higher access levels within compromised networks.

As Microsoft works on a patch, organizations should prioritize the immediate review of their SharePoint configurations and access controls. Cybersecurity experts recommend bolstering defenses through regular vulnerability assessments and timely application of security updates to mitigate the risk posed by similar exploits in the future. Preparing for an incident response should also be a top priority, as proactive measures can significantly reduce the impact of an attack.

The situation remains dynamic, and businesses should stay informed about updates from Microsoft regarding the release of the patch. Awareness and preparedness are essential in navigating this rapidly evolving cyber threat landscape, particularly for organizations leveraging popular software solutions like Microsoft SharePoint. Corporate leadership and IT teams must collaborate closely to ensure that defenses are robust, and rapid responses are in place should further threats emerge.

Source link