Critical zero-day vulnerabilities in Microsoft SharePoint on-premises servers, CVE-2025-53770 and CVE-2025-53771, have been actively exploited, with numerous servers compromised across various sectors.
CVE-2025-53770 is a remote code execution vulnerability that lets an attacker execute malicious code on the server remotely without any authentication. The flaw arises from the deserialization of untrusted data.
CVE-2025-53771 is a spoofing vulnerability, allowing attackers with any level of access to the system to manipulate the file path and perform unauthorized actions.
Microsoft has released patches for SharePoint Server 2019, SharePoint Subscription Edition, and SharePoint Server 2016. Organizations that are unable to patch immediately are advised to enable Antimalware Scan Interface (AMSI) integration and deploy Microsoft Defender Antivirus on all SharePoint servers. If these measures cannot be implemented, disconnect the SharePoint server from the internet temporarily until fixes become available. Additionally, after patching or enabling AMSI, it is crucial to rotate SharePoint's ASP.NET machine keys so that keys obtained from a previously compromised server cannot be misused.
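The post-patch steps above (verify Defender Antivirus is active, rotate the machine keys, restart IIS) as an added PowerShell example, not part of the original post. It assumes it is run elevated from the SharePoint Management Shell by a farm administrator and that the `Update-SPMachineKey` cmdlet is available in your SharePoint version.

```powershell
# Added example: post-patch hardening pass on one SharePoint server.
# Assumes the SharePoint Management Shell (farm cmdlets loaded) and local admin rights.

# 1. Confirm Defender Antivirus real-time protection is running, as recommended
#    alongside AMSI integration for servers that cannot be patched right away.
$mp = Get-MpComputerStatus
if (-not ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) {
    Write-Warning "Defender Antivirus real-time protection is not active on $env:COMPUTERNAME"
} else {
    Write-Host "Defender Antivirus real-time protection: enabled"
}

# 2. Record the farm build so it can be compared with the build number listed in
#    the KB article for this edition once the security update is installed.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# 3. Rotate the ASP.NET machine keys of every web application (Central
#    Administration included). Keys taken from a compromised server stay valid
#    until they are replaced, so this step is required after patching.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 4. Restart IIS so the new keys take effect. Repeat this restart on every
#    server in the farm, not only the one where the cmdlet was run.
iisreset.exe
```

Run it once per farm for the key rotation, then run only the final `iisreset.exe` on each remaining server.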
To resolve this issue, here are the supported patches:
| Patch ID | Patch name | Description |
|---|---|---|
| 42005 | sts2019-kb5002754-fullfile-x64-glb.exe | Security Update for Microsoft SharePoint Server 2019 Core (KB5002754) |
| 42006 | uber-subscription-kb5002768-fullfile-x64-glb.exe | Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768) (Deployment-Only) |
| 42007 | sts2016-kb5002760-fullfile-x64-glb.exe | Security Update for Microsoft SharePoint Enterprise Server 2016 (KB5002760) |
| 42008 | wssloc2016-kb5002759-fullfile-x64-glb.exe | Security Update for Microsoft SharePoint Enterprise Server 2016 Language Pack (KB5002759) |
| 42009 | wssloc2019-kb5002753-fullfile-x64-glb.exe | Security Update for Microsoft SharePoint Server 2019 Language Pack (KB5002753) |
Cheers,