A critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, has been actively exploited since at least July 18th, with no patch available and at least 85 servers already compromised worldwide.
In May, Viettel Cyber Security researchers chained two Microsoft SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, in a "ToolShell" attack demonstrated at Pwn2Own Berlin to achieve remote code execution.
While Microsoft patched both ToolShell flaws as part of the July Patch Tuesday, it is now warning that a variant of CVE-2025-49706, tracked as CVE-2025-53770, is being actively exploited in the wild.
"Microsoft is aware of active attacks targeting on-premises SharePoint Server customers," warns Microsoft.
"The attacks are exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770."
Microsoft states that the flaw does not affect Microsoft 365 and that it is working on a security update, to be released as soon as possible.
To mitigate the flaw, Microsoft recommends that customers enable AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers.
Microsoft AMSI (Antimalware Scan Interface) is a security feature that allows applications and services to pass potentially malicious content to an installed antivirus solution for real-time scanning. It's commonly used to inspect scripts and code in memory, helping detect and block obfuscated or dynamic threats.
Microsoft says that enabling these mitigations will prevent unauthenticated attacks from exploiting the flaw.
The company notes that AMSI integration has been enabled by default since the September 2023 security update for SharePoint Server 2016 and 2019, and since the Version 23H2 feature update for SharePoint Server Subscription Edition; farms that were patched later, or where the feature was switched off, need to turn it back on.
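The following PowerShell script is an added example for auditing, and optionally enabling, the two mitigations described above; it is not code from the article or from Microsoft. It assumes it is run in an elevated SharePoint Management Shell on each server in the farm, that the AMSI integration feature is web-application scoped with the feature ID given in the script (an assumption to confirm against `Get-SPFeature` on your own farm before relying on it), and that Microsoft Defender Antivirus is the AMSI provider in use.

```powershell
# Added example (not from the article): audit and, with -Enable, activate
# SharePoint AMSI integration on every web application, then confirm that
# Defender AV is running and which AMSI providers are registered.
# Run in an elevated SharePoint Management Shell on EACH SharePoint server.
param([switch]$Enable)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# ASSUMPTION: ID of the web-application-scoped "AMSI integration" feature.
# Verify it on your farm (Get-SPFeature | Where-Object DisplayName -match amsi)
# before trusting the result of this script.
$AmsiFeatureId = [Guid]'4335c5cb-2b13-4a61-9ccd-eb25db64cdd1'

# Does this farm even carry the feature definition? Builds older than the
# September 2023 (2016/2019) or 23H2 (Subscription Edition) updates will not.
$def = Get-SPFeature -Identity $AmsiFeatureId -ErrorAction SilentlyContinue
if (-not $def) {
    Write-Warning "Feature $AmsiFeatureId not found; the farm may be too old for AMSI integration."
    Write-Host "Feature definitions mentioning AMSI (if any):"
    Get-SPFeature | Where-Object { $_.DisplayName -match 'amsi' } |
        Format-Table DisplayName, Id, Scope -AutoSize
    return
}
Write-Host ("AMSI feature definition found: {0} (scope: {1})" -f $def.DisplayName, $def.Scope)

# 1. Per-web-application status. Central Administration is included because it
#    is a web application too and is exposed to the same request path.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $active = Get-SPFeature -WebApplication $wa -ErrorAction SilentlyContinue |
              Where-Object { $_.Id -eq $AmsiFeatureId }
    if ($active) {
        Write-Host ("[OK]      AMSI integration active on {0}" -f $wa.Url)
    } elseif ($Enable) {
        Enable-SPFeature -Identity $AmsiFeatureId -Url $wa.Url
        Write-Host ("[ENABLED] AMSI integration on {0}" -f $wa.Url)
    } else {
        Write-Warning ("AMSI integration NOT active on {0} (re-run with -Enable)" -f $wa.Url)
    }
}

# 2. Defender AV must be installed and scanning in real time, or the AMSI
#    calls made by SharePoint have nothing to hand the request content to.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and $mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled) {
    Write-Host ("[OK]      Defender AV active, signatures updated {0}" -f $mp.AntivirusSignatureLastUpdated)
} else {
    Write-Warning "Defender AV is not running with real-time protection on this server."
}

# 3. Which AMSI providers are registered on this host. Each subkey is the CLSID
#    of a provider; its friendly name lives under HKLM:\SOFTWARE\Classes\CLSID.
$providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
if (-not $providers) {
    Write-Warning "No AMSI providers registered; AMSI integration will have no effect."
} else {
    foreach ($p in $providers) {
        $clsid = $p.PSChildName
        $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        Write-Host ("[INFO]    AMSI provider {0} {1}" -f $clsid, $name)
    }
}
```

Run it once without `-Enable` to get an inventory, then with `-Enable` on a farm where the feature is missing. Two caveats: AMSI is only a hand-off mechanism, so the mitigation is exactly as good as the registered antivirus engine's detection of the request content, and a server that was already compromised before the feature was turned on is not cleaned by enabling it.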