
A Major Microsoft SharePoint Vulnerability Is Actively Being Exploited


A newly discovered vulnerability in Microsoft SharePoint Server is being actively used by cybercriminals in a large-scale attack campaign.

The flaw, known as CVE-2025-53770, allows attackers to break into SharePoint systems without needing a username or password. Once inside, they can take control of the server, move around the network, and blend in with legitimate system activity—making it incredibly hard to detect.

Microsoft confirmed that this issue is being actively exploited in attacks targeting organizations that run on-premises SharePoint Server (not SharePoint Online in Microsoft 365). This means that if you host your SharePoint Server locally rather than in the cloud, your systems could be at risk.

The attack stems from how SharePoint handles certain data, which—when exploited—lets bad actors run code of their choosing on the server and potentially keep long-term access to your systems. Even worse, attackers can make their activity look like regular SharePoint operations.

This is what's known as a zero-day vulnerability, which means attackers found and began exploiting the flaw before Microsoft had a chance to release a fix. Unfortunately, the damage is already widespread—more than 85 SharePoint servers around the world have been compromised, including systems used by large companies and government organizations. Even for those who have applied the patch, there’s still concern: if attackers got in early and managed to steal important encryption keys, those servers may still be exposed despite the update, because the stolen keys let the attackers return without exploiting the flaw again.

What Should You Do?

Microsoft has now released a security update addressing this and a related issue. If you manage on-premises SharePoint servers, applying this patch immediately is critical.

In the meantime, Microsoft also recommends:

  • Enabling AMSI (Antimalware Scan Interface) integration in SharePoint, which helps detect malicious scripts and behavior.
  • Running Microsoft Defender Antivirus on all SharePoint servers.
  • Disconnecting servers from the internet if you can’t apply these protections right away.
  • Using Defender for Endpoint to catch signs of intrusion or unusual activity.
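
To see where each of these recommendations stands on a given server, the following read-only check can be run in the SharePoint Management Shell on each on-premises SharePoint server. It is an added example, not code from Microsoft or InfoPathways; it assumes the AMSI integration feature's display name contains "AMSI" or "Antimalware", and it reports the farm build number so you can compare it yourself against the build Microsoft lists for the fix.

```powershell
# Added example: status check for the mitigations listed above.
# Run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = [ordered]@{}

# 1. Patch level: compare this against the fixed build Microsoft publishes.
$report['SharePointBuild'] = (Get-SPFarm).BuildVersion.ToString()

# 2. Microsoft Defender Antivirus: engine on, real-time protection on,
#    and signatures updated recently.
$mp = Get-MpComputerStatus
$report['DefenderAVEnabled'] = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
$report['SignatureAgeDays']  = [int]((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays

# 3. Defender for Endpoint sensor (Windows service name 'Sense').
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$report['MDESensorRunning'] = ($null -ne $sense) -and ($sense.Status -eq 'Running')

# 4. AMSI integration is a web-application-scoped SharePoint feature.
#    Assumption: its display name contains 'AMSI' or 'Antimalware'. If no web
#    application matches, confirm the feature name under Central Administration
#    > Manage Web Application Features before concluding it is disabled.
foreach ($wa in Get-SPWebApplication) {
    $amsi = Get-SPFeature -WebApplication $wa.Url -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'AMSI|AntiMalware' }
    $report["AMSIEnabled:$($wa.Url)"] = [bool]$amsi
}

# One line per check; any False value or a large signature age needs attention.
$report.GetEnumerator() | ForEach-Object { '{0,-55} {1}' -f $_.Key, $_.Value }
```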

Need help securing your SharePoint Server?

If you’re not sure whether your systems are protected—or if you need help applying these updates—InfoPathways is here to support you. We help organizations of all sizes secure their networks and stay ahead of emerging threats.