7 hours ago
11
Microsoft has patched two critical zero-day SharePoint security flaws that have already been exploited by hackers to attack vulnerable organizations. Responding to the exploits, the software giant has issued fixes for SharePoint Server Subscription Edition and SharePoint Server 2019, but is still working on a patch for SharePoint Server 2016.
Designated as CVE-2025-53771 and CVE-2025-53770, the two vulnerabilities apply only to on-premises versions of SharePoint, so organizations that run the cloud-based SharePoint Online are unaffected.
Also: I replaced my Microsoft account password with a passkey - and you should, too
Rated as important, CVE-2025-53771 is defined as a SharePoint Server spoofing vulnerability, which means that attackers are able to impersonate trusted and legitimate users or resources in a SharePoint environment. Rated as critical, CVE-2025-53770 is defined as a SharePoint Server remote code execution vulnerability. With this type of flaw, hackers can remotely run code in a SharePoint environment.
"CVE-2025-53770 gives a threat actor the ability to remotely execute code, bypassing identity protections (like single sign-on and multi-factor authentication), giving access to content on the SharePoint server including configurations and system files, opening up lateral access across the Windows domain," Trey Ford, chief information security officer at crowdsourced cybersecurity provider Bugcrowd, told ZDNET.
Together, the two flaws give cybercriminals the ability to install malicious programs that can compromise a SharePoint environment. And that's just what's been happening.
Already, hackers have launched attacks against US federal and state agencies, universities, energy companies, and others, state officials and private researchers told The Washington Post. SharePoint servers have been breached within at least two US federal agencies, according to the researchers. One US state official said the attackers had "hijacked" a collection of documents designed to help people understand how their government works, the Post added.
Just who are the hackers behind the attacks?
On Tuesday, Microsoft pointed the finger at three Chinese nation-state actors, accusing Linen Typhoon, Violet Typhoon, and Storm‑2603 of exploiting the SharePoint flaws.
Active since 2012, Linen Typhoon specializes in stealing intellectual property, mainly targeting government, defense, strategic planning, and human rights organizations. The group typically relies on exploiting security vulnerabilities to launch its attacks.
Also: Microsoft rolls out Windows security changes to prevent another CrowdStrike meltdown
In business since 2015, Violet Typhoon focuses on espionage against a range of targets, including former government and military personnel, non-governmental organizations, think tanks, higher education, digital and print media, financial businesses, and health-related companies in the US. This group also looks for security vulnerabilities to exploit.
Microsoft said it believes that Storm‑2603 is also based in China but hasn't yet uncovered any links between it and other Chinese hackers. This group has tried to take advantage of the SharePoint vulnerabilities to steal the Windows MachineKeys folder, which stores cryptographic keys.
Why did Microsoft allow these flaws to get so out of hand?
The company tried to fix both the server spoofing vulnerability and the remote code execution vulnerability with its July 8 Patch Tuesday updates via CVE-2025-49706, CVE-2025-49704, and CVE-2025-49701. But apparently, the fixes didn't quite do the trick, as savvy hackers were able to sneak their way around them.
Hopefully, this time the new patches will work. In an FAQ, Microsoft said about its cavalcade of CVEs, "Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706."
One question is why companies like Microsoft keep exposing their customers to these types of security flaws. One problem lies with the increasing complexity of all the different customer environments.
"Patches are rarely fully comprehensive, and the codebases are both complex, and implementations are highly varied," Ford said. "This is why those test harnesses and regression testing processes are so complicated. In a perfect world, everyone would be running the latest version of code, fully patched. Obviously, this isn't possible, so feature development must be tested across an exponentially more complicated surface area."
Also: Can't upgrade your Windows 10 PC? You have 5 options and 3 months to act - before EOS
Before Microsoft rolled out the new patches on Sunday, security firm Eye Security warned about the SharePoint flaws in a Saturday research post.
"On the evening of July 18, 2025, Eye Security was the first in identifying large-scale exploitation of a newSharePoint remote code execution (RCE)vulnerability chain in the wild," the firm said. "Demonstrated just days ago on X, this exploit is being used to compromise on-premise SharePoint Servers across the world. Before this vulnerability was widely known last Friday, our team scanned 8000+ SharePoint serversworldwide. We discovered dozens of systems actively compromised during two waves of attack, on 18th of July around 18:00 UTC and 19th of July around 07:30 UTC."
Referring to the security flaw as ToolShell, Eye Security explained how SharePoint environments can be compromised through the attacks.
Bypassing security protections, hackers can execute code remotely, thereby gaining access to SharePoint content, system files, and configurations. Attackers can also steal cryptographic keys, allowing them to impersonate users or services, even after the server is patched. Since SharePoint connects to other Microsoft services such as Outlook, Teams, and OneDrive, hackers can move laterally across a network to steal associated passwords and data.
How to fix the security flaws
For organizations that run SharePoint Server, Microsoft has outlined the steps to fix the flaws.
Also: How to get free Windows 10 security updates through October 2026: Two ways
For Microsoft SharePoint Server Subscription Edition, head to this update page to download and install the patch. For Microsoft SharePoint Server 2019, browse to this update page to grab the patch.
How to guard against future attacks
Microsoft offers the following advice:
- Make sure you're running supported versions of SharePoint Server.
- Apply the latest security patches, including those from the July Patch Tuesday updates.
- Make sure that the Windows Antimalware Scan Interface (AMSI) is enabled and set up properly with an antivirus product such as Defender Antivirus.
- Install security software such as Microsoft Defender for Endpoint.
- Rotate SharePoint Server ASP.NET machine keys.
For now, users of SharePoint 2016 are still vulnerable to the exploit. But Microsoft should provide a patch for this version before too long. Continue to check the company's page on SharePoint customer guidance for details.
Also: Microsoft is saving millions with AI and laying off thousands - where do we go from here?
Ford offered further advice to organizations with SharePoint servers.
"When running your own services on-premises, ask if they truly need to be internet exposed, or accessible to untrusted parties," Ford said. "Lowering your attack surface is always wise -- minimize the number of hosts and services you have available to public, untrusted users. Hardening, adding the recommended endpoint protections, such as Microsoft's Antimalware Scan Interface and Defender for these highly integrated services is key."
Get the morning's top stories in your inbox each day with our Tech Today newsletter.
English (US) ·