Microsoft SharePoint zero-day exploited in RCE attacks, no patch available

Microsoft has issued an urgent warning regarding a critical zero-day vulnerability in on-premises SharePoint Server that is being actively exploited in remote code execution (RCE) attacks. This vulnerability, tracked as CVE-2025-53770, is a variant of a previously patched flaw (CVE-2025-49706) and has a CVSS score of 9.8 (critical).

Key details of the situation:

 * No Patch Available: As of now, Microsoft has not released a patch for CVE-2025-53770. They are actively working on a comprehensive security update.

 * Active Exploitation: Threat actors are leveraging this vulnerability to install webshells and exfiltrate cryptographic secrets from compromised SharePoint servers. This allows for persistent, unauthenticated access and poses a significant risk.

 * Impacted Versions: The attacks are targeting on-premises SharePoint Server customers, including versions 2016, 2019, and SharePoint Subscription Edition. SharePoint Online in Microsoft 365 is not impacted.

 * Attack Chain: Reports indicate that the attacks often involve chaining CVE-2025-53770 with other SharePoint vulnerabilities, such as CVE-2025-49704 (a code injection flaw), to achieve arbitrary command execution. This exploit chain has been codenamed "ToolShell."

 * Observed Compromises: Security firms have observed dozens of systems actively compromised, with initial attacks likely occurring around July 18th and 19th, 2025.

Microsoft's Recommendations and Mitigations (Urgent Action Required):

Given the lack of a patch and active exploitation, organizations running on-premises SharePoint Servers must take immediate action to protect their environments. Microsoft recommends the following:

 * Configure AMSI Integration in SharePoint: This will help stop unauthenticated attackers from exploiting the vulnerability. AMSI (Antimalware Scan Interface) integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. Organizations should verify it's enabled or enable it if not.

 * Deploy Microsoft Defender Antivirus (AV) on all SharePoint servers: Defender AV provides detection and protection against components and behaviors related to this threat under detection names such as "Exploit:Script/SuspSignoutReq.A" and "Trojan:Win32/HijackSharePointServer.A".

 * Deploy Defender for Endpoint: This will help detect and block post-exploit activity.

 * Monitor for Suspicious Activity: Look for alert titles in the Microsoft Defender Security Center portal, such as:

   * Possible web shell installation.

   * Possible exploitation of SharePoint server vulnerabilities.

   * Suspicious IIS worker process behavior.

   * 'SuspSignoutReq' malware was blocked on a SharePoint server.

   * 'HijackSharePointServer' malware was blocked on a SharePoint server.

 * Consider Disconnecting from the Internet: If AMSI integration cannot be enabled, it is strongly recommended to disconnect the SharePoint server from the internet until a security update is available.

 * Assume Compromise and Investigate: Organizations should assume their systems may already be compromised and immediately commence threat hunting and incident response activities to determine if their SharePoint servers have been affected.
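The "Possible web shell installation" alert and the advice to assume compromise and start hunting describe what to look for without giving a procedure. The following is an added example written for this page, not code from the article or from Microsoft: a small Python script that parses IIS W3C logs from a SharePoint front end and flags requests to .aspx pages under the /_layouts/ virtual directory that are not in a known-good baseline, a cheap first pass for dropped web shells. The baseline set, the log excerpt, the client addresses and the page name dropped0.aspx are all constructed for the example; a real baseline should be built from a clean installation, not from the server under investigation.

```python
"""Hunt IIS W3C logs for requests to .aspx pages under /_layouts/ that are
absent from a known-good baseline. Everything below (baseline, log lines,
addresses, page names) is constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

LAYOUTS_PREFIX = "/_layouts/"  # SharePoint's server-side page directory

# Constructed known-good baseline (lower-cased). Build the real one from a
# clean server or fresh install, never from the host you are investigating.
BASELINE: Set[str] = {
    "/_layouts/15/start.aspx",
    "/_layouts/15/authenticate.aspx",
    "/_layouts/15/signout.aspx",
}

# Constructed IIS W3C extended log excerpt; the final record is deliberately
# truncated to show that malformed lines are skipped rather than misparsed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-07-19 02:11:03 10.0.0.5 GET /_layouts/15/start.aspx - 200
2025-07-19 02:11:09 10.0.0.5 POST /_layouts/15/Authenticate.aspx - 302
2025-07-19 02:11:10 10.0.0.5 GET /_layouts/15/images/siteicon.png - 200
2025-07-19 02:12:44 203.0.113.7 GET /_layouts/15/dropped0.aspx - 200
2025-07-19 02:12:50 203.0.113.7 POST /_layouts/15/dropped0.aspx a=1 200
2025-07-19 02:15:00 10.0.0.8 GET /sites/hr/Pages/default.aspx - 200
2025-07-19 02:15:01 10.0.0.8 GET
"""


@dataclass
class Finding:
    """One unknown .aspx page under /_layouts/ and who touched it."""
    path: str
    methods: Set[str] = field(default_factory=set)
    clients: Set[str] = field(default_factory=set)
    first_seen: str = ""
    hits: int = 0


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields line."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record; skip instead of misaligning
        records.append(dict(zip(fields, values)))
    return records


def find_unknown_layout_pages(text: str, baseline: Set[str] = BASELINE) -> List[Finding]:
    """Return one Finding per .aspx path under /_layouts/ not in the baseline."""
    findings: Dict[str, Finding] = {}
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if not (stem.startswith(LAYOUTS_PREFIX) and stem.endswith(".aspx")):
            continue  # static assets and site content pages are out of scope here
        if stem in baseline:
            continue
        f = findings.setdefault(stem, Finding(path=stem))
        f.methods.add(rec.get("cs-method", "?"))
        f.clients.add(rec.get("c-ip", "?"))
        f.hits += 1
        if not f.first_seen:
            f.first_seen = f"{rec.get('date', '')} {rec.get('time', '')}"
    return sorted(findings.values(), key=lambda x: x.first_seen)


def report(findings: List[Finding]) -> str:
    """Render findings as one line each for a ticket or a hunting notebook."""
    lines = []
    for f in findings:
        lines.append(
            f"{f.path}: first seen {f.first_seen}, {f.hits} hit(s), "
            f"methods={sorted(f.methods)}, clients={sorted(f.clients)}"
        )
    return "\n".join(lines) if lines else "no unknown /_layouts/ pages requested"


if __name__ == "__main__":
    print(report(find_unknown_layout_pages(SAMPLE_LOG)))
```

A POST to a page that appears in the log for the first time shortly after the incident window is exactly the pattern that merits pulling the file from disk, checking its timestamps and owner, and treating the host as compromised until shown otherwise. Run this over the full retention period of the IIS logs, not just the days around July 18th and 19th, because a shell dropped earlier will otherwise look like part of the baseline.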

The situation is critical, and organizations should prioritize implementing the recommended mitigations to safeguard their SharePoint environments.
