
How Can You Stop the Dangerous SharePoint Zero-Day Attack (CVE-2025-53770) Now?

Is Your SharePoint Server at High Risk? The Critical CVE-2025-53770 Threat Explained

CVE-2025-53770 is a critical vulnerability in on-premises Microsoft SharePoint Server that attackers are actively exploiting to take full control of unpatched servers. It was used as a zero-day before fixes existed for every supported version, and compromises have been reported worldwide. Staying safe is possible but requires quick action.

What Is CVE-2025-53770?

It affects only on-premises Microsoft SharePoint Servers (not SharePoint Online or Microsoft 365).

The flaw is a deserialization of untrusted data: SharePoint deserializes attacker-controlled input sent to it over the network without validating it first.

An attacker can send specially crafted data to the server and make it execute arbitrary code. No credentials or login are needed.

Once inside, they can read the server's ASP.NET MachineKey (the ValidationKey and DecryptionKey) and use it to forge signed __VIEWSTATE payloads. That gives them code execution on demand that survives a patch for the original bug, which makes it easier to stay hidden and cause more harm.

Who Is at Risk?

Companies, schools, and public bodies that run their own on-premises SharePoint servers, especially servers that accept connections from the internet.

SharePoint Online users (Microsoft 365) are not at risk from this bug.

How Does the Attack Work?

  1. The attacker finds an on-premises SharePoint server exposed to the internet.
  2. They send a crafted POST request to the ToolPane.aspx page; SharePoint deserializes the attacker-controlled data and runs the embedded code, with no login required.
  3. The code drops a file named spinstall0.aspx into the server's LAYOUTS folder. It is not a classic interactive shell: its job is to read and return the server's ASP.NET MachineKey configuration.
  4. With the ValidationKey and DecryptionKey, the attacker can sign their own __VIEWSTATE payloads and run code whenever they like, an access path that survives a patch for the original bug unless the keys are rotated.
  5. Signs of attack include a new spinstall0.aspx file in the LAYOUTS folder and POST requests to /_layouts/15/ToolPane.aspx whose HTTP Referer is /_layouts/SignOut.aspx.

Why Is This Bug So Critical?

When exploitation began, fixes were not yet available for every supported version, so the bug was exploited as a zero-day. Microsoft has since shipped July 2025 security updates for SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016, but servers that remain unpatched are still being hit.

Attackers need no credentials and no help from a user (no clicks required).

Once a server is hit, patching alone is not enough: the stolen MachineKey lets the attacker forge signed __VIEWSTATE payloads, so admins must rotate the machine keys or the attacker can return later.

The flaw carries a CVSS v3.1 base score of 9.8 (Critical), as serious as it gets.

What Should Admins Do Right Now?

Method 1: Apply Any New Security Updates

Microsoft has released July 2025 security updates for SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016. Install the update for your version right away, then complete the machine-key rotation in Method 6; the update closes the bug but does not invalidate keys that were already stolen.

Method 2: Enable Antimalware Scan Interface (AMSI)

AMSI integration is on by default on servers that installed the September 2023 security update (or Version 23H2 of Subscription Edition) or later, but verify it rather than assume it: confirm AMSI is enabled for every web application and that Microsoft Defender Antivirus (or another AMSI-capable scanner) is running on all SharePoint servers. After installing the July 2025 update, switch AMSI to Full Mode, which Microsoft recommends for this threat. AMSI is a mitigation that blocks known exploit attempts; it is not a substitute for the patch.

Method 3: Use Microsoft Defender for Endpoint

This helps find and block suspicious activity if someone tries to break in or if the system is already compromised.

Method 4: Check for Signs of Attack

  • Search for suspicious new files, especially spinstall0.aspx in the LAYOUTS folder of the SharePoint web server extensions directory (by default C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS).
  • Review IIS logs for POST requests to /_layouts/15/ToolPane.aspx that carry an HTTP Referer of /_layouts/SignOut.aspx, and for any requests to spinstall0.aspx.
  • Look for logons or accounts you do not recognize, and for unexpected child processes of the IIS worker process (w3wp.exe).
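The two log and file checks above, as an added PowerShell example (not code from the original article or from Microsoft). The sample log lines are constructed for the demonstration; the IIS log path and the LAYOUTS path are the install defaults and are assumptions, and the spinstall wildcard is a defensive widening of the article's single file name.

```powershell
# Returns one column from a split W3C log line, or '-' when the '#Fields:'
# header did not announce that column (missing fields must not crash the hunt).
function Get-W3CField($cols, $idx, $name) {
    if ($idx.ContainsKey($name) -and $idx[$name] -lt $cols.Count) { return $cols[$idx[$name]] }
    return '-'
}

# Scans IIS W3C log lines and emits one record per suspicious request:
# a request to ToolPane.aspx with a SignOut.aspx Referer (the exploit pattern),
# or a request for a spinstall*.aspx page (the dropped file being used).
function Find-ToolShellRequests {
    param([string[]]$LogLines)
    $idx = @{}
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # IIS announces the column order here; rebuild the index each time it appears.
            $idx = @{}
            $names = $line.Substring(8).Trim() -split ' '
            for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or $idx.Count -eq 0) { continue }
        $cols = $line -split ' '
        $stem = Get-W3CField $cols $idx 'cs-uri-stem'
        $ref  = Get-W3CField $cols $idx 'cs(Referer)'
        $toolPane = ($stem -match '/ToolPane\.aspx$') -and ($ref -match '/SignOut\.aspx')
        $shell    = $stem -match '/spinstall\d*\.aspx$'
        if ($toolPane -or $shell) {
            $indicator = if ($toolPane) { 'ToolPane.aspx with SignOut.aspx referer' } else { 'spinstall page requested' }
            [pscustomobject]@{
                Time      = (Get-W3CField $cols $idx 'date') + ' ' + (Get-W3CField $cols $idx 'time')
                Method    = Get-W3CField $cols $idx 'cs-method'
                Client    = Get-W3CField $cols $idx 'c-ip'
                Uri       = $stem
                Query     = Get-W3CField $cols $idx 'cs-uri-query'
                Status    = Get-W3CField $cols $idx 'sc-status'
                Indicator = $indicator
            }
        }
    }
}

# Constructed sample lines (not real traffic) in IIS W3C format. The first is
# the exploit pattern, the second is a request for the dropped file, the third
# is an ordinary authenticated page edit and must not be flagged.
$sample = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2025-07-19 03:12:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200 0 0 317',
    '2025-07-19 03:13:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12',
    '2025-07-19 09:00:15 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\jdoe 10.0.1.20 Mozilla/5.0 https://sp.example.com/sites/hr/SitePages/Home.aspx 200 0 0 88'
)
Find-ToolShellRequests -LogLines $sample | Format-Table -AutoSize   # two rows: the POST and the spinstall0 GET

# On a real front end, feed the IIS logs instead (default log path assumed):
# Get-ChildItem 'C:\inetpub\logs\LogFiles' -Recurse -Filter 'u_ex*.log' |
#     ForEach-Object { Find-ToolShellRequests -LogLines ([IO.File]::ReadAllLines($_.FullName)) }

# File check: the dropped page lands in the LAYOUTS folder (default install path assumed).
$layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
Get-ChildItem -Path $layouts -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc
```

The parser reads each log's own #Fields: header rather than assuming a column layout, because IIS sites are often configured with different logging fields and the Referer column is not always present. Run it on every front end in the farm, not just the one that faces the internet, and treat any ToolPane.aspx hit with a SignOut.aspx referer as a confirmed exploitation attempt regardless of the status code.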

Method 5: Network Safety

If you cannot enable AMSI, take the server off the public internet until it is updated: require a VPN or an authenticating gateway in front of it, and allow connections only from trusted networks and users.

Method 6: Rotate ASP.NET Machine Keys

After installing the update (or, as an interim step, enabling AMSI), rotate the ASP.NET machine keys for every web application, using the Update-SPMachineKey PowerShell cmdlet or the Machine Key Rotation timer job in Central Administration, and then restart IIS on every SharePoint server so the new keys take effect. Keys stolen before the patch stay valid until they are rotated, so skipping this step leaves the attacker a way back in.
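The rotation step as an added PowerShell example (not the article's own code). It assumes an elevated SharePoint Management Shell on one farm server, that the Update-SPMachineKey cmdlet is present in your SharePoint build, and that PowerShell remoting (WinRM) is enabled between the farm servers for the IIS restarts.

```powershell
# Loads the SharePoint cmdlets when run from a plain PowerShell console.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Older builds may lack the cmdlet; fall back to the Central Administration job.
if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw 'Update-SPMachineKey is not available here; run the Machine Key Rotation Job from Central Administration instead.'
}

# Generate fresh ValidationKey/DecryptionKey values for every web application.
# A key the attacker already copied stays valid until this runs.
foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# Running IIS worker processes keep the old keys in memory until IIS restarts,
# so restart it on every SharePoint server. Role 'Invalid' marks farm members
# that are not SharePoint servers (for example the SQL Server), which are skipped.
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $servers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe /noforce }
}
```

Schedule the restart loop for a maintenance window if the farm is large, but do not postpone the rotation itself: until it runs, a forged __VIEWSTATE signed with the stolen key is accepted as valid by every server in the farm.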

Method 7: Make Regular Backups

Keep backups that predate any compromise, verify they are clean before restoring from them, and store them where an attacker on the server cannot reach, alter or encrypt them.

Organizations that act fast can block these attacks or cut them short. Waiting risks stolen files, lost data, or a full server takeover. Patching, monitoring, and careful key management are the best defenses.

Staying alert and fixing issues right away is the key to keeping data and people safe from this threat.