Critical Alert: Microsoft SharePoint Zero-Day Exploited in Active Attacks (CVE-2025-53770)

Unpatched SharePoint? This Zero-Day Could Let Attackers In

Microsoft has issued an urgent warning about a newly weaponized zero-day vulnerability, CVE-2025-53770, affecting on-premises SharePoint Server deployments. Rated CVSS 9.8, this remote code execution (RCE) flaw is being actively exploited and poses a severe risk to unpatched environments.

What’s the Threat?

This unauthenticated RCE vulnerability allows attackers to take full control of on-premises SharePoint servers without any credentials. SharePoint Online (Microsoft 365) is not affected, but any self-hosted SharePoint Server instance is potentially exposed.

On July 18, 2025, Eye Security confirmed that the ToolShell exploit chain was being used in the wild to compromise servers worldwide, including those of government agencies and major enterprises.

This new CVE is a variant of CVE-2025-49706, which was patched in July's Patch Tuesday release, and it bypasses that fix. Attackers are adapting quickly to prior mitigations, so having installed the July update is not, on its own, protection against this vulnerability; Microsoft's dedicated update for CVE-2025-53770 is required.

Our Immediate Recommendations to Mitigate CVE-2025-53770

If your organization is still operating legacy on-premises SharePoint servers, we recommend the following immediate actions:

  • Ensure your on-premises SharePoint instance is not directly accessible from the internet. Direct internet exposure significantly increases your risk profile and gives threat actors a ready entry point.
  • Implement compensating controls such as VPN enforcement or a secure access gateway to restrict and monitor access. All remote access to on-premises SharePoint should require authentication via VPN or an equivalent access control before a request ever reaches the server.

These network controls limit who can reach the server; they do not fix the flaw. Apply Microsoft's security update as soon as it is available for your SharePoint version, and treat any server that was internet-exposed before patching as potentially compromised: Microsoft's guidance notes that attackers who already exploited the flaw may have obtained the server's ASP.NET machine keys, and it calls for rotating those keys after the update is applied.

For the full list of Microsoft’s official mitigation steps and threat indicators, visit: Microsoft Guidance on CVE-2025-53770
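As a practical starting point for the two recommendations above, here is an added example (not DirectDefense's code, nor Microsoft's) that triages IIS W3C logs from a SharePoint front end. It flags two things: requests whose client address lies outside your trusted ranges, which is direct evidence the server is answering traffic that did not arrive over the VPN or access gateway, and the request pattern Microsoft's guidance publishes as an indicator for this exploit chain, a POST to /_layouts/15/ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx. The log lines are constructed for the example, and the TRUSTED_NETWORKS list is an assumption you must replace with your own internal and VPN-assigned address ranges.

```python
"""Triage IIS W3C logs from an on-premises SharePoint front end.

Added example for this advisory, not code from DirectDefense or Microsoft.
Two checks are applied to every request:
  1. The ToolShell request pattern published as an indicator in Microsoft's
     CVE-2025-53770 guidance: POST to /_layouts/15/ToolPane.aspx with a
     Referer of /_layouts/SignOut.aspx.
  2. A client address outside the trusted ranges, which shows the server is
     answering requests that did not arrive over the VPN / access gateway.
"""
import ipaddress
from typing import Dict, Iterable, Iterator, List

# Assumption: replace with your own internal and VPN-assigned address ranges.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Indicator pattern from Microsoft's published guidance (matched case-insensitively).
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"

# Constructed sample log in IIS W3C format; none of this is real traffic.
# IIS writes "-" for an empty field and replaces spaces in the User-Agent with "+".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.8.21 Mozilla/5.0 - 200
2025-07-19 03:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.77 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:14:11 10.0.0.5 GET /_layouts/15/settings.aspx - 203.0.113.77 Mozilla/5.0 - 200
2025-07-19 03:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.8.21 Mozilla/5.0 https://intranet.example.local/sites/hr/_layouts/15/settings.aspx 200
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # a new directive can appear mid-file
            continue
        if line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue                    # skip rows we cannot align to columns
        yield dict(zip(fields, values))


def is_external(client_ip: str) -> bool:
    """True when the client address is outside TRUSTED_NETWORKS (or unparseable)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True
    return not any(addr in net for net in TRUSTED_NETWORKS)


def matches_toolshell(rec: Dict[str, str]) -> bool:
    """POST to ToolPane.aspx whose Referer is the SignOut page."""
    return (
        rec.get("cs-method", "").upper() == "POST"
        and rec.get("cs-uri-stem", "").lower().endswith(TOOLPANE_PATH)
        and rec.get("cs(Referer)", "").lower().endswith(SIGNOUT_REFERER)
    )


def triage(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious request, with the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for rec in parse_w3c(lines):
        reasons = []
        if matches_toolshell(rec):
            reasons.append("toolshell-request-pattern")
        if is_external(rec.get("c-ip", "")):
            reasons.append("external-source-ip")
        if reasons:
            findings.append({
                "time": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                "client": rec.get("c-ip", "?"),
                "request": f"{rec.get('cs-method', '?')} {rec.get('cs-uri-stem', '?')}",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # For real logs, feed open(r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex250719.log") instead.
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f["time"], f["client"], f["request"], ", ".join(f["reasons"]))
```

Against the sample, the internal editor's legitimate POST to ToolPane.aspx (normal Referer, trusted address) is not flagged, while the external client's request is flagged for both the indicator pattern and its source address; any hit on "external-source-ip" alone already tells you the first recommendation above is not being met. Run it across every front-end server's log directory, not just the one you happened to look at.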

If you’re unsure whether your configuration meets these recommendations, contact us for support or, if you’re a DirectDefense customer, reach out to your SOC analyst lead for assistance.
