IT Start

CVE‑2025‑53770: the new SharePoint zero‑day every on‑premises business must patch now!

SharePoint Vulnerability for on-premise SharePoint Servers

At a glance

CVE‑2025‑53770 is a critical remote‑code‑execution flaw in on‑premises SharePoint Server.
Security teams began seeing live attacks as early as 7 July 2025, nearly two weeks before Microsoft issued public guidance.
Government alerts in Australia, the United States, and Europe now label the vulnerability as a top‑priority patch*.

What happened

Microsoft released an out-of-band advisory after researchers found criminals chaining two SharePoint bugs to create a zero‑day exploit.
The attack lets a remote user send a specially crafted request that SharePoint processes without proper checks, opening the door for code execution.
Early investigations link some activity to state‑aligned groups who are stealing cryptographic keys to keep access even after patches are applied*.

Why this zero‑day is important

  • Active exploitation – attackers are scanning and breaching servers right now*.
  • No credentials required – the flaw works before login, so firewalls alone do not stop it.
  • Critical severity – it carries a 9.8 score on the industry risk scale, the highest danger band*.
  • Full server control – successful exploits allow data theft, ransomware deployment, or creation of hidden admin accounts.
  • Supply‑chain ripple – compromised SharePoint servers often hold documents with passwords, network diagrams, or customer datasets that give attackers leverage elsewhere.

Who is at risk and who is safe

The danger applies only to installations where your organisation (or a hosting partner) manages the SharePoint servers.
SharePoint Online, included with Microsoft 365, runs different code that Microsoft patched behind the scenes, so it is not affected by CVE‑2025‑53770.

Older unsupported versions, such as SharePoint 2013, carry even greater risk because no official patches exist, meaning isolation or retirement is the only safe route.

How the exploit works in plain English

SharePoint turns incoming user data into objects that the server can use, in a process called deserialization.
The vulnerability tricks the server into accepting a malicious object.
Picture a courier handing reception a sealed package labelled “internal mail”.
Staff trust the label and place it directly in the CEO’s office.
Opening the box activates a harmful device hidden inside.
The SharePoint flaw follows the same logic but happens at digital speed.

Many attackers drop a tiny file known in the community as ToolShell that acts like a secret command window.
The web shell blends into normal files, giving persistent access even after a server reboot*.

Business impact if you delay

Data loss and downtime. Proposals, client files, and internal forms may vanish or get encrypted. Recovery from backup could take days.

Financial cost. Incident response bills, customer rebates, and overtime pay balloon quickly. One publicly reported breach last year, involving a less severe flaw, cost a regional firm more than ninety thousand dollars in recovery fees.

Reputation damage. Customers may question your ability to keep sensitive information safe and move their contracts elsewhere.

Privacy reforms raise the maximum company fine and shrink the time allowed for breach reporting.
Under the draft guidelines, failure to patch a widely known flaw like CVE‑2025‑53770 could be deemed negligent.
Directors and officers are increasingly expected to show due diligence on cyber risks, so staying current on patches protects both company and personal liability.

Immediate actions to take

  • Install Microsoft’s July security update for SharePoint Server or apply the interim mitigation script*.
  • Block direct internet traffic to the server until you finish patching and log review.
  • Search IIS logs for unfamiliar POST requests, sudden spikes in outbound traffic, or new files inside the Layouts directory.
  • Reset local administrator passwords and replace any certificates stored on the server.
  • Update antivirus definitions; most vendors now detect common SharePoint web shells*.
  • Consider an external security scan or penetration test to confirm clean‑up success.
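A small triage script for the log‑review and Layouts‑directory checks in the list above. It is an added example, not code from Microsoft or the advisories; the IIS log lines, the baseline of known POST endpoints and the file listing are all constructed placeholders that you would replace with your own server's data.

```python
"""Triage helpers for the log review step: parse IIS W3C log lines, flag POST
requests to URI stems this server never handled before, flag clients that hammer
the server with POSTs, and diff the LAYOUTS folder against a known-good listing."""
from collections import Counter

# Constructed IIS W3C excerpt; real logs live under %SystemDrive%\inetpub\logs\LogFiles.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-08 02:11:04 GET /_layouts/15/start.aspx - 10.0.0.5 200
2025-07-08 02:11:09 POST /_layouts/15/upload.aspx - 10.0.0.5 200
2025-07-08 02:12:30 POST /_layouts/15/example-unknown.aspx mode=edit 203.0.113.7 200
2025-07-08 02:12:31 POST /_layouts/15/example-unknown.aspx mode=edit 203.0.113.7 200
2025-07-08 02:12:32 POST /_layouts/15/example-unknown.aspx mode=edit 203.0.113.7 500
2025-07-08 02:12:40 GET /_layouts/15/example-dropped.aspx - 203.0.113.7 200
"""
# Assumed baseline: POST targets seen in this server's own logs before the attacks began.
KNOWN_POST_STEMS = {"/_layouts/15/upload.aspx"}
# Assumed baseline: file names under the hive's TEMPLATE\LAYOUTS folder on a clean server.
BASELINE_LAYOUTS = {"start.aspx", "upload.aspx"}

def parse_iis_log(text):
    """Return one dict per request, keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # header defines the column order
        elif line and not line.startswith("#"):  # skip other directive lines
            rows.append(dict(zip(fields, line.split())))
    return rows

def unfamiliar_posts(rows, known=KNOWN_POST_STEMS):
    """(client IP, URI stem) for every POST to a target absent from the baseline."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in rows
            if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() not in known]

def post_burst_clients(rows, threshold=3):
    """Clients that sent at least `threshold` POSTs in the excerpt."""
    counts = Counter(r["c-ip"] for r in rows if r["cs-method"] == "POST")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def unexpected_layouts_files(current, baseline=BASELINE_LAYOUTS):
    """File names present now but missing from the clean baseline listing."""
    return sorted(set(current) - set(baseline))

if __name__ == "__main__":
    rows = parse_iis_log(SAMPLE_LOG)
    print("unfamiliar POSTs:", unfamiliar_posts(rows))
    print("POST bursts:", post_burst_clients(rows))
    # In practice, pass os.listdir() of the LAYOUTS folder instead of this constructed list.
    print("new files:", unexpected_layouts_files(["start.aspx", "upload.aspx", "example-dropped.aspx"]))
```

Any hit is a lead for the forensic review, not proof of compromise on its own; confirm the file's origin and timestamps before deciding the server is clean.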

A brief word on cloud migration

Long term, many organisations are reducing risk by moving content to SharePoint Online.
The cloud platform receives automatic security fixes and advanced threat protection, removing the need for weekend patch marathons.
Migration does not need to happen overnight, but planning a roadmap now avoids a repeated scramble every time a new on-premises flaw appears.

Frequently asked questions

Is a VPN enough protection? A VPN hides the server from casual scanning but does nothing if an attacker compromises a laptop inside the VPN. Patching remains mandatory.

Can I just move critical libraries to the cloud and keep custom workflows on‑prem? Yes. A hybrid setup lets you run niche workflows locally while most staff access cloud libraries with modern features.

Does SharePoint Online meet ISO 27001 and Essential Eight controls? SharePoint Online aligns with major frameworks, and Microsoft publishes detailed compliance documents. Extra steps such as multifactor authentication and conditional access policies close any remaining gaps.

How IT Start can help

Rapid exposure audit. We scan patch levels, open ports, and log anomalies, then deliver clear next steps.

Incident response support. If evidence of compromise appears, we isolate the server, collect forensics, rotate secrets, and rebuild from a clean backup.

Managed patching and monitoring. Our managed IT support service in Brisbane includes timely Microsoft security patching, continuous vulnerability scanning, and proactive alerting, so you never face surprise zero‑day panic again.

Cloud roadmap advisory. When you are ready, we can outline the cost, timeline, and training for a gradual move to SharePoint Online.

Key take‑aways

  • CVE‑2025‑53770 is a live zero‑day affecting on-premises SharePoint and is already under active attack.
  • Patch immediately, review logs, and rotate credentials to cut off intruders.
  • Planning a future move to SharePoint Online reduces patch pressure and adds built‑in security.
  • IT Start can handle urgent exposure checks or act as your ongoing security partner.

Need help today? Get in touch with IT Start for fast advice and practical action.


Sources

  1. Australian Cyber Security Centre. “High‑Priority Alert: Exploitation of CVE‑2025‑53770 in the wild.” 21 Jul 2025.
    cyber.gov.au
  2. Microsoft Security Response Center. “Out‑of‑Band Security Update for CVE‑2025‑53770.” 19 Jul 2025.
    msrc.microsoft.com
  3. National Vulnerability Database. “CVE‑2025‑53770 Detail.” CVSS 3.1 Base Score 9.8.
    nvd.nist.gov
  4. CrowdStrike Intelligence. “ToolShell: New SharePoint web‑shell used in CVE‑2025‑53770 exploits.” 22 Jul 2025.
    crowdstrike.com
  5. Microsoft Security Blog. “Detecting ToolShell and related SharePoint exploits in Microsoft Defender.” 22 Jul 2025.
    microsoft.com
