July 24, 2025 Blogs 5 min read

Threat Alert: Actively Exploited SharePoint flaws put global organisations at risk of remote attack

By KYND


Critical SharePoint vulnerabilities exploited in the wild

On July 19, 2025, Microsoft issued out-of-band security updates to address two zero-day vulnerabilities in Microsoft SharePoint Server: CVE-2025-53770 and CVE-2025-53771. Both are under active exploitation in the wild and demand immediate attention from organisations running on-premises SharePoint (cloud versions are not affected; only on-premises deployments are). Proof-of-concept code has been privately circulated and is likely to surface publicly in the coming days.

CVE-2025-53770: critical remote code execution

The first of the two vulnerabilities, CVE-2025-53770, is a critical-severity vulnerability actively being exploited by threat actors worldwide. The issue allows attackers to execute code remotely without authentication, simply by sending crafted data to a vulnerable SharePoint instance.

Microsoft has confirmed active exploitation and security patches are now available for all vulnerable versions. Organisations running on-prem SharePoint — including public sector bodies, enterprises, and educational institutions — are strongly advised to immediately address this security vulnerability, as active exploitation campaigns are ongoing across multiple sectors.

CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) Catalog, warning that affected systems should be mitigated or disconnected from the internet until updates are applied. Microsoft has also published interim guidance for organisations unable to update their systems immediately.

What’s the issue?

This vulnerability stems from the deserialisation of untrusted data within SharePoint’s server-side components. Attackers can exploit it to run arbitrary code with high privileges, without needing credentials or user interaction. The result: full control of the affected SharePoint instance — and potentially the broader network.
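The weakness class behind this flaw (CWE-502) is easiest to see in a small stand-in. The following is an added example written for this post, not SharePoint's own .NET code and not an exploit for it: it uses Python's pickle to show that an unrestricted deserialiser executes whatever callable the sender of the bytes chose, and shows the hardened pattern of an allow-listed loader that refuses anything it does not expect. The `Document` and `Gadget` classes, the allow-list and the payloads are all constructed for the illustration; the callable in `Gadget` is deliberately harmless.

```python
"""Added example (Python stand-in, not SharePoint's .NET code): why CWE-502 is
dangerous, and what an allow-listed deserialiser looks like."""
import io
import os
import pickle


class Document:
    """A harmless record type the application legitimately expects to receive."""

    def __init__(self, title, owner):
        self.title = title
        self.owner = owner


class Gadget:
    """Constructed stand-in for untrusted input. __reduce__ tells pickle to
    call os.getcwd() when the bytes are loaded. The callable is harmless here;
    the point is that the *sender* of the bytes chooses what gets called."""

    def __reduce__(self):
        return (os.getcwd, ())


# Only this (module, class) pair may be resolved while loading untrusted bytes.
ALLOWED_GLOBALS = {(Document.__module__, "Document")}


def build_trusted_payload():
    """Bytes a legitimate client would send."""
    return pickle.dumps(Document("Q3 report", "alice"))


def build_untrusted_payload():
    """Bytes an untrusted party could send: a serialised call, not a record."""
    return pickle.dumps(Gadget())


def unsafe_load(data):
    """The vulnerable pattern: deserialise whatever arrives, with no restrictions."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: every global the stream asks for is checked first."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not on the allow-list")


def load_with_allowlist(data):
    """Returns ("ok", object) for permitted streams, ("refused", reason) otherwise."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "refused", str(exc)


if __name__ == "__main__":
    # The unrestricted loader returns the result of a call the sender chose.
    print("unrestricted load of untrusted bytes returned:",
          unsafe_load(build_untrusted_payload()))
    # The allow-listed loader refuses the same bytes and accepts the real record.
    print("allow-listed load of untrusted bytes:",
          load_with_allowlist(build_untrusted_payload()))
    print("allow-listed load of trusted bytes:",
          load_with_allowlist(build_trusted_payload())[0])
```

The design point carries over to any serialisation framework: the fix is not to "validate" the bytes after the fact but to stop the deserialiser from resolving types or callables outside a short, explicit list, or to replace the binary format with a data-only one such as JSON where nothing in the stream can name code.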

Why it matters

SharePoint is widely used for document sharing, collaboration, and internal portals — often connected to sensitive systems and data. The flaw affects multiple supported versions, including SharePoint 2016, 2019, and subscription editions, putting thousands of environments at risk.

This is a critical, network-exploitable, pre-authentication RCE, with a CVSS score of 9.8. That means attackers can take control of vulnerable SharePoint servers over the internet without needing a password, which makes it one of the most severe types of security flaw. Attackers need no prior access, only a reachable SharePoint service and a crafted request that triggers the flaw.

What should you do?

Until the official patches have been applied, KYND strongly recommends the following:

  • Enable AMSI integration and ensure Microsoft Defender AV is deployed on all SharePoint servers.

  • If AMSI cannot be enabled, disconnect any internet-facing SharePoint servers from service immediately.

  • Monitor logs for suspicious activity related to object deserialisation or unusual web requests.

  • Follow Microsoft’s mitigation steps and CISA’s official guidance.

CVE-2025-53771: Server spoofing vulnerability

Tracked as a medium-severity vulnerability with a CVSS score of 6.3, CVE-2025-53771 is a spoofing vulnerability. It arises from an improper limitation of a pathname to a restricted directory, also known as path traversal. Although it’s not as severe as a remote code execution (RCE) vulnerability, CVE-2025-53771 can be used as part of a broader attack chain, such as enabling access to sensitive files, impersonating legitimate services, or facilitating lateral movement within a compromised environment.

Path traversal vulnerabilities have been exploited in several real-world breaches, including high-profile cases where attackers gained access to configuration files, credentials, and internal APIs that should never have been exposed. When combined with other vulnerabilities – like RCE or privilege escalation – flaws like CVE-2025-53771 can become a stepping stone to a full-scale compromise. In environments handling sensitive data or critical infrastructure, even "medium" vulnerabilities can be the weak link that leads to significant damage if left unpatched.
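The log-monitoring recommendation above and the path-traversal weakness behind CVE-2025-53771 share one practical check: reviewing web server request logs for traversal sequences, including the URL-encoded and double-encoded forms that naive filters miss. The following is an added example written for this post, not KYND's tooling and not a detection signature for these CVEs: it parses IIS W3C extended log lines, URL-decodes the request path and query repeatedly, and flags dot-dot segments, backslash separators and double encoding. The log excerpt, client addresses, user names and paths are all constructed.

```python
"""Added example: flag path-traversal style requests in IIS W3C log lines.
Not KYND's tooling; the log lines, addresses and paths below are constructed."""
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt (a subset of the usual fields).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-07-20 09:12:01 10.0.0.5 GET /sites/finance/Shared%20Documents/report.docx - 443 DOMAIN\\alice 10.0.0.23 200
2025-07-20 09:12:07 10.0.0.5 GET /_layouts/15/..%2f..%2fweb.config - 443 - 203.0.113.9 404
2025-07-20 09:12:09 10.0.0.5 POST /_layouts/15/example.aspx file=..%252f..%252fweb.config 443 - 203.0.113.9 200
2025-07-20 09:12:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\bob 10.0.0.24 200
2025-07-20 09:12:13 10.0.0.5 GET /sites/hr/....//....//web.config - 443 - 198.51.100.7 404
"""

# A path segment made only of two or more dots ("..", "....", ...).
DOT_SEGMENT = re.compile(r"^\.{2,}$")


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly; return (decoded, number of passes that changed it)."""
    passes = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, passes = decoded, passes + 1
    return value, passes


def traversal_indicators(raw):
    """Return a list of reasons a URL path or query looks like path traversal."""
    reasons = []
    decoded, passes = fully_decode(raw)
    if passes > 1:
        reasons.append(f"double-encoded ({passes} decode passes)")
    if "\\" in decoded:
        reasons.append("backslash separator")
    normalised = decoded.replace("\\", "/")
    if any(DOT_SEGMENT.match(segment) for segment in normalised.split("/")):
        reasons.append("dot-dot segment")
    return reasons


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def scan_iis_log(text):
    """Return a finding for every record whose path or query carries traversal indicators."""
    findings = []
    for record in parse_w3c(text):
        reasons = []
        for field in ("cs-uri-stem", "cs-uri-query"):
            value = record.get(field, "-")
            if value != "-":
                reasons += [f"{field}: {r}" for r in traversal_indicators(value)]
        if reasons:
            findings.append({
                "client": record["c-ip"],
                "method": record["cs-method"],
                "user": record["cs-username"],
                "status": record["sc-status"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

Two points matter when running this against real logs: decode before matching, because a single-pass filter is exactly what double encoding is designed to slip past, and do not discard hits that returned 404, since a failed traversal attempt from an unauthenticated client is still reconnaissance worth correlating with the source address.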

How KYND is helping customers

KYND is able to proactively scan for signs of critical vulnerabilities across our clients’ externally facing services and infrastructure. Where signs of compromise or exposure are identified, we’re working directly with affected organisations to isolate the threat and recommend action.

If you would like KYND to help assess your risk or investigate your environment, get in touch.

Technical details:

  • CVE: CVE-2025-53770

  • Severity: 9.8 CRITICAL

  • Impact: Remote Code Execution (pre-auth, over network)

Affected versions:

  • SharePoint Server Subscription Edition (prior to 16.0.18526.20508)

  • SharePoint Server 2016

  • SharePoint Server 2019

Exploit status: Confirmed exploited in the wild

Weakness type: CWE-502 – Deserialisation of Untrusted Data

At KYND, we have notified all current KYND ON subscribers of direct exposure within their infrastructure, and all portfolio monitoring customers of any exposure within their insured portfolios or supply chains. KYND will continue to monitor developments and update you as new details emerge.
