Microsoft released emergency security updates to address two serious vulnerabilities in its on-premises SharePoint Server platform, one of which is already under active exploitation. These vulnerabilities conceal attacker activities and bypass existing security controls. This can lead to full control of the system, data theft, or further compromise of connected systems.
Organizations using affected SharePoint versions are strongly advised to apply the relevant patches as soon as possible.
Microsoft confirmed that attackers are actively using these flaws to breach systems. Reports indicate that more than 75 organizations across government, education, energy, and telecom sectors have already been affected. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a public alert in response to ongoing exploitation.
Vulnerability Details
Microsoft identified two vulnerabilities impacting SharePoint Server:
- CVE-2025-53770 (CVSS Score: 9.8/10) is a critical flaw that allows attackers to run unauthorized code on a vulnerable server.
- CVE-2025-53771 (CVSS Score: 6.3/10) is a related vulnerability that helps attackers conceal their activity and bypass security controls.
The following versions of SharePoint Server are impacted by these vulnerabilities:
- SharePoint Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
These vulnerabilities do not affect SharePoint Online (Microsoft 365).
Security updates are now available for SharePoint Server 2019 and SharePoint Server Subscription Edition. Patches for SharePoint Server 2016 are still pending and will be released shortly. Organizations with internet-facing SharePoint servers that have not been patched are at especially high risk.
Our Guidance
To protect your environment and limit potential impact, ACA recommends the following steps:
- Apply Microsoft’s July 2025 security updates as soon as possible:
- For SharePoint Server 2019, apply KB5002754.
- For SharePoint Server Subscription Edition, apply KB5002768.
- For SharePoint Server 2016, monitor Microsoft’s Security Portal for the patch release.
- After patching, Microsoft recommends:
- Rotating ASP.NET machine keys (used to protect authentication and session data).
- Turning on AMSI (Antimalware Scan Interface) to help detect malicious code within SharePoint.
- Using endpoint protection tools (like Microsoft Defender for Endpoint) to monitor suspicious activity.
- Reviewing and updating the organization’s patch management policies to ensure timely application of future patches.
- If patching cannot be done right away, temporarily disconnect vulnerable SharePoint servers from the internet to prevent external attacks. Also, ask your IT or security teams to review logs for unusual access behavior which may indicate an attack has occurred.
How We Help
ACA Aponix® helps firms strengthen their cybersecurity programs to mitigate risks from vulnerabilities. Our services include:
- Aponix ProtectTM is a comprehensive solution that helps you implement a robust patch management process, ensuring vulnerabilities like these are identified and remediated before they can be exploited.
- ACA Vantage for Cyber provides targeted cyber health insights for portfolio companies, focusing on areas like patch management and vulnerability remediation. Combining expert advisory, ACA’s ComplianceAlpha® technology, and RealRisk assessments, it helps pinpoint where additional support is needed to strengthen defences and maintain operational resilience.
- Our Technology Risk Assessment (TRA) helps identify and address technology-related risks across domains like cybersecurity, infrastructure, data, and vendor management.
Reach out to your ACA consultant, or contact us to find out how ACA can help secure your firm against cyber threats and comply with regulatory expectations.
Â