SharePoint Servers Hit by Zero-Day Exploit, Microsoft Warns
By Diego Valverde | Journalist & Industry Analyst
Mon, 07/21/2025 - 12:15
Microsoft issued an urgent security alert for users of on-premises versions of Microsoft SharePoint Server. The warning focuses on a zero-day vulnerability, identified as CVE-2025-53771, that is under active exploitation. This vulnerability allows attackers to execute remote code on affected servers without authentication, prompting the company to urge organizations to apply immediate mitigations while final security patches are developed.
The vulnerability is rooted in a critical flaw related to the deserialization of untrusted data. This defect allows a malicious actor to send a specially crafted request to the SharePoint server, which, when processed, can result in arbitrary code execution with the privileges of the server’s own service account.
According to reports from Eye Security, the cybersecurity company that first detected the attacks, "this type of vulnerability is a ransomware operator’s dream, as it provides unauthenticated persistent access, which poses a significant risk for the affected organizations." This statement highlights the severity of direct, unfettered access to a core enterprise system. The initial attacks were observed in two main waves on July 18 and 19.
The incident is critical due to SharePoint's widespread adoption in corporate and government environments. Tens of thousands of organizations worldwide are estimated to use an on-premises version of SharePoint for essential business functions, reports TechCrunch. These functions include internal collaboration portals, project management tracking, and management of the entire document lifecycle for sensitive corporate data, which together expose a considerable and high-value attack surface.
Because SharePoint frequently integrates with other critical Microsoft ecosystem services, for example Outlook, OneDrive, and Teams, an initial breach can serve as a starting point for lateral movement within a corporate network. This can escalate the incident from a targeted data theft to a large-scale ransomware attack that could halt business operations.
Underscoring the severity, the US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This action mandates that US federal civilian executive branch agencies patch the vulnerability by a specific deadline, serving as a strong directive for private sector organizations to prioritize remediation.
Mitigation and Technical Details
In response to the active exploitation, Microsoft has published detailed guidance with mitigation and detection measures. The primary recommendation is to enable the Antimalware Scan Interface (AMSI) in the SharePoint configuration. This feature is designed to allow applications and services to integrate with any antimalware product present on the machine, providing a layer of defense that can inspect script content before execution.
AMSI, combined with an endpoint solution such as Microsoft Defender for Endpoint, can detect and block the malicious activity associated with this exploit. For organizations unable to implement the mitigations immediately, Microsoft suggests disconnecting internet-exposed SharePoint servers until security patches are available and can be applied.
Technical analyses of the attack indicate that malicious actors are using PowerShell scripts to deliver payloads, specifically malicious ASPX files, to the compromised server. The primary objective is to steal the server's MachineKey configuration, which contains the unique validation and decryption keys for the SharePoint farm.
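One concrete check that follows from this paragraph is a sweep of the SharePoint web directories for ASPX files that nobody deployed. The script below is an added example written for this article, not code from Microsoft, Eye Security or any other party named here. It flags any .aspx file that either carries the dropper filename reported later in the article (spinstall0.aspx) or was written after a baseline timestamp you supply (for instance, the time of your last legitimate deployment). The directory it walks is whatever you pass in; the sample tree it builds for demonstration is constructed in a temporary directory and is not a real SharePoint layout.

```python
import os
import tempfile
import time
from pathlib import Path

# Filename the article reports as dropped during exploitation.
KNOWN_DROPPER_NAMES = frozenset({"spinstall0.aspx"})


def find_suspicious_aspx(root, baseline_epoch, known_names=KNOWN_DROPPER_NAMES):
    """Walk `root` and return (path, reason) pairs for every .aspx file that is
    either a known dropper name or was modified after `baseline_epoch`
    (seconds since the epoch, e.g. the time of the last sanctioned deployment)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            if name.lower() in known_names:
                hits.append((path, "known dropper filename"))
                continue
            if os.path.getmtime(path) > baseline_epoch:
                hits.append((path, "aspx written after baseline"))
    return hits


def build_sample_tree():
    """Constructed sample tree for offline testing; not a real server layout.
    Returns (root, baseline_epoch)."""
    root = tempfile.mkdtemp(prefix="layouts_")
    old = time.time() - 30 * 86400            # sanctioned deployment, 30 days ago
    legit = Path(root, "default.aspx")
    legit.write_text("<%@ Page %>")
    os.utime(legit, (old, old))               # legitimate page predates baseline
    Path(root, "spinstall0.aspx").write_text("<%@ Page %>")     # dropper name
    Path(root, "sub").mkdir()
    Path(root, "sub", "new.aspx").write_text("<%@ Page %>")     # unexplained new page
    Path(root, "notes.txt").write_text("x")                     # not .aspx, ignored
    return root, old + 1


if __name__ == "__main__":
    root, baseline = build_sample_tree()
    for path, why in find_suspicious_aspx(root, baseline):
        print(f"{why}: {path}")
```

Run it against the real layouts and web application roots on each farm member, with the baseline set from your change records; a hit on the known name is a confirmed indicator, and any other post-baseline .aspx should be reconciled against deployment history before it is dismissed.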
With these keys, attackers can generate their own valid SharePoint authentication tokens. This allows them to maintain persistent, unauthenticated access to the system to execute commands at will, impersonate any SharePoint user, and potentially decrypt sensitive data and authentication cookies. Observers note that attackers upload a file named 'spinstall0.aspx' as part of the exploitation chain to establish this foothold.
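The reason stolen MachineKey material is so dangerous is that a code patch does nothing to the keys themselves: anything signed with the exfiltrated validation key keeps verifying until the key is replaced. The toy below, added here as an illustration rather than any part of SharePoint or ASP.NET, models that with a plain HMAC-SHA256 signed token. `MachineKeyStore` is a stand-in for the farm's validation key and is an assumption of this example; the point it demonstrates is that only rotation invalidates tokens minted with a key copied from the server.

```python
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


class MachineKeyStore:
    """Stand-in for a farm's MachineKey validation key (hypothetical)."""

    def __init__(self):
        self.validation_key = secrets.token_bytes(64)

    def rotate(self):
        """Replace the key; every token signed with the old one stops verifying."""
        self.validation_key = secrets.token_bytes(64)


def sign_token(validation_key, payload):
    """Append an HMAC over `payload` so the server can check it was not altered."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload + mac


def verify_token(validation_key, token):
    """Constant-time check of the trailing MAC against the current key."""
    if len(token) < MAC_LEN:
        return False
    payload, mac = token[:-MAC_LEN], token[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def accepted_after_patch_only(store):
    """Key was copied, server code was patched, key left unchanged."""
    copied_key = store.validation_key
    minted_elsewhere = sign_token(copied_key, b"constructed-sample-token")
    return verify_token(store.validation_key, minted_elsewhere)   # True


def accepted_after_rotation(store):
    """Same scenario, but the key is rotated as part of remediation."""
    copied_key = store.validation_key
    minted_elsewhere = sign_token(copied_key, b"constructed-sample-token")
    store.rotate()
    return verify_token(store.validation_key, minted_elsewhere)   # False


if __name__ == "__main__":
    print("patch only :", accepted_after_patch_only(MachineKeyStore()))
    print("key rotated:", accepted_after_rotation(MachineKeyStore()))
```

The practical consequence for responders is that remediation of a compromised farm is not finished when the update is installed; the validation and decryption keys must be regenerated on every server in the farm, and any sessions issued before that point should be treated as suspect.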
While Microsoft has not publicly attributed the attack to a specific group, the cybersecurity community is actively monitoring the situation. Confirmed victims include major industrial firms, banks, auditors, healthcare companies, and several US state-level and international government entities, reports Reuters.
This incident occurs as Microsoft is under intense scrutiny for its security posture, following a series of high-profile breaches. These include an attack attributed to China in 2021 that compromised US government email accounts. The company has been taking steps to strengthen its security, but this new SharePoint attack highlights the persistent challenges in protecting complex and widely deployed software infrastructures.