
Critical vulnerabilities were exploited in some on-premises Microsoft SharePoint installations over the weekend.
Ronen Ahdut, head of CyOps MDR at Cynet Security, explained that there were two vulnerabilities involved: CVE-2025-53770 and CVE-2025-53771.
CVE-2025-53770 relates to deserialization of untrusted data, and can be remotely exploited without authentication. CVE-2025-53771 relates to improper input validation, and enables a threat actor to place a web shell in a web-accessible folder in the SharePoint server.
The former has a CVSS score of 9.8 (critical), while the latter has a CVSS score of 7.1 (medium), but Microsoft has confirmed that both were actively exploited and both are high-priority issues for companies to address, Ahdut said. Microsoft SharePoint Online was not impacted by the vulnerabilities.
Microsoft’s security research team revealed that the vulnerabilities were exploited by two Chinese nation-state actors and one China-based threat actor. According to Reuters, around 400 customers were victims of the exploits.
Microsoft has released security updates that fully protect against both vulnerabilities, so anyone running SharePoint on-premises should apply the patch as soon as possible.
Other guidance from Microsoft and CISA includes enabling AMSI integration with Microsoft Defender across all SharePoint servers, taking servers offline if AMSI can’t be enabled, rotating SharePoint Server ASP.NET machine keys, and monitoring Microsoft’s Update Guide for ongoing patches.
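The machine-key rotation step above, as an added example for defenders that is not from the article or from Microsoft's guidance verbatim: it runs in the SharePoint Management Shell on a patched farm and assumes the Update-SPMachineKey cmdlet and its -WebApplication parameter are available in the installed SharePoint version (an assumption; older builds may lack the cmdlet and require the Central Administration rotation job instead).

```powershell
# Added example, not code from the article. Assumes: SharePoint Management
# Shell snap-in is loadable and Update-SPMachineKey exists for this build.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Rotate the ASP.NET machine key (validation/decryption keys) for every web
# application in the farm, including Central Administration, and record the
# outcome per application so a failed rotation is not silently skipped.
$report = foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $wa -ErrorAction Stop
        [pscustomobject]@{ WebApplication = $wa.Url; Status = 'Rotated' }
    } catch {
        [pscustomobject]@{ WebApplication = $wa.Url
                           Status         = "Failed: $($_.Exception.Message)" }
    }
}

$report | Format-Table -AutoSize

# Stop if any web application still holds the old key; an unrotated key
# leaves that application's ViewState trust boundary unchanged.
if ($report | Where-Object Status -ne 'Rotated') {
    throw 'One or more web applications were not rotated; do not treat the farm as remediated.'
}

# New keys are picked up only after the IIS worker processes restart.
# Run this on every SharePoint server in the farm.
iisreset
```

Rotation must follow patching (or AMSI enablement), not precede it, and the run log above is worth retaining as remediation evidence for each server.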
According to Rik Ferguson, VP of security intelligence at Forescout, this vulnerability is an example of what can happen when legacy trust models are still used. He says that an authenticated user should never be treated as a guaranteed safe entity.
“For CISOs, this highlights a critical point,” he said. “If your security posture still relies on perimeter trust or the assumption that credentialed access equals safety, then it is time to reassess. Zero Trust is not a buzzword. It is a necessity. Security must begin from the premise that every user and every device is untrusted until verified continuously. You need segmentation that limits lateral movement and monitoring that can flag even subtle deviations from expected behaviour. Because attackers are not just getting in. They are already inside. The question is how far they can go once they are there.”