THREAT ALERT
Monday, July 21st, 2025
Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update. Please see the guidance below from Microsoft regarding SharePoint vulnerability CVE-2025-53770.
The information below was taken directly from Microsoft: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
Customer guidance for SharePoint vulnerability CVE-2025-53770:
Revision history
Revision 1.0 (7/19/25):
• Information published
• Clarified affected SharePoint product in summary
• Added fix availability guidance
• Provided additional protections guidance regarding
Revision 2.0 (7/20/25):
• Updated Microsoft Defender detections and protections section: documented additional MDE alerts; mapping exposure via Microsoft Defender Vulnerability Management
• Documented CVE-2025-53771
Revision 3.0:
• Published SharePoint 2019 security update, included links to CVEs and published security updates
Summary
Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.
These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.
Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770 and CVE-2025-53771. Customers should apply these updates immediately to ensure they’re protected.
Product and security update link:
• Microsoft SharePoint Server Subscription Edition: Download Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768) from Official Microsoft Download Center
• Microsoft SharePoint Server 2019: Download Security Update for Microsoft SharePoint Server Subscription Edition (KB5002754) from Official Microsoft Download Center
• Microsoft SharePoint Server 2016: Not available yet
We are working on security updates for supported versions of SharePoint 2019 and SharePoint 2016.
Please check this blog for updates.
To mitigate potential attacks customers should:
1. Use supported versions of on-premises SharePoint Server
2. Apply the latest security updates, including the July 2025 Security Update
3. Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution such as Defender Antivirus
4. Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
5. Rotate SharePoint Server ASP.NET machine keys
Detailed guidance for each step as well as detection, protection, and hunting, is provided below.
How to protect your environment
Customers using SharePoint Subscription Edition should apply the security update provided in CVE-2025-53771 immediately to mitigate the vulnerability.
Customers using SharePoint 2016 or 2019 should follow the guidance below.
1. Use or upgrade to supported versions of on-premises Microsoft SharePoint Server
Supported versions: SharePoint Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition
2. Apply the latest security updates
Latest update: July 2025 Security Update
• Microsoft SharePoint Server 2019: KB article 5002741; security update fixed build number 16.0.10417.20027
• Microsoft SharePoint Enterprise Server 2016: KB article 5002744; security update fixed build number 16.0.5508.1000
3. Ensure the Antimalware Scan Interface is turned on and configured correctly
Configure Antimalware Scan Interface (AMSI) integration in SharePoint, enable Full Mode for optimal protection, and deploy Defender Antivirus on all SharePoint servers; this will stop unauthenticated attackers from exploiting this vulnerability.
Note: AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until a security update is available.
4. Deploy Microsoft Defender for Endpoint, or equivalent solutions
We also recommend you deploy Defender for Endpoint to detect and block post-exploit activity.
5. Rotate SharePoint Server ASP.NET machine keys
After applying the latest security updates above or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers.
Trigger the Machine Key Rotation timer job by performing the following steps:
1. Navigate to the Central Administration site.
2. Go to Monitoring -> Review job definition.
3. Search for Machine Key Rotation Job and select Run Now.
After the rotation has completed, restart IIS on all SharePoint servers using iisreset.exe. If you cannot enable AMSI, you will need to rotate your keys after you install the new security update.
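The following PowerShell script is an added example of carrying out steps 2 and 5 above from the command line; it is not Microsoft's or DefenseStorm's code. It assumes it is run in an elevated SharePoint Management Shell by a farm administrator, that WinRM is enabled for the remote iisreset, that the product line can be inferred from the build number's third component (an assumption based on the fixed build numbers in the table above), and that the rotation timer job can be matched by the display name "Machine Key Rotation" given in the Central Administration steps.

```powershell
# Added example for steps 2 and 5 above; not Microsoft's or DefenseStorm's code.
# Assumptions: elevated SharePoint Management Shell, farm administrator rights,
# WinRM enabled for the remote iisreset, product line inferred from the build
# number's third component, rotation job matched by display name.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Fixed build numbers from the July 2025 update table above.
$fixedBuilds = @{
    'SharePoint Enterprise Server 2016' = [version]'16.0.5508.1000'
    'SharePoint Server 2019'            = [version]'16.0.10417.20027'
}

function Get-SPProductLine([version]$Build) {
    # Assumption: 16.0.5xxx builds are 2016, 16.0.10xxx builds are 2019,
    # higher builds are Subscription Edition (not listed in the table above).
    if ($Build.Build -lt 10000)     { return 'SharePoint Enterprise Server 2016' }
    elseif ($Build.Build -lt 14000) { return 'SharePoint Server 2019' }
    else                            { return 'SharePoint Server Subscription Edition' }
}

# Step 2 check: is the farm at or above the fixed build for its product line?
$farm    = Get-SPFarm
$build   = $farm.BuildVersion
$product = Get-SPProductLine $build
Write-Host "Farm product: $product, build $build"
if ($fixedBuilds.ContainsKey($product)) {
    if ($build -lt $fixedBuilds[$product]) {
        Write-Warning "Build $build is below the fixed build $($fixedBuilds[$product]); install the July 2025 update before rotating keys."
    } else {
        Write-Host "July 2025 update (or later) is present."
    }
}

# Step 5: run the same Machine Key Rotation job that the Central Administration
# steps trigger, and wait for each matching job to record a new run.
$jobs = @(Get-SPTimerJob | Where-Object { $_.DisplayName -like '*Machine Key Rotation*' })
if ($jobs.Count -eq 0) {
    throw 'No Machine Key Rotation job found; confirm the farm has the update that provides it.'
}
foreach ($job in $jobs) {
    $lastRun = $job.LastRunTime
    Start-SPTimerJob -Identity $job
    do {
        Start-Sleep -Seconds 10
        $job = Get-SPTimerJob -Identity $job.Id
    } while ($job.LastRunTime -eq $lastRun)
    Write-Host "Completed: $($job.DisplayName) at $($job.LastRunTime)"
}

# Restart IIS on every SharePoint server in the farm, as the guidance requires
# (servers with role 'Invalid', such as SQL-only hosts, are skipped).
foreach ($server in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe }
}
```

Run the build check first on its own if you are unsure whether the update is installed; as the guidance notes, keys rotated before the update is applied must be rotated again afterwards.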
We will continue to provide updates and additional guidance for our customers as they become available.
Microsoft Defender Detections and Protections
Microsoft Defender Antivirus provides detection and protection against components and behaviors related to this threat under the following detection names:
• Exploit:Script/SuspSignoutReq.A
• Trojan:Win32/HijackSharePointServer.A
Microsoft Defender for Endpoint provides customers with alerts that may indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity. The following alert titles in the Microsoft Defender Security Center portal can indicate threat activity on your network:
• Possible web shell installation
• Possible exploitation of SharePoint server vulnerabilities
• Suspicious IIS worker process behavior
• IIS worker process loaded suspicious .NET assembly
• ‘SuspSignoutReq’ malware was blocked on a SharePoint server
• ‘HijackSharePointServer’ malware was blocked on a SharePoint server
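To check whether the Defender Antivirus detections named above have fired on a given SharePoint server, the following script is an added example (not Microsoft's or DefenseStorm's code). It uses the Defender PowerShell module's Get-MpThreat and Get-MpThreatDetection cmdlets on the local host; joining the two on ThreatID and the chosen output fields are this example's assumptions about those cmdlets' properties.

```powershell
# Added example; not Microsoft's or DefenseStorm's code. Assumes Microsoft
# Defender Antivirus is installed on this SharePoint server and the script runs
# elevated. The detection names are the two listed in the guidance above.

$detectionNames = @(
    'Exploit:Script/SuspSignoutReq.A',
    'Trojan:Win32/HijackSharePointServer.A'
)

# Get-MpThreat lists the threats Defender has recorded on this host by name;
# Get-MpThreatDetection holds the per-event details (time, process, files)
# keyed by ThreatID, so the two are joined on that id (assumption).
$threats = @(Get-MpThreat | Where-Object { $detectionNames -contains $_.ThreatName })
if ($threats.Count -eq 0) {
    Write-Host "No detections named in the guidance are recorded on $env:COMPUTERNAME"
    return
}

$nameById = @{}
foreach ($t in $threats) { $nameById[[string]$t.ThreatID] = $t.ThreatName }

Get-MpThreatDetection |
    Where-Object { $nameById.ContainsKey([string]$_.ThreatID) } |
    Sort-Object InitialDetectionTime |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.InitialDetectionTime
            ThreatName = $nameById[[string]$_.ThreatID]
            Process    = $_.ProcessName
            User       = $_.DomainUser
            Resources  = ($_.Resources -join '; ')
            Remediated = $_.ActionSuccess
        }
    } | Format-Table -AutoSize
```

Any hit means the attack reached the server even if Defender blocked it, so treat it as an incident: review the Defender for Endpoint alerts listed above in the portal and rotate the ASP.NET machine keys as described in step 5.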
DefenseStorm Response
• DefenseStorm recommends that everyone who uses Microsoft SharePoint Server review Microsoft’s advisory and evaluate whether their environment is vulnerable. If so, apply the recommended mitigations immediately.
• DefenseStorm always recommends applying any changes in accordance with your existing internal policies and change controls.
• Please bookmark the Microsoft guidance page linked above to stay up to date on additional updates from Microsoft.
*For DefenseStorm clients, please refer to the Connect forum for further guidance