Microsoft SharePoint Zero-Day Exploited: Urgent Patch Issued for Critical Flaws

[Image: an IT professional reviewing security alerts on multiple screens in a darkened office]

A New Threat Targets SharePoint Users

Microsoft has issued an urgent security advisory addressing two critical vulnerabilities in SharePoint Server, identified as CVE-2025-53770 and CVE-2025-53771, which have been actively exploited since July 7, 2025. These zero-day flaws allow attackers to bypass authentication and execute remote code, posing a severe risk to organizations relying on SharePoint for collaboration and data management. The vulnerabilities, discovered by security researcher Nguyen Jang, affect all supported versions of SharePoint Server, including Subscription Edition and 2019. Microsoft’s swift response includes patches to mitigate the threat, but unpatched systems remain highly vulnerable to sophisticated cyberattacks.

How the Vulnerabilities Work

The primary flaw, CVE-2025-53770, is a critical authentication bypass vulnerability with a CVSS score of 9.3, enabling attackers to gain unauthorized access to SharePoint servers. Once inside, attackers can exploit CVE-2025-53771, a remote code execution (RCE) vulnerability, to run malicious code and potentially compromise entire networks. These flaws are particularly dangerous because they allow attackers to forge cryptographic keys, maintaining persistent access even after initial patches are applied. The exploitation campaign, linked to Chinese state-sponsored groups like APT41, has already targeted over 85 servers across 29 organizations, including government and telecom sectors.

Exploitation in the Wild

Since early July, threat actors have weaponized these vulnerabilities to deploy ransomware, such as the Warlock variant, and steal sensitive data. The attacks leverage legitimate tools like PsExec and Mimikatz to maintain persistence, making detection challenging. Microsoft’s advisory confirms that patching alone may not fully remediate compromised systems, as attackers can embed themselves deeply within affected environments. Organizations are urged to apply the latest security updates and conduct thorough forensic investigations to identify and remove any lingering threats.

Microsoft’s Response and Recommendations

Microsoft has released patches for SharePoint Server 2016, 2019, and Subscription Edition, addressing both vulnerabilities. The company advises immediate application of these updates, alongside enabling detailed logging to detect exploitation attempts. Additional recommendations include restricting access to SharePoint servers, monitoring for unusual activity, and implementing multi-factor authentication (MFA) to bolster security. Microsoft also credits Nguyen Jang and the Zero Day Initiative for their role in identifying the flaws, emphasizing the importance of collaborative efforts in cybersecurity.

Protecting Your Organization

This incident highlights the growing sophistication of state-sponsored cyberattacks and the critical need for proactive security measures. Organizations using SharePoint must prioritize patch management and invest in advanced threat detection to counter zero-day exploits. Regular audits of user access, network traffic, and system logs can help identify potential breaches early. As cyber threats evolve, staying ahead requires a combination of timely updates, robust defenses, and vigilance to protect sensitive data and infrastructure from exploitation.
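The recommendations above (enable detailed logging, watch for unusual activity, audit system logs) and the article's mention of PsExec as a persistence tool are the kind of thing a defender turns into a first-pass triage script. The following is an added example, not code from the article or from Microsoft. It scans constructed IIS W3C log lines from a SharePoint web front end and constructed Windows System-log records; the field order, the assumption that anonymous requests log a username of "-", and the sample values are all my own choices, and the PSEXESVC service name is PsExec's well-known default rather than anything taken from the article.

```python
"""
Added example for SharePoint log triage. Not the article's or Microsoft's code.
Assumptions (mine): the W3C field order in FIELDS, that SharePoint logs "-" as
cs-username for anonymous requests, and that pages under /_layouts/ normally
challenge anonymous clients with 401 rather than serving them a 200.
"""
from collections import Counter

# W3C extended log field order assumed for this example; IIS lets you configure it,
# so match FIELDS to the "#Fields:" directive at the top of your own logs.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log lines; not captured from any real server.
# (IIS writes spaces inside a User-Agent as '+', so each field is one token.)
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-08 09:12:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2025-07-08 09:12:07 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2025-07-08 09:13:40 10.0.0.5 POST /_layouts/15/settings.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2025-07-08 09:13:41 10.0.0.5 POST /_layouts/15/settings.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2025-07-08 09:13:42 10.0.0.5 GET /_layouts/15/settings.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2025-07-08 09:15:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 198.51.100.7 Mozilla/5.0 401
"""

# Constructed Windows System-log records as a SIEM export might present them.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "WinDefend",
     "ImagePath": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": ""},
]


def parse_w3c(text):
    """Yield one dict per log record, skipping '#' directive lines and
    malformed (e.g. partially written) lines instead of crashing on them."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def is_anonymous(rec):
    """IIS logs '-' when no authenticated user is associated with the request."""
    return rec["cs-username"] == "-"


def flag_unauthenticated_layouts(records):
    """Records where an anonymous client received a 2xx from a /_layouts/ page.
    An authentication bypass shows up as exactly this: success without a user.
    Sites that deliberately allow anonymous access will need this tuned."""
    hits = []
    for rec in records:
        status = int(rec["sc-status"])
        if (is_anonymous(rec)
                and rec["cs-uri-stem"].lower().startswith("/_layouts/")
                and 200 <= status < 300):
            hits.append(rec)
    return hits


def anonymous_post_sources(records):
    """Anonymous POSTs per client IP: one source repeatedly posting to the
    server without ever authenticating is worth a closer look."""
    return Counter(r["c-ip"] for r in records
                   if is_anonymous(r) and r["cs-method"] == "POST")


def flag_remote_exec_services(events):
    """Event ID 7045 (new service installed) whose name is PsExec's default
    service name. A renamed service evades this; pair it with image-path checks."""
    return [e for e in events
            if e.get("EventID") == 7045
            and e.get("ServiceName", "").upper() == "PSEXESVC"]


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    for h in flag_unauthenticated_layouts(recs):
        print("anonymous 2xx on layouts page:", h["c-ip"], h["cs-method"], h["cs-uri-stem"])
    print("anonymous POSTs by source:", dict(anonymous_post_sources(recs)))
    for e in flag_remote_exec_services(SAMPLE_EVENTS):
        print("PsExec-style service install:", e["ServiceName"], e["ImagePath"])
```

Run against the constructed data, the script flags the three anonymous requests from 203.0.113.9 that succeeded on a /_layouts/ page (the anonymous request that got a 401 and the authenticated POST are left alone) and the one PSEXESVC service installation. The value of a script like this is in running it over the real logs the article tells you to enable, and in tuning the anonymous-access and service-name checks to what is normal for your own environment.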

SOURCE: https://cybersecuritynews.com/microsoft-early-alert-sharepoint-vulnerabilities/