Microsoft has patched three important zero-day Sharepoint security flaws that have already been exploited by hackers to attack a large number of weak organizations. Responding to the adventures, the software giant initially released the fix for SharePoint Server Subscription Edition and Sharepoint Server 2019 and then eventually rolled out a patch for Sharepoint Server 2016.
Specified Cve-2025-53771 And Cve-2025-53770The two weaknesses are only applied to the on-rims versions of Sharepoint, so organizations running the cloud-based sharepoint online are unaffected.
Too: I replaced my Microsoft account password with a password – and you also need
As of significant, CVE-2025-53771 is defined as a SharePoint Server Spuling Word, which means that the attackers are capable of implementing reliable and legitimate users or resources in a Sharepoint atmosphere. Rated as important, CVE-2025-53770 is defined as SharePoint Server Remote Code Performance Word. With this type of defect, hackers can run code in a Sharepoint atmosphere from a distance.
“Cve-2025-53770 Gives a Threat Actor the Ability to Remotely Execute Code, Bypassing Identity Protections (Like Single Sign-On and Multi-Factor Authentication), Giving access to content Server Including Configurations and System Files, Opening Up Lateral access across the windows domain, “TREY FORD, Chief Information Security Officer at CRWDSORCED CRWDSORCED CRWDSORECED CORWDSORECED CORWDS Bugcrowd, Told ZDNET.
Together, two flaws allow cyber criminals to establish malicious programs that can compromise a Sharepoint environment – and this is what is happening.
State officials and private researchers told Washington Post that hackers are already Started attacks Against American federal and state agencies, universities, energy companies and others. According to the researchers, the Sharepoint server has been dissolved within at least two American federal agencies. An American state official said that the attackers had “kidnapped” a collection of documents designed to help people understand how their government works, the post said.
Dangerous, even the US National Nuclear Safety Administration was dissolved as a result of SharePoint vulnerability.
Bob Hubber, Chief Security Officer of Cybercity firm Tenble, said, “The recent violation of the systems of several governments including the US National Nuclear Security Administration, arises from a Microsoft vulnerability, is yet another essential reminder of the bet we have faced.” “This is not just about one defect, but how sophisticated actors exploit these openings for a long time.”
Who are the hackers behind the attacks?
On Tuesday, Microsoft Three Chinese nation-state actors convicted – Linen typhoon, violet typhoon, and Storm- 2603- Sharepoint to exploit flamkers.
Active since 2012, linen typhoon specializes in stealing intellectual property. It mainly targets government, defense, strategic scheme and human rights organizations. The group usually depends on exploiting security weaknesses to initiate their attacks.
Too: Microsoft Rolls Windows Safety Changes to prevent another crowdstruk meltdown
Since 2015, in trade, violet typhoon focuses on espionage against several goals against the former government and military personnel, non-governmental organizations, think tanks, higher education, digital and print media, financial businesses and health companies in the US. This group also seeks security weaknesses to exploit.
Microsoft said that the storm is also located in China, but has not yet exposed any links between it and other Chinese hackers. The group has tried to take advantage of Sharepoint weaknesses to steal the Windows machine folder, which stores the cryptographic keys.
“Behind this attack, actor groups with Chinese danger are known to use stolen credibility to establish a backdoor continuously,” Hubber said. “This means that even after the initial vulnerable patch, these attackers can remain hidden inside a network, ready to launch future spy campaigns. As long as an organization sees proof of a new intrusion, the loss has already been done.”
Why did Microsoft allow these flaws to get out of hand?
The company tried to fix both with both the server spuffing vulnerability and remote code execution with its July 8 patch Tuesday update. Cve-2025-49706, Cve-2025-49704And Cve-2025-49701But apparently, Fix did not trick enough, as loving hackers were able to snatch their way around them.
Hopefully, new patch will work this time. In A questionMicrosoft said about its cavalry of cves, “Yes, updates for cve-2025-53770 include stronger security than updates for CVE-2025-49704. The update for Cve-2025-53771 contains strong security for CVE-2025-49706. Is.”
One question is that companies like Microsoft keep highlighting their customers for this type of security flaws. One problem is accompanied by increasing complexity of all different customer environment.
“The patch is rarely wider, and the codebase is complex and the implementation is highly diverse,” Ford said. “This is why those testing harness and regression test processes are so complex. In an ideal world, everyone must be running the latest version of the code, fully patched. Obviously, this is not possible, so convenience development must be tested in a fatally more complex surface area.”
Too: Can’t upgrade your Windows 10 PC? You have 5 options and 3 months to work – before EOS
Before Microsoft rolled out the new patch on Sunday, security firm Eye Safety warned about Sharepoint Dosha in one Research post On Saturday.
“On the evening of July 18, 2025, eye security was the first to identify a large -scale exploitation of a new new.Sharepoint Distance Code ExecutionThe vulnerability series in the wild, “said the firm.” Exhibited A few days ago on xThis exploitation is being used to compromise the Sharepoint server worldwide. Before this vulnerability was widely known last Friday, our team scanned the 8000+ Sharepoint Server.Worldwide. We discovered dozens of systems actively compromising during two waves on 18 July 18:00 UTC on 18:00 UTC and 07:30 UTC on 19 July. ,
Referring to safety defects in the form of toolshell, ophthalmology explained how the SharePoint environment can be compromised through attacks.
Bypassing safety safety, hackers can remotely execute the code, allowing Sharepoint material, system files and access to the configuration. Attackers can also steal cryptographic keys, allowing them to apply users or services even after the server patches. Since Sharepoint connects to other Microsoft services such as Outlook, Teams and ONEDRIVE, hackers can move later to a network to steal affiliated passwords and data.
How to fix security defects
For organizations running the Sharepoint server, Microsoft has underlined the steps to fix the flaws.
Microsoft SharePoint Server Membership Edition, for head This updated page Patch to download and install. For Microsoft Sharepoint Server 2019, browse This updated page To catch the patch. For Microsoft Sharepoint Server 2016, go to This updated page For patch.
Too: How to get free Windows 10 Safety Updates through October 2026: Two methods
How to protect from future attacks
For the protection of your environment, Microsoft advises the following:
- Make sure you are running the supported version of the Sharepoint server.
- Apply the latest security patch, including the July patch Tuesday updates.
- Make sure Windows Antimalware Scan Interface (AMSI) Enabled and is properly set with antivirus products such as defender antivirus.
- Install safety software like Microsoft defender for endpoints.
- Rotate the sharepoint server asp.net machine key.
Too: Microsoft is saving millions with AI and taking thousands of people – where do we go from here?
Ford also gave more advice to organizations with Sharepoint server.
Ford said, “When run their services, ask if they really need to be exposed on the Internet, or accessible to incredible parties,” Ford said. “Reducing your attack surface is always intelligent – reduce the number of hosts and services available to public, incredible users. Add strict, recommended and oppoint safety, such as Microsoft’s AntiMware Scan Interfaces and Defenders, is important for these highly integrated services.”
Get top stories of morning with us in your inbox every day Tech Today Newsletter.
