Dangerous SharePoint on-Prem Security Attacks!

ATTENTION!

Active attacks on SharePoint on-Premise Server customers!

Microsoft issued a warning over the last weekend about two dangerous security vulnerabilities in on-prem instances of SharePoint.

They allow attackers to remotely execute their own code on vulnerable instances.

According to Microsoft, the following versions are affected:

  • SharePoint Server 2016, 2019 and the Subscription Edition.
  • SharePoint Online does not seem to be vulnerable, according to Microsoft.
  • What is not documented, however, is the potential risk for SharePoint 2013!

Since it can be assumed that the attack is also possible on these servers, especially since they are already “out of support” and will therefore receive NO more security patches,
immediate action should be taken to cut these servers off from the Internet, at least temporarily, to avoid being compromised.

Call to Action!

These Updates are already available:

  • KB5002768 – for SharePoint Server Subscription Edition

Important Information for SharePoint Server 2019:
Microsoft also published a language-specific update that has to be installed as well, to avoid JavaScript-related rendering issues in the Modern UI.


URGENT!

Microsoft also expressly points out that after the update, the ASP.NET “Machine Keys” must be rotated in any case, followed by an IIS restart. On the help pages for ToolShell you can find the related PowerShell cmdlets.

The company Eye Security provides a detailed analysis and timeline in its blog. According to this, exploitation of the vulnerability began during the night of July 18 to 19, and dozens of systems have most likely already been compromised since then!

What are the next steps?

  • Microsoft released security updates on July 20th that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770 and CVE-2025-53771.
    Customers should apply these updates immediately to ensure they’re protected.

  • SharePoint administrators are advised to check their SharePoint machines for a file named spinstall0.aspx in the […\16\TEMPLATE\LAYOUTS] directory. If this file exists, the machines are most likely already affected!
  • Please read the following blog post from Microsoft Security Response Center for guidance and mitigation and monitor it for further updates:
    Customer guidance for SharePoint vulnerability CVE-2025-53770 | MSRC Blog | Microsoft Security Response Center
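
The file check from the list above can be scripted across several servers. This is an added example, not code from Microsoft or from this post; the function name and the -LayoutsPath parameter are assumptions, and the full LAYOUTS path must be supplied because the post abbreviates it.

```powershell
# Added example: look for the indicator file named in this post and record
# metadata for the incident-response team. Read-only; nothing is changed or deleted.
# Assumption: -LayoutsPath holds the full path (local or UNC) of each server's
# ...\16\TEMPLATE\LAYOUTS directory.
function Find-SpInstallIndicator {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$LayoutsPath,
        [string]$FileName = 'spinstall0.aspx'
    )
    foreach ($dir in $LayoutsPath) {
        $row = [ordered]@{ Directory = $dir; Status = 'NotFound'; File = $null
                           CreatedUtc = $null; ModifiedUtc = $null; SHA256 = $null }
        # A directory that cannot be reached is "unknown", not "clean".
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            $row.Status = 'NotChecked'
            [pscustomobject]$row
            continue
        }
        try {
            # -Force also returns hidden and system files.
            $hits = @(Get-ChildItem -LiteralPath $dir -Filter $FileName -File -Force -ErrorAction Stop)
        }
        catch {
            $row.Status = 'NotChecked'   # e.g. access denied
            [pscustomobject]$row
            continue
        }
        if ($hits.Count -eq 0) { [pscustomobject]$row; continue }
        foreach ($f in $hits) {
            $row.Status      = 'Found'
            $row.File        = $f.FullName
            $row.CreatedUtc  = $f.CreationTimeUtc
            $row.ModifiedUtc = $f.LastWriteTimeUtc
            $row.SHA256      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [pscustomobject]$row
        }
    }
}

# Usage (placeholder path, replace with the real directory on each server):
# Find-SpInstallIndicator -LayoutsPath '<full path to ...\16\TEMPLATE\LAYOUTS>' | Format-Table -AutoSize
```

A row with Status Found matches the condition the post describes as "most likely already affected"; NotChecked rows need a manual look before the server is considered clear.
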

See also several other published posts related to this vulnerability:

All the best,
Steve

3 thoughts on “Dangerous SharePoint on-Prem Security Attacks!”

  1. Important Information for SharePoint Server 2019:
    Microsoft also published a language specific update that has to be installed as well, to avoid JavaScript related rendering issues on Modern UI.

    Language Independent Update: (KB5002754)
    Description of the security update for SharePoint Server 2019: July 21, 2025 (KB5002754) – Microsoft Support

    Language dependent Update: (KB5002753)
    Description of the security update for SharePoint Server 2019 Language Pack: July 21, 2025 (KB5002753) – Microsoft Support
