TT-CSIRT – 442.20.07.25 – SharePoint Vulnerability

Microsoft has advised of active attacks targeting on-premises SharePoint Server customers; SharePoint Online in Microsoft 365 is not affected. The attacks exploit a variant of CVE-2025-49706, tracked as CVE-2025-53770. At the time of Microsoft's initial notice a patch was not yet available.

Microsoft is actively working to release a security update and will provide additional details as they become available.

Mitigation

Customers running SharePoint Subscription Edition should apply the security update referenced in CVE-2025-53771 immediately. On-premises Microsoft SharePoint Server customers must apply the latest security updates (the July 2025 Security Update) or upgrade to a supported version of Microsoft SharePoint Server.

Product                                      KB Article   Security Update   Fixed Build Number
Microsoft SharePoint Server 2019             5002741      Security Update   16.0.10417.20027
Microsoft SharePoint Enterprise Server 2016  5002744      Security Update   16.0.5508.1000

For further protection, configure Antimalware Scan Interface (AMSI) integration in SharePoint, enable Full Mode for optimal protection, and deploy Defender Antivirus on all SharePoint servers; this stops unauthenticated attackers from exploiting this vulnerability. AMSI integration has been enabled by default since the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. If you cannot enable AMSI, consider disconnecting the server from the internet until a security update is available.

After applying the latest security updates above or enabling AMSI, it is critical to rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers.

Methods:

  1. Manually via PowerShell
     To update the machine keys using PowerShell, use the Update-SPMachineKey cmdlet.

  2. Manually via Central Admin
     Trigger the Machine Key Rotation timer job by performing the following steps:
     1. Navigate to the Central Administration site.
     2. Go to Monitoring -> Review job definitions.
     3. Search for Machine Key Rotation Job and select Run Now.

After the rotation has completed, restart IIS on all SharePoint servers using iisreset.exe.
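The following script carries out the PowerShell method end to end: it checks the farm build against the fixed builds in the table above, rotates the machine key of every web application with Update-SPMachineKey, and restarts IIS on every SharePoint server. It is an added example and is not code from the TT-CSIRT advisory or from Microsoft. It assumes it is run in an elevated SharePoint Management Shell as a farm administrator, that PowerShell remoting (WinRM) is enabled to the other servers in the farm, and that the product can be inferred from the build number as described in the comments; the function names are this example's own.

```powershell
# Added example, not code from the TT-CSIRT advisory or from Microsoft.
# Assumptions: elevated SharePoint Management Shell on a farm server, farm administrator
# account, WinRM enabled to the other SharePoint servers for the IIS restart step.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Fixed build numbers from the advisory table (July 2025 Security Update).
$fixedBuilds = @{
    'SharePoint Server 2019'            = [version]'16.0.10417.20027'
    'SharePoint Enterprise Server 2016' = [version]'16.0.5508.1000'
}

function Get-SharePointPatchState {
    # The farm build's third component separates the products that share the 16.0
    # major version: 2016 builds are below 10000, 2019 builds are 10000-13999.
    # Subscription Edition builds are higher and are not in the advisory table.
    $build = (Get-SPFarm).BuildVersion
    $product = if ($build.Build -ge 10000 -and $build.Build -lt 14000) { 'SharePoint Server 2019' }
               elseif ($build.Build -lt 10000) { 'SharePoint Enterprise Server 2016' }
               else { $null }
    $fixed   = if ($product) { $fixedBuilds[$product] } else { $null }
    $patched = if ($product) { $build -ge $fixed } else { $null }
    [pscustomobject]@{
        Product      = $product
        CurrentBuild = $build
        FixedBuild   = $fixed
        Patched      = $patched
    }
}

function Invoke-FarmMachineKeyRotation {
    # A machine key obtained by an attacker before patching stays valid until it is
    # rotated, so every web application (including Central Administration) is rotated.
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($webApp.Url)"
        Update-SPMachineKey -WebApplication $webApp
    }
    # Restart IIS on every server that runs SharePoint services. Database-only servers
    # report the Invalid role and have no SharePoint IIS sites to restart.
    $servers = Get-SPServer |
        Where-Object { $_.Role -ne 'Invalid' } |
        Select-Object -ExpandProperty Address
    Invoke-Command -ComputerName $servers -ScriptBlock { iisreset.exe /noforce }
}

$state = Get-SharePointPatchState
$state | Format-List

if ($state.Patched -eq $false) {
    Write-Warning "Farm build $($state.CurrentBuild) is below fixed build $($state.FixedBuild); apply the July 2025 Security Update first, then rerun."
}
else {
    if ($null -eq $state.Patched) {
        Write-Warning 'Product not in the advisory table (for example Subscription Edition); confirm the update level manually.'
    }
    Invoke-FarmMachineKeyRotation
}
```

Run it once from any server in the farm; the rotation is a farm-level change and the IIS restart is pushed to each server over remoting. If remoting is not available, run iisreset.exe locally on each server after the rotation completes.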

Detection
It is recommended to deploy Defender for Endpoint or an equivalent solution to detect and block post-exploitation activity.

Microsoft Defender Antivirus provides detection and protection against components and behaviors related to this threat under the following detection names:

  • Exploit:Script/SuspSignoutReq.A
  • Trojan:Win32/HijackSharePointServer.A

Microsoft Defender for Endpoint raises alerts with the following titles in the Microsoft Defender Security Center portal that may indicate activity associated with this threat:

  • Possible web shell installation
  • Possible exploitation of SharePoint server vulnerabilities
  • Suspicious IIS worker process behavior
  • ‘SuspSignoutReq’ malware was blocked on a SharePoint server
  • ‘HijackSharePointServer’ malware was blocked on a SharePoint server

Note: These alerts can also be triggered by unrelated threat activity. Look for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770; its absence does not by itself prove a server was not compromised. Run the advanced hunting query in Microsoft 365 Defender.
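For servers without Defender for Endpoint, or to corroborate a portal alert on the host itself, the following script hunts for the spinstall0.aspx artefact in the SharePoint LAYOUTS directory and pulls any Defender Antivirus events carrying the detection names listed above from the local event log. It is an added example and is not code from the TT-CSIRT advisory or from Microsoft. It assumes the default 16-hive install path, that it is run as an administrator on each SharePoint server, and that the Defender Antivirus operational log is present; the "recently created .aspx" rule is a heuristic of this example and will also list legitimate customizations and update-delivered pages for review.

```powershell
# Added example, not code from the TT-CSIRT advisory or from Microsoft.
# Assumptions: run as administrator on each SharePoint server; default 16-hive path;
# any .aspx created after the cutoff is flagged for review (heuristic, expect benign hits).

function Find-SharePointWebShellArtifacts {
    param(
        [string]$LayoutsPath = (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'),
        [datetime]$Since = (Get-Date).AddDays(-30)
    )
    $cutoffUtc = $Since.ToUniversalTime()
    Get-ChildItem -Path $LayoutsPath -Filter '*.aspx' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reasons = @()
            # Exact artefact named in the advisory; the wildcard also catches renamed copies.
            if ($_.Name -like 'spinstall0*') { $reasons += 'spinstall0 artefact name' }
            # Heuristic: new server-side pages in LAYOUTS are rare outside of updates.
            if ($_.CreationTimeUtc -ge $cutoffUtc) { $reasons += 'created after cutoff' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path            = $_.FullName
                    CreationTimeUtc = $_.CreationTimeUtc
                    LastWriteUtc    = $_.LastWriteTimeUtc
                    SizeBytes       = $_.Length
                    SHA256          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Reason          = $reasons -join '; '
                }
            }
        }
}

function Get-DefenderSharePointDetections {
    # Event ID 1116 is a detection and 1117 a remediation action in the Defender
    # Antivirus operational log; filter to the detection names from the advisory.
    param([datetime]$Since = (Get-Date).AddDays(-30))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SuspSignoutReq|HijackSharePointServer' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Find-SharePointWebShellArtifacts | Format-Table -AutoSize
Get-DefenderSharePointDetections | Format-Table -AutoSize
```

Record the SHA256 and timestamps of anything flagged before touching the file, since the creation time of spinstall0.aspx is the best local indicator of when exploitation succeeded and therefore of when the machine keys should be considered exposed. Run the hunt on every server in the farm, not only the one that raised an alert.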

References:
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

If you have any queries, comments or require assistance, please feel free to contact TT-CSIRT via contacts@ttcsirt.gov.tt