Microsoft Zero-Day in SharePoint Triggers Global Attacks
Microsoft has issued emergency security updates and detection tools following active exploitation of a zero-day in SharePoint. Attackers are targeting two vulnerabilities, CVE-2025-53770 and CVE-2025-53771, that affect on-premises SharePoint servers worldwide. Since July 18, threat actors have compromised dozens of organizations, including U.S. federal agencies, universities, and energy firms.
The SharePoint zero-day enables unauthenticated remote code execution and authentication bypass through manipulated HTTP headers. Security teams have observed attackers uploading rogue ASPX files to extract the server's cryptographic keys and maintain persistent access. Microsoft has released patches for SharePoint Server Subscription Edition and SharePoint Server 2019, while SharePoint Server 2016 remains without a full fix.
CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog and directed federal agencies to act within 24 hours. Microsoft also published threat hunting queries to help defenders detect exploitation attempts and process abuse. Organizations should apply the patches, rotate the server's cryptographic keys, and enable the Antimalware Scan Interface (AMSI) integration.
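The two behaviours the article describes, rogue ASPX files written into a SharePoint layouts directory and shells spawned by the IIS worker process, are the kind of signal Microsoft's hunting queries look for. The script below is an added illustration of that detection logic, not code from the article or from Microsoft; it runs over constructed file-creation and process-creation records (the kind an EDR or Sysmon would supply) and correlates the two. Every path, file name, user and timestamp in the sample data is made up for the example; the layouts-directory markers assume SharePoint's default install location, and the article names no specific file or command as an indicator.

```python
"""Added example: correlate rogue ASPX drops with shells spawned by w3wp.exe.

All sample records are constructed for this example and are not indicators
from the article. Production detection should use Microsoft's published
hunting queries and your own telemetry source.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: default SharePoint hive locations ("15" for 2013-era paths,
# "16" for 2016/2019/Subscription Edition) under Program Files\Common Files.
LAYOUTS_MARKERS = (
    "\\web server extensions\\15\\template\\layouts\\",
    "\\web server extensions\\16\\template\\layouts\\",
)
IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class FileEvent:
    path: str
    created: datetime
    writer_process: str   # process that wrote the file (e.g. Sysmon event 11)


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: datetime
    parent_image: str
    image: str
    command_line: str


def basename(image: str) -> str:
    # PureWindowsPath parses Windows paths correctly even on a non-Windows host.
    return PureWindowsPath(image).name.lower()


def is_layouts_path(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in LAYOUTS_MARKERS)


def find_rogue_aspx(events, since: datetime):
    """ASPX files written under a layouts directory after `since` by the IIS
    worker itself. Legitimate layouts content is deployed by setup or solution
    deployment tooling, not by the worker process that answers web requests."""
    return [
        e for e in events
        if e.path.lower().endswith(".aspx")
        and is_layouts_path(e.path)
        and e.created >= since
        and basename(e.writer_process) == IIS_WORKER
    ]


def find_w3wp_shells(events):
    """Command shells whose parent is the IIS worker process."""
    return [
        e for e in events
        if basename(e.parent_image) == IIS_WORKER and basename(e.image) in SHELLS
    ]


def correlate(file_hits, proc_hits, window=timedelta(minutes=30)):
    """Pair each rogue file drop with shells spawned within `window` after it."""
    return [
        (f.path, p.command_line)
        for f in file_hits
        for p in proc_hits
        if timedelta(0) <= p.timestamp - f.created <= window
    ]


# --- constructed sample telemetry -------------------------------------------
BASE = datetime(2025, 7, 18)   # the article dates the campaign from July 18
ROOT = r"C:\Program Files\Common Files\microsoft shared\web server extensions\16\template\layouts"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_FILES = [
    # shipped page, deployed long ago by setup tooling: benign
    FileEvent(ROOT + r"\settings.aspx", datetime(2024, 3, 1, 9, 0), r"C:\setup\psconfig.exe"),
    # constructed rogue page written by the worker process itself: suspicious
    FileEvent(ROOT + r"\EXAMPLE_dropped.aspx", datetime(2025, 7, 19, 2, 14), W3WP),
    # not an .aspx file, so out of scope for this rule
    FileEvent(r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config", datetime(2025, 7, 19, 2, 0), W3WP),
]
SAMPLE_PROCS = [
    ProcessEvent(datetime(2025, 7, 19, 2, 15), W3WP, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo constructed-sample"),
    ProcessEvent(datetime(2025, 7, 19, 2, 16), W3WP, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -Command constructed-sample"),
    # an administrator's interactive shell: parent is explorer, not w3wp
    ProcessEvent(datetime(2025, 7, 19, 8, 0), r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    # ASP.NET page compilation is a normal w3wp child and must not alert
    ProcessEvent(datetime(2025, 7, 19, 2, 20), W3WP, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig"),
]


def run_sample():
    files = find_rogue_aspx(SAMPLE_FILES, BASE)
    procs = find_w3wp_shells(SAMPLE_PROCS)
    return {"files": files, "procs": procs, "pairs": correlate(files, procs)}


if __name__ == "__main__":
    for path, cmd in run_sample()["pairs"]:
        print(f"ALERT rogue page {path} followed by w3wp child shell: {cmd}")
```

The file rule keys on who wrote the page rather than on a file name, because the dropped file name is attacker-controlled and changes between intrusions; the process rule ignores normal w3wp children such as the ASP.NET compiler so that it stays quiet on a healthy farm. Feeding it real telemetry means replacing the constructed lists with events from your EDR or Sysmon pipeline.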
