SharePoint Vulnerability Exposes Agencies

A significant vulnerability in SharePoint Server, designated CVE-2025-53770, presents a serious risk to various sectors, including government agencies, educational institutions, and energy companies. The flaw, identified by Microsoft, affects on-premises SharePoint Server versions only; SharePoint Online and Microsoft 365 are unaffected. Reports indicate that at least two U.S. federal agencies have already fallen victim to breaches linked to this vulnerability, underscoring its potential for widespread exploitation.

The flaw allows unauthorized remote code execution and access to sensitive SharePoint content and configurations. Exploitation began in early July 2025, primarily by Chinese nation-state groups such as Linen Typhoon and Violet Typhoon. U.S. government entities, alongside allies including Canada and Australia, are investigating the intrusions. The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerabilities associated with this issue to its Known Exploited Vulnerabilities catalog, citing active cyber espionage campaigns against vulnerable government systems critical to national security. Organizations without proper vulnerability scanning face increased risk of exploitation during this widespread attack campaign.

The flaw enables unauthorized remote code execution, prompting investigations by U.S. and allied nations into ongoing cyber espionage campaigns.

CVE-2025-53770 is part of a broader chain of vulnerabilities with CVE-2025-49706 and CVE-2025-49704. The combination, often referred to as "ToolShell," allows spoofing and remote code execution. These weaknesses permit both unauthenticated and authenticated access, facilitating the deployment of webshells and ransomware components and granting full control over internal SharePoint settings. Because attackers can exploit this access without any user credentials, it represents a severe security weakness.

On July 20, 2025, Microsoft issued an emergency update to address these zero-day exploits. CISA subsequently directed federal agencies to remediate the vulnerabilities by July 23, 2025. Security advisories from both Microsoft and CISA emphasize the importance of immediate patching and cryptographic key rotation.

Incident responders urgently recommend that organizations apply all patches and engage professional incident response teams to mitigate risks effectively. Failure to act could lead to severe repercussions across affected sectors.
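The two remediation steps the advisories call for, patching and key rotation, can be verified and carried out from the SharePoint Management Shell on a farm server. The following script is an added example written for this article, not code from Microsoft or CISA. It assumes farm administrator rights, uses SharePoint's farm and machine-key cmdlets (Get-SPFarm, Get-SPWebApplication, Set-SPMachineKey, Update-SPMachineKey), and treats the patched build number as a placeholder to be filled in from the vendor advisory for your edition.

```powershell
# Added example (not from the article): post-patch verification and machine-key rotation
# for an on-premises SharePoint farm. Run in the SharePoint Management Shell as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDER: replace with the patched build for your SharePoint edition from the July 2025 advisory.
$patchedBuild = [version]'16.0.0.0'

# Step 1: confirm the farm build is at or above the patched build before touching keys.
$farm = Get-SPFarm
$current = $farm.BuildVersion
if ($current -lt $patchedBuild) {
    Write-Warning "Farm build $current is below patched build $patchedBuild; install the security update first."
    return
}
Write-Host "Farm build $current is at or above the patched build $patchedBuild."

# Step 2: rotate the ASP.NET machine keys for every web application, as the advisories direct.
# Set-SPMachineKey generates new validation/decryption keys; Update-SPMachineKey pushes them to the servers.
foreach ($wa in Get-SPWebApplication) {
    Write-Host "Rotating machine keys for $($wa.Url)"
    Set-SPMachineKey -WebApplication $wa
    Update-SPMachineKey -WebApplication $wa
}

# Step 3: restart IIS so every worker process picks up the new keys (repeat on each farm server).
iisreset
```

Run the script on one server after the update is installed on all of them; the build check fails closed, so key rotation never runs against an unpatched farm where freshly rotated keys could be stolen again.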
