
Microsoft SharePoint, one of the world’s most widely used collaboration tools, is under active cyberattack. A newly discovered zero-day vulnerability is being exploited by threat actors, allowing them to gain unauthenticated access to on-premises SharePoint servers. Thousands of organisations are believed to be at risk.
If your company runs SharePoint Server 2016, 2019, or the Subscription Edition, this is happening now and the consequences could be devastating.
This blog will break down what’s happening, how it impacts your business, and what urgent steps you need to take now, including how Mexa Solutions can help strengthen your cybersecurity hiring to protect against future breaches.
Microsoft SharePoint Zero-day Breach Is The Latest Security Vulnerability
It’s been a chaotic few weeks in cyber security. Amazon recently warned 220 million customers of widespread Prime account targeting, and viral claims of a mass Ring doorbell breach took social media by storm. While the Amazon situation can be handled with basic security hygiene, and the Ring claims appear to be exaggerated, the same can’t be said for CVE-2025-53770.
This is a confirmed, high-impact attack against on-premises SharePoint Server customers. According to researchers at Eye Security, the breach is already in global circulation, and Microsoft has admitted that it is “aware of active attacks” and that “a patch is currently not available” for some affected versions.
Active Exploitation Confirmed by CISA
On Sunday night, Microsoft issued an urgent alert confirming exploitation in the wild. The company released fixes for two of the affected versions, but one legacy 2016 edition remains unpatched as engineers continue work on a security update.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a national alert, warning that attackers can use the flaw to gain unauthenticated system access and execute code remotely. That means full content access and no passwords required.
“This vulnerability poses a risk to organisations,” CISA warned.
Scope of the Breach and Global Impact
Security firms have reported that thousands of organisations across sectors have likely been affected. Many researchers in the sector have described the situation as “a serious threat” that is spreading globally.
Eye Security also revealed that even patched systems may still be vulnerable to impersonation attacks, due to how SharePoint integrates with other services like Outlook and Teams. Once compromised, attackers can move laterally through an organisation’s digital infrastructure, harvesting credentials and accessing sensitive data.
This is an active breach campaign.
What You Need to Know Now
Here are the critical facts that every IT and security team should understand:
- Exploit Type: Remote Code Execution (RCE) via improper validation of ASP.NET machine keys
- Primary Target: Unpatched, internet-facing on-premises SharePoint Server installations
- Current Status: Partial patches have been released, but some versions remain vulnerable
- Risk Level: High, with potential for data breaches, impersonation, and operational disruption
The Urgency Behind It
Microsoft said it is “aware of active attacks targeting on-premises SharePoint Server customers” and is urging all users to patch immediately. With millions of users on SharePoint worldwide, this could have wide-reaching implications for supply chains, public sectors, financial institutions, and education providers.
Even a single vulnerable server can provide hackers with an entry point to exploit Microsoft systems and their users.
How Microsoft Is Responding
Microsoft has now released a patch for CVE-2025-53770, and issued detailed guidance for SharePoint vulnerability mitigation. The company says it is working on a fix for older SharePoint versions that remain unsupported but still in use.
CISA is also monitoring the situation, recommending that all federal agencies apply the security update for SharePoint Server immediately.
If you’re a customer using SharePoint Subscription Edition and SharePoint 2019, Microsoft Defender AV should be actively running.
Guidance For SharePoint Vulnerability CVE-2025-53770
If you haven’t already taken action, these are the most urgent steps from Microsoft your team should follow to reduce exposure, block active exploits, and regain control of your SharePoint environment:
1. Install The July Security Update For SharePoint Server
Installing the latest security update is a critical first step and is emphasised by Microsoft as essential for SharePoint Server 2019 and Subscription Edition. A fix for SharePoint 2016 is pending as of July 21, 2025, but updates should be applied as soon as they become available.
2. Disable Internet Exposure For SharePoint If Not Absolutely Required
Experts recommend removing unnecessary internet exposure for SharePoint servers, especially if AMSI (Antimalware Scan Interface) cannot be enabled. Actively exploited servers are being targeted via internet-facing endpoints, so this is a vital mitigation step.
3. Confirm ASP.NET Machine Key Integrity
Rotating and verifying the SharePoint Server ASP.NET machine key is specifically called out by Microsoft to prevent spoofing and impersonation in recent advisories.
4. Run Microsoft Defender Antivirus On All SharePoint Servers
Microsoft explicitly states Defender Antivirus (and enabling AMSI integration at Full Mode) is required on all SharePoint servers for detection and blocking of active exploits.
5. Enable Full Logging And Audit Access
Full logging and comprehensive audit trails are critical for detecting impersonation, privilege escalations, and misuse. Microsoft emphasises monitoring for abnormal admin or credential activity as ongoing attacks continue.
6. Segment Your Network
Network segmentation is considered a core SharePoint security practice; servers should be firewalled from other critical infrastructure to contain compromise and prevent lateral movement, as reinforced in both Microsoft and industry best practice documents.
7. Check Microsoft’s Official Guidance
Refer to official Microsoft guidance (e.g. CVE-2025-53770 security advisories) for the most current, actionable steps, since guidance and patches continue to be updated.
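Steps 3 and 4 above can be checked from the SharePoint Management Shell once the update from step 1 is installed. The PowerShell below is an added example, not taken from this post or from Microsoft; it assumes an elevated shell on a farm server, farm administrator rights, and a patch level that provides the Set-SPMachineKey and Update-SPMachineKey cmdlets. The `-Rotate` switch is a name chosen for this example.

```powershell
# Added example: report Defender Antivirus state (step 4) and optionally
# rotate ASP.NET machine keys for every web application (step 3).
param(
    [switch]$Rotate   # example-only switch: without it the script only reports
)

# SharePoint 2016/2019 expose their cmdlets as a snap-in; ignore "already loaded"
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 4: confirm Defender Antivirus and real-time protection on this server
$mp = Get-MpComputerStatus
[pscustomobject]@{
    Server             = $env:COMPUTERNAME
    AntivirusEnabled   = $mp.AntivirusEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    SignatureAgeDays   = $mp.AntivirusSignatureAge
} | Format-List

if (-not ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) {
    Write-Warning "Defender Antivirus is not fully active on $env:COMPUTERNAME."
}

# Step 3: generate new machine keys per web application and deploy them farm-wide.
# Get-SPWebApplication omits Central Administration unless asked to include it.
foreach ($wa in Get-SPWebApplication) {
    if (-not $Rotate) {
        Write-Output "Would rotate machine key for $($wa.Url)"
        continue
    }
    Set-SPMachineKey -WebApplication $wa      # generate a new key set
    Update-SPMachineKey -WebApplication $wa   # push it to the farm
    Write-Output "Rotated machine key for $($wa.Url)"
}

if ($Rotate) {
    # Worker processes keep the old keys in memory until IIS restarts
    Write-Warning "Run iisreset.exe on every SharePoint server to load the new keys."
}
```

Run it without `-Rotate` first on each server to review the Defender report and the list of web applications, then rerun with `-Rotate` in a maintenance window.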
How Mexa Solutions Helps Secure Your Future
Finding the right cybersecurity talent, especially during a crisis, isn’t easy. That’s where Mexa Solutions comes in.
As a specialist in tech and IT security recruitment, we:
- Match companies with vetted cybersecurity professionals
- Help businesses scale quickly in high-pressure situations
- Provide access to exclusive roles in the SharePoint, Microsoft 365, and cloud security sectors
If your business is looking to hire Incident Response, SOC Analysts, or Security Engineers with SharePoint experience, our team has deep industry connections to find talent fast.
Looking for your next opportunity in cyber security? Whether you’re skilled in Microsoft Defender, updates for SharePoint Server, or protecting on-premises SharePoint environments, Mexa Solutions can help you land roles that matter.
Don’t Wait For A Breach
The attacks on on-premises SharePoint Server environments aren’t hypothetical; they are active, global, and growing by the day. Cybercriminals are moving fast, exploiting gaps in systems that haven’t yet been secured.
Delaying action is not an option.
If your organisation is running Microsoft SharePoint Server, especially SharePoint 2016, SharePoint 2019, or the Subscription Edition, now is the time to act. Apply the latest security update, validate your ASP.NET machine key settings, and ensure you have real-time threat monitoring in place.
Need to reinforce your cybersecurity capabilities? Mexa Solutions specialises in connecting organisations with experts in SharePoint security, Microsoft 365, and beyond. We help you build the team you need before threats become breaches.
Frequently Asked Questions (FAQs) About SharePoint Security
Is SharePoint Online in Microsoft 365 affected by these attacks?
So far, attacks have mainly targeted on-premises SharePoint servers. SharePoint Online in Microsoft 365 benefits from Microsoft’s cloud-based security infrastructure and regular automatic updates, making it less susceptible to these specific vulnerabilities.
Are government agencies particularly at risk with SharePoint servers?
Government agencies often use on-premises SharePoint servers to manage sensitive information. As these environments are attractive targets for cybercriminals, agencies are urged to apply security updates promptly and follow recommended cybersecurity practices to protect SharePoint content from breaches.
What is SharePoint Server Subscription Edition?
It’s the latest on-premises SharePoint version with ongoing updates delivered through a subscription model.
This blog was written by Simon Bath, Director and Founder of Mexa Solutions.