Threat Report

CVE-2025-53770 and CVE-2025-53771: Actively Exploited SharePoint Vulnerabilities A critical threat report published by AlienVault on 2025-07-22T09:04:10.561Z detailing two actively exploited vulnerabilities in Microsoft SharePoint Servers.

Threat Overview

The threat report highlights two critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771, affecting Microsoft SharePoint Servers. These vulnerabilities allow attackers to upload malicious files and extract cryptographic secrets. The flaws are evolutions of previously patched vulnerabilities, CVE-2025-49704 and CVE-2025-49706, which were incompletely remediated. Exploit attempts have been observed across various industries, including finance, education, energy, and healthcare. Microsoft has released patches for SharePoint Subscription Edition and Server 2019, with a patch for Server 2016 pending. The vulnerabilities enable unauthenticated remote code execution through advanced deserialization techniques and ViewState abuse. Active exploitation in the wild has been confirmed, compromising on-premises SharePoint environments globally.

Detailed Analysis

The vulnerabilities CVE-2025-53770 and CVE-2025-53771 are significant threats to organizations using Microsoft SharePoint Servers. These flaws allow attackers to execute remote code on affected systems without authentication, leveraging advanced deserialization techniques and ViewState abuse. The vulnerabilities are particularly dangerous because they are evolutions of previously patched issues, indicating that the initial fixes were not comprehensive enough to prevent further exploitation.

The impact of these vulnerabilities is far-reaching, with exploit attempts observed in multiple industries. Finance, education, energy, and healthcare sectors have all reported attempted or successful exploits. This widespread targeting underscores the need for immediate action by affected organizations to apply the necessary patches and implement additional security measures.

Microsoft has responded by releasing patches for SharePoint Subscription Edition and Server 2019. However, a patch for Server 2016 is still pending, leaving some environments vulnerable until an update is available. Organizations using SharePoint Server 2016 should closely monitor Microsoft’s updates and apply the patch as soon as it becomes available.

The active exploitation of these vulnerabilities in the wild confirms that threat actors are actively seeking to compromise on-premises SharePoint environments. The use of advanced deserialization techniques and ViewState abuse suggests a high level of sophistication among the attackers, making detection and mitigation more challenging.

Operational Security Measures

The operational security measures implemented by the attackers include the use of advanced deserialization techniques and ViewState abuse. These methods allow for unauthenticated remote code execution, making it difficult for traditional security tools to detect and mitigate the threats. The evolution of these vulnerabilities from previously patched issues also indicates that the attackers have a deep understanding of the SharePoint environment and are capable of finding new ways to exploit known flaws.

The widespread targeting of various industries suggests that the attackers may be using automated tools or scripts to scan for vulnerable SharePoint servers. This approach allows them to quickly identify potential targets and launch exploits with minimal effort.

Recommendations for Mitigation

Organizations can implement several measures to mitigate the threat posed by these vulnerabilities:

• Immediate Patching: Apply the patches released by Microsoft for SharePoint Subscription Edition and Server 2019 as soon as possible. Monitor for the release of a patch for Server 2016 and apply it immediately upon availability.
• Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. This can be achieved by dividing the network into smaller segments and implementing strict access controls between segments.
• Regular Updates: Keep all systems and software up to date with the latest security patches. Regular updates help address known vulnerabilities that can be exploited by malware like SHOE RACK.
• Intrusion Detection Systems: Deploy intrusion detection systems (IDS) to monitor network traffic for signs of malicious activity. IDS can help detect and alert on suspicious traffic patterns, allowing organizations to respond quickly to potential threats.
• Endpoint Protection: Implement endpoint protection solutions to detect and block malware on individual devices. Endpoint protection can help prevent the initial infection and limit the spread of malware within the network.
• Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. This can include phishing simulations, training on recognizing suspicious emails, and best practices for password security.
• Regular Backups: Maintain regular backups of critical data to ensure that it can be restored in the event of a ransomware attack or data loss. Backups should be stored offline or in a separate network segment to prevent them from being encrypted or deleted by the malware.
• Incident Response Plan: Develop and maintain an incident response plan to ensure that the organization can respond quickly and effectively to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.

By implementing these measures, organizations can significantly reduce the risk of falling victim to these SharePoint vulnerabilities and other sophisticated cyber threats.