Active Global Attacks Targeting On-premises SharePoint Server (CVE-2025-53770)

msrc.microsoft.com

Active Global Attacks Targeting On-premises SharePoint Server (CVE-2025-53770)

msrc.microsoft.com

mhewitt to

cybersecurity · 6 months ago

Customer guidance for SharePoint vulnerability CVE-2025-53770 | MSRC Blog | Microsoft Security Response Center

msrc.microsoft.com

Customer guidance for SharePoint vulnerability CVE-2025-53770

IOCs:

107.191.58[.]76
104.238.159[.]149
96.9.125[.]147
Unusual POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
Unusual POSTs to /_layouts/16/ToolPane.aspx?DisplayMode=Edit
spinstall0.aspx in SharePoint Layouts folders

Vulnerabilities:

CVE-2025-53770 (new, no patch as of 2025-07-20)
CVE-2025-49704 (2025-07-08 patch)
CVE-2025-49706 (2025-07-08 patch)

Only mitigations at this time require both SharePoint AMSI integrations to be enabled and Microsoft Defender in Active mode. Other AV is not confirmed.

Also see

You must log in or # to comment.

Chat

cybersecurity

Create a post

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !cybersecurity@infosec.pub

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

6 users / day
94 users / week
353 users / month
2.05K users / 6 months
899 local subscribers
5.4K subscribers
945 Posts
2.06K Comments
Modlog