Full Report
Microsoft has issued an urgent patch for most SharePoint servers after cybersecurity researchers found threat actors globally exploiting a zero-day vulnerability in the products.
Analysis Summary
# Vulnerability: Zero-Day Remote Code Execution in On-Premise SharePoint Leading to Crypto Key Theft
## CVE Details
- CVE ID: CVE-2025-53770 and CVE-2025-53771
- CVSS Score: Not stated in the source; treated as High/Critical given remote code execution and confirmed active exploitation.
- CWE: Not stated in the source; the flaw is described only by its effect, remote code execution.
## Affected Systems
- Products: Microsoft SharePoint (On-Premise Deployments)
- Versions: On-premise SharePoint Server versions are affected by CVE-2025-53770; the 2016 edition is called out separately because the initial update did not cover it. Cloud (SharePoint Online) environments are stated as **unaffected**.
- Configurations: SharePoint servers exposed to the internet.
## Vulnerability Description
CVE-2025-53770 is a remote code execution (RCE) vulnerability affecting on-premise SharePoint servers. Threat actors are actively exploiting this flaw to bypass identity controls (including MFA and SSO), gain privileged access, exfiltrate sensitive data, deploy persistent backdoors, and, critically, compromise and steal the system's internal cryptographic keys. This key compromise allows persistent access even after an initial patch is applied. CVE-2025-53771 is a less critical vulnerability patched concurrently.
## Exploitation
- Status: **Exploited in the wild** (Widespread, mass exploitation observed globally, impacting governments and enterprises).
- Complexity: Not stated in the source; inferred Low/Medium, since remote, unauthenticated exploitation that sidesteps controls such as MFA and SSO indicates high exploitability.
- Attack Vector: Network (Requires internet exposure of the SharePoint server).
## Impact
- Confidentiality: High (Data exfiltration, access to sensitive keys)
- Integrity: High (Deployment of persistent backdoors)
- Availability: Medium/High (System compromise necessitates complex remediation)
## Remediation
### Patches
- A security update covering both CVE-2025-53770 and CVE-2025-53771 was released early Monday morning for SharePoint (excluding the 2016 edition).
- **Action Required for SharePoint 2016:** Apply the necessary patch/guidance (implied, as the general update excluded 2016).
### Workarounds
- Immediately reconfigure affected systems or **disconnect SharePoint from the internet** until a patch is available and applied.
- **Assumption of Compromise & Post-Patch Remediation:** Due to cryptographic key theft, organizations must assume compromise has occurred even if patched.
## Detection
- Indicators of Compromise: Privileged access obtained without passing MFA/SSO, unexplained data exfiltration, and the presence of persistent backdoors on SharePoint servers.
- Detection Methods and Tools: Investigate immediately after patching to determine whether compromise occurred before the patch, looking for credential dumping and backdoor artifacts; focus on establishing whether the server's cryptographic keys were stolen, since stolen keys outlive the patch.
## References
- [Vendor Advisory/Guidance (MSRC)](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/)
- [CISA KEV Listing](https://www.cisa.gov/news-events/alerts/2025/07/21/cisa-adds-microsoft-sharepoint-vulnerability-known-exploited-vulnerabilities-catalog) (Inferred location for KEV listing)
- [Eye Security Report](https://research.eye.security/sharepoint-under-siege/)