Posted by: kurtsh | July 22, 2025

INFO: Information re: reported vulnerability affecting SharePoint (CVE-2025-53770)

Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.  These vulnerabilities apply to on-premises SharePoint Servers only.  SharePoint Online in Microsoft 365 is not impacted.  Updates for all supported products have been made available.

To fully address the vulnerability, customers should install the out-of-band update released July 20 (SharePoint 2019 and SharePoint Subscription Edition) and/or July 21 (SharePoint 2016). In cases where the out-of-band update can’t be installed, we recommend that customers enable AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers. This will stop unauthenticated attackers from exploiting this vulnerability. AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. For more details on how to enable AMSI integration, see here. In addition, Microsoft also recommends rotating SharePoint server ASP.NET machine keys and restarting IIS on all SharePoint servers.
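The following is an added example, not part of the original post or Microsoft's own script, showing one way to carry out the Defender AV check, machine-key rotation and IIS restart described above across a farm. It assumes an elevated SharePoint Management Shell on one farm server, PowerShell remoting enabled between farm servers, and the Defender cmdlets available on each server.

```powershell
# Added example: farm-wide Defender check, machine-key rotation, IIS restart.
# Assumptions: elevated SharePoint Management Shell, PS remoting between servers.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ErrorActionPreference = 'Stop'

# SharePoint servers in the farm (Role 'Invalid' marks non-SharePoint hosts such as SQL).
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }

# 1. Confirm Defender AV is active on every SharePoint server.
$av = Invoke-Command -ComputerName $servers.Address -ScriptBlock {
    Get-MpComputerStatus |
        Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled
}
$av | Format-Table PSComputerName, AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled

$gaps = $av | Where-Object {
    -not ($_.AMServiceEnabled -and $_.AntivirusEnabled -and $_.RealTimeProtectionEnabled)
}
if ($gaps) {
    Write-Warning "Defender AV not fully active on: $($gaps.PSComputerName -join ', ')"
}

# 2. Generate new ASP.NET machine keys and deploy them for each web application.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Set-SPMachineKey    -WebApplication $wa   # generate a new key
    Update-SPMachineKey -WebApplication $wa   # push it to the farm servers
    Write-Host "Rotated machine key for $($wa.Url)"
}

# 3. Restart IIS on every SharePoint server so the new keys are loaded.
Invoke-Command -ComputerName $servers.Address -ScriptBlock { iisreset.exe }
```

The IIS restart interrupts service on each server, so run it in a maintenance window.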

The Microsoft Security Servicing Criteria for Windows webpage describes the criteria the Microsoft Security Response Center (MSRC) uses to determine whether a reported vulnerability affecting up-to-date and currently supported versions of SharePoint Server may be addressed through servicing or in the next version of SharePoint Server.

We encourage our customers to follow industry-standard best practices for security and data protection, including embracing the Zero Trust Security model and adopting robust strategies to manage security updates, antivirus updates, and passwords. More information on Zero Trust Security is available at https://aka.ms/zerotrust. Additional information is available at https://www.microsoft.com/en-us/security.
