Customer guidance for SharePoint vulnerability CVE-2025-53770

Revision history (revision, change, date):

  1.0 (07/19/25): Information published
  2.0 (07/20/25): Clarified affected SharePoint product in summary. Added fix availability guidance. Provided additional protections guidance regarding:
    • Upgrade SharePoint products to supported versions (if required)
    • Install July 2025 Security Updates
    • Rotate machine keys
  Updated Microsoft Defender detections and protections section:
    • Documented additional MDE alerts
    • Mapping exposure via Microsoft Defender Vulnerability Management
    • Documented CVE-2025-53771
  3.0: Published SharePoint 2019 security update, included links to CVEs and published security updates
  4.0 (07/21/25): Corrected links to security updates and clarified guidance in protection guidance
  5.0 (07/21/25): Published SharePoint 2016 security updates, added links to SharePoint language packs, and updated customer guidance
  6.0 (07/22/25): Added link to Threat Intel Blog
  7.0 (07/23/25): Added Defender detections, minor revisions for clarity or grammar errors

Summary

Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.

Microsoft has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771. Customers should apply these updates immediately to ensure they’re protected.

These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.

SharePoint security updates are cumulative. If you apply the latest security updates linked here, you do not need to apply the earlier updates; however, both of the updates provided for SharePoint 2016 and for SharePoint 2019 should be applied.

A Threat Intelligence Blog has been published that provides threat actor tactics, techniques, and procedures, indicators of compromise, and guidance for threat hunting in your own environment: Disrupting active exploitation of on-premises SharePoint vulnerabilities.

To mitigate potential attacks customers should:

  1. Use supported versions of on-premises SharePoint Server
  2. Apply the latest security updates linked above.
  3. Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
  4. Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution such as Defender Antivirus
  5. Rotate SharePoint Server ASP.NET machine keys

Detailed guidance for each step, as well as detection, protection, and hunting guidance, is provided below.

How to protect your environment

Customers using a supported version of SharePoint (SharePoint Subscription Edition, SharePoint 2019, or SharePoint 2016) should apply the security updates provided in CVE-2025-53770 & CVE-2025-53771 immediately to mitigate the vulnerability.

  1. Use or upgrade to supported versions of on-premises Microsoft SharePoint Server

    • Supported versions: SharePoint Server 2016, 2019, & SharePoint Subscription Edition

  2. Ensure the Antimalware Scan Interface is turned on and configured correctly

Configure Antimalware Scan Interface (AMSI) integration in SharePoint. If HTTP Request Body scanning is available, enable Full Mode, which offers the most comprehensive protection, and deploy Microsoft Defender Antivirus on all SharePoint servers; this will stop unauthenticated attackers from exploiting this vulnerability.

Note: AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.

If you cannot enable AMSI, we recommend you consider disconnecting your server from the Internet until you have applied the latest security update linked above. If the server cannot be disconnected from the internet, consider using a VPN or proxy requiring authentication or an authentication gateway to limit unauthenticated traffic.

  3. Deploy Microsoft Defender for Endpoint, or equivalent solutions

We also recommend you deploy Defender for Endpoint to detect and block post-exploit activity.

  4. Rotate SharePoint Server ASP.NET machine keys

It is critical that customers rotate SharePoint Server ASP.NET machine keys and restart IIS on all SharePoint servers after applying the latest security updates above or enabling AMSI. Follow the PowerShell guidance in "Improved ASP.NET view state security and key management".

To update the machine keys for a web application using PowerShell:

  1. Generate the machine key in PowerShell using Set-SPMachineKey -WebApplication <SPWebApplicationPipeBind>
  2. Deploy the machine key to the farm in PowerShell using Update-SPMachineKey -WebApplication <SPWebApplicationPipeBind>

After the rotation has completed, restart IIS on all SharePoint servers using iisreset.exe.
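The two cmdlets and the IIS restart combined into one farm-wide run, as an added example that is not the advisory's own script. It assumes the SharePoint Management Shell on a farm server, a farm administrator account, and PowerShell remoting (WinRM) to the other SharePoint servers for the iisreset step.

```powershell
# Added example (not from the Microsoft advisory): rotate the ASP.NET machine keys of
# every content web application in the farm, then restart IIS on every SharePoint server.
# Assumes: SharePoint Management Shell, farm administrator rights, WinRM to all servers.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$results = foreach ($webApp in Get-SPWebApplication) {
    try {
        Set-SPMachineKey -WebApplication $webApp      # generate a new key for this web application
        Update-SPMachineKey -WebApplication $webApp   # deploy it to web.config on every farm server
        [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $false; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# Restart IIS only once every rotation succeeded; otherwise fix the failures first,
# since a server still running the old keys stays exposed after the restart.
if ($results.Rotated -contains $false) {
    Write-Warning 'Key rotation failed for at least one web application; resolve before restarting IIS.'
    return
}

# Role 'Invalid' marks servers without a SharePoint role (for example the SQL Server host).
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | Select-Object -ExpandProperty Address
foreach ($server in $servers) {
    Write-Host "Restarting IIS on $server"
    Invoke-Command -ComputerName $server -ScriptBlock { iisreset.exe | Out-Null }
}
```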

If you cannot enable AMSI, you will need to rotate your keys after you install the new security update.

Microsoft Defender Detections and Protections

Microsoft Defender Antivirus

Microsoft Defender Antivirus provides detection and protection against components and behaviors related to this threat under the detections named:

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint provides customers with alerts that may indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity. The following alert titles in the Microsoft Defender Security Center portal can indicate threat activity on your network:

  • Possible web shell installation
  • Possible exploitation of SharePoint server vulnerabilities
  • Suspicious IIS worker process behavior
  • IIS worker process loaded suspicious .NET assembly
  • ‘SuspSignoutReq’ malware was blocked on a SharePoint server
  • ‘HijackSharePointServer’ malware was blocked on a SharePoint server

Mapping Exposure in Microsoft Defender Vulnerability Management

MDVM vulnerability records now include CVSS scores and zero-day flags for both vulnerabilities, for all impacted SharePoint versions, including SharePoint Server 2010 & 2013.

Browse to Vulnerability management ▸ Software vulnerabilities and filter by the vulnerability identifiers to view exposed devices, remediation status and Evidence of Exploitation tags.

Unified Advanced Hunting query

    DeviceTvmSoftwareVulnerabilities
    | where CveId in ("CVE-2025-49706","CVE-2025-53770")

Advanced hunting

Additional guidance for threat hunting in your own environment can be found in our Threat Intelligence Blog: Disrupting active exploitation of on-premises SharePoint vulnerabilities.

The following sample queries search a week's worth of events. To inspect up to the past 30 days of events in your network and locate potentially related indicators, go to the Advanced Hunting page > Query tab and select the calendar dropdown menu to change the query's time range to the last 30 days.

To locate possible exploitation activity, run the following queries in Microsoft 365 security center.

Successful exploitation via file creation (requires Microsoft 365 Defender)

Look for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770. Run the query in Microsoft 365 Defender.

    DeviceFileEvents
    | where FolderPath has_any (@'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS', @'microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS')
    | where FileName has "spinstall0"
    | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
    | order by Timestamp desc

Look for process creations where w3wp.exe spawns encoded PowerShell that references the spinstall0 file or the file paths it is known to be written to.

    DeviceProcessEvents
    | where InitiatingProcessFileName has "w3wp.exe"
        and InitiatingProcessCommandLine !has "DefaultAppPool"
        and FileName =~ "cmd.exe"
        and ProcessCommandLine has_all ("cmd.exe", "powershell")
        and ProcessCommandLine has_any ("EncodedCommand", "-ec")
    | extend CommandArguments = split(ProcessCommandLine, " ")
    | mv-expand CommandArguments to typeof(string)
    | where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"
    | extend B64Decode = replace("\\x00", "", base64_decodestring(tostring(CommandArguments)))
    | where B64Decode has_any ("spinstall0", @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS', @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS')
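The same w3wp.exe-spawns-encoded-PowerShell logic as a local check for servers that are not onboarded to Defender, added here and not part of the Microsoft advisory. It assumes process-creation records with parent image, parent command line and command line fields (for example exported Security 4688 or Sysmon Event ID 1 data); the sample records are constructed.

```powershell
# Added example (not from the Microsoft advisory): mirror the hunting query above on
# locally collected process-creation records. Sample records below are constructed.
$Indicators = @(
    'spinstall0',
    'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS',
    'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS'
)

function Test-SuspiciousEncodedCommand {
    param([string]$ParentImage, [string]$ParentCommandLine, [string]$CommandLine)
    # cmd.exe spawned by a w3wp.exe worker outside DefaultAppPool, running encoded PowerShell
    if ($ParentImage -notmatch 'w3wp\.exe$') { return $null }
    if ($ParentCommandLine -match 'DefaultAppPool') { return $null }
    if ($CommandLine -notmatch 'powershell' -or $CommandLine -notmatch '(EncodedCommand|-ec)') { return $null }
    foreach ($arg in ($CommandLine -split ' ')) {
        if ($arg -notmatch '^[A-Za-z0-9+/=]{15,}$') { continue }
        # -EncodedCommand is Base64 over UTF-16LE, so decode as Unicode directly instead of
        # decoding as UTF-8 and stripping the \x00 bytes the way the KQL query does
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($arg)) } catch { continue }
        foreach ($ioc in $Indicators) {
            if ($decoded.IndexOf($ioc, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                return [pscustomobject]@{ Indicator = $ioc; DecodedCommand = $decoded }
            }
        }
    }
    return $null
}

# Constructed sample records: one from DefaultAppPool (ignored) and one from a content
# application pool whose encoded command references a LAYOUTS path.
$layouts = 'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Get-ChildItem '$layouts'"))
$records = @(
    @{ ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'; ParentCommandLine = 'w3wp.exe -ap "DefaultAppPool"'
       CommandLine = "cmd.exe /c powershell -ec $encoded" },
    @{ ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'; ParentCommandLine = 'w3wp.exe -ap "SharePoint - 80"'
       CommandLine = "cmd.exe /c powershell -EncodedCommand $encoded" }
)
foreach ($record in $records) {
    $hit = Test-SuspiciousEncodedCommand @record
    if ($hit) { Write-Warning "Indicator '$($hit.Indicator)' in decoded command: $($hit.DecodedCommand)" }
}
```

Only the second record produces a warning; feed the function real records from your EDR or event-log export in place of the constructed ones.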