Microsoft has Danny has published detailed security updates and advisory information on the escalated use of serious vulnerabilities in SharePoint Server that affect on-premises deployments. These bugs are called CVE-2025-53770 and CVE-2025-53771, and they allow hackers to execute arbitrary code and authenticated bypass on SharePoint servers via network connection.ย The Microsoft response consists of an immediate security patch, increased detection possibilities, and a comprehensive mitigation strategy.
Critical vulnerabilities: SharePoint servers are under attack
Microsoft has confirmed indications of active exploits that target on-premises SharePoint Server customers and exploit two related vulnerabilities. CVE-2025-53770 according to the Microsoft Security Response Center But according to the Microsoft Security Response Center, CVE-2025-53770 can be used to use malicious code remotely by deserializing untrusted data, whereas CVE-2025-53771 can be used to bypass authentication altogether by doing so.
According to the NCSC, these are the vulnerabilities that impact institutions that deploy Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Notably, SharePoint Online on Microsoft 365 remains unaffected by these vulnerabilities, and it is limited to threats to on-premises installations.
It is in response to this that Microsoft issued wholesome security updates
Microsoft has issued security updates that completely addressed customers using all the supported versions of SharePoint that were affected by both these vulnerabilities. It is stressed that such updates should be installed as soon as possible in order to provide security, because the SharePoint security updates are cumulative.
Further security constructions: Multi-layered security system
Besides spending time on security patching, Microsoft suggests a five-step approach with regard to protection. The NCSC guidance highlights that supported versions of on-premises SharePoint Server, the Anti-malware Scan Interface (AMSI) should be properly configured with appropriate antivirus solutions, including Defender Antivirus.
Microsoft also suggests the deployment of Microsoft Defender Endpoint protection or overall threat remedies to identify and thwart post-exploitation activity. Special notifications such as”Possible web shell installation, “Possible exploitation of SharePoint server vulnerabilities and Suspicious IIS worker process behavior have been added to enhance the detection capabilities of the company.
That is how machine key rotation will add extra security
An important detail of the Microsoft-recommended process is that SharePoint Server ASP.NET machine keys are rotated after administering security updates. The company includes comprehensive PowerShell instructions on updating the machine keys of the web applications, which is then followed by the restart of IIS using iisreset.exe on all SharePoint machines.
Detection and hunting abilities: Threat advanced monitoring
Microsoft has put in place a comprehensive detection mechanism, such as Defender Antivirus, that offers protection against components and behaviors against such threats. The firm has released certain detection identifiers such as ‘Exploit/SuspSignoutReq.A’ and ‘Trojan/HijackSharePointServer.A’.
CVSS scores in the Microsoft Defender Vulnerability Management system, as well as zero-day flags, have also been added to both vulnerabilities and all versions of the affected SharePoint. Complex hunting questions can be downloaded to help organizations search for exploitation activity, such as the detection of successful exploitation based on file creation patterns.
Appeal by the international community: UK bodies are asked to respond promptly
The NCSC has provided urgent guidance in which it advises UK organizations to act now to address these weaknesses. The agency acknowledges that there is active exploitation in the wild with active attacks against on-premises SharePoint Server customers, including those organizations in the United Kingdom.
The response of Microsoft to the April SharePoint vulnerabilities illustrates the use of a multi-pronged approach in mitigating the effects of active compromise through patching, detecting, and providing highly detailed mitigation advice. The company has been working with other global cybersecurity authorities, such as the NCSC, which shows how serious these threats are and how it is crucial to have a coordinated response.