Microsoft patches under-attack SharePoint 2019 and SE
- Reference: 1753092192
- News link: https://www.theregister.co.uk/2025/07/21/underattack_sharepoint_2019_and_se/
- Source link:
If AMSI can't be enabled, Microsoft's advice is blunt: "We recommend you consider disconnecting your server from the internet until a security update is available."
The fixes are related to [1]CVE-2025-53770, a remote code execution vulnerability, and [2]CVE-2025-53771, a path traversal vulnerability.
Microsoft has [3]advised administrators of on-premises SharePoint Server 2019 and SharePoint Server Subscription Edition to apply the fixes immediately. SharePoint Server 2016 is also affected, but has yet to receive its fixes. At the time of writing, Microsoft said it was "actively working on updates."
The company has not elaborated on why the security patches issued earlier in July only "partially addressed" the issues. As previously [4]reported, SharePoint Online is not affected. It appears that attackers were able to bypass Microsoft's July fix, resulting in the discovery of two new zero-day vulnerabilities.
As well as instructing administrators to ensure their servers are up to date and patched, Microsoft has also said that the Antimalware Scan Interface (AMSI) integration in SharePoint should be set to Full Mode and that admins should deploy Defender Antivirus to all SharePoint Servers to "stop unauthenticated attackers from exploiting this vulnerability."
AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016 / 2019, as well as the 23H2 update for SharePoint Server Subscription Edition.
However, if AMSI can't be enabled, Microsoft's advice is blunt: "We recommend you consider disconnecting your server from the internet until a security update is available."
As vulnerabilities go, this is a particularly bad one. If an attacker were able to gain access to an organization's SharePoint, then there is a very good chance that, due to the interconnected nature of the service, they will also be able to access other data. In addition, simply installing the patches (currently only for SharePoint Server 2019 and Subscription Edition) won't necessarily solve the problem; hence, the instruction to "Rotate SharePoint Server ASP.NET machine keys."
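The key rotation step named above, sketched as an added example (not code from the article or from Microsoft's guidance as quoted here). It assumes a SharePoint Management Shell session run by a farm administrator after the security update is installed, and uses the `Set-SPMachineKey` and `Update-SPMachineKey` cmdlets:

```powershell
# Added example: rotate the ASP.NET machine keys of every web application
# in the farm and report the outcome per web application.
# Assumption: running in the SharePoint Management Shell as a farm admin.

$results = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    $status = 'Rotated'
    try {
        # Generate a new machine key for this web application.
        Set-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        # Deploy the new key to the servers in the farm.
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
    }
    catch {
        # Record the failure so no web application is silently skipped.
        $status = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        WebApplication = $webApp.Url
        Status         = $status
    }
}

$results | Format-Table -AutoSize

# IIS has to be restarted on each SharePoint server before worker processes
# pick up the new keys. List the servers that still need an iisreset;
# the 'Invalid' role filters out non-SharePoint hosts such as database servers.
Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object Address, Role |
    Format-Table -AutoSize
```

Any row marked FAILED still carries its old key and needs to be retried before the farm is treated as rotated.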
Talking to [11]Forbes, Michael Sikorski, head of threat intelligence for Unit 42 at Palo Alto Networks, said, "If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point." ®
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771
[3] https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
[4] https://www.theregister.com/2025/07/21/infosec_in_brief/
[6] https://www.theregister.com/2025/02/05/windows_10_esu_program/
[7] https://www.theregister.com/2025/07/21/infosec_in_brief/
[8] https://www.theregister.com/2025/07/11/microsoft_offers_eu_cloud_providers/
[9] https://www.theregister.com/2025/07/02/exchange_skype_subscription_versions/
[11] https://www.forbes.com/sites/daveywinder/2025/07/21/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/
There are models of car that have been very publicly vulnerable to USB/Bluetooth attacks to the point that the criminal fraternity targeted them explicitly and insurers started to refuse insurance for them.
Doesn't make either situation any better, but modern life apparently now means "we don't give a damn, you've already paid us".
Ah, so you haven't owned a Kia, then...
Ah, SharePoint
My upper management had a "joint" conference in which they all smoked the SharePoint-flavored weed.
From then on, it was mandated that all technical docs be entered into our new SharePoint system. After a year and a half of various SharePoint-related troubles, people started going back to creating/using server-shared docs, management ignored their own mandate, and bumbled their way toward The Next Cool Thing.
I have to ask myself
I'm hearing China is the big aggressor here, not a surprise. They have become increasingly more and more aggressive with their criminal activity. I have to ask myself tho, who's the bigger aggressor? China for their underhanded, spying thievery, or Microsoft for stealing all your data and putting on the web to train their AI without a care.
can someone please....
shoot the bloody thing and bury it. I can't believe this POS is still lumbering about networks in 2025.
Imagine a car manufacturer saying
"If you own a assume anyone can open any of the doors at any time. Do not leave your cat unattended."