Enginsight recommendations for action
The vulnerability in on-premises Microsoft SharePoint Server (CVE-2025-53770), classified as critical, is currently being actively exploited in the wild. It allows unauthenticated attackers who can reach the server over the network to execute arbitrary code (remote code execution, RCE) and thereby completely compromise affected systems. SharePoint Online (Microsoft 365) is not affected.
To our knowledge, the following on-premises versions are affected:
SharePoint Server 2019
SharePoint Server Subscription Edition
SharePoint Server 2016 (no patch available at the time of writing)
Microsoft and CISA have published corresponding security advisories and urgently recommend installing the provided updates immediately.
General recommendations:
– Install the SharePoint security updates provided by Microsoft immediately, on every SharePoint server in the farm.
– Enable the AMSI integration in SharePoint and make sure Microsoft Defender Antivirus (or Microsoft Defender for Endpoint) is active on all SharePoint servers.
– After patching, rotate the ASP.NET machine keys (ValidationKey and DecryptionKey) and then restart IIS on every server. This step is not optional: the exploit is used to steal these keys, and stolen keys let attackers sign malicious ViewState payloads that even a patched server accepts until the keys are rotated.
– Check your systems for indicators of compromise: unexpected .aspx files in the SharePoint LAYOUTS directory (the web shell seen in the wild is named spinstall0.aspx), POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit in the IIS logs (typically with the Referer /_layouts/SignOut.aspx), and unexplained changes to the system.
– Carry out forensic measures where necessary and, if needed, call in support from our security team.
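The following script is an added example and is not code from Enginsight or Microsoft. It carries out the hunt and remediation steps listed above on a SharePoint server: it looks for dropped .aspx files in the LAYOUTS folder, scans the IIS W3C logs for the exploit request pattern Microsoft published (POST to ToolPane.aspx with DisplayMode=Edit and the SignOut.aspx Referer), and, only when run with -RotateKeys, rotates the machine keys and restarts IIS. It assumes the default "16" hive path used by SharePoint 2016, 2019 and Subscription Edition, the default IIS log directory, and that the Update-SPMachineKey cmdlet is available on the patched build; adjust the parameters for your farm.

```powershell
<#
Added example (not Enginsight's or Microsoft's code) for CVE-2025-53770 triage.
  1. Dropped web shells: spinstall0.aspx, or any .aspx written recently, in LAYOUTS.
  2. IIS logs: POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit, Referer /_layouts/SignOut.aspx
     (indicators taken from Microsoft's public guidance; check the advisory for updates).
  3. -RotateKeys: rotate the ASP.NET machine keys and restart IIS (only after patching).
Assumptions: default "16" hive path, default IIS log root, Update-SPMachineKey present.
Run from an elevated SharePoint Management Shell on every SharePoint server.
#>
[CmdletBinding()]
param(
    [string]$LayoutsDir = "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    [string]$IisLogRoot = 'C:\inetpub\logs\LogFiles',
    [int]$LookbackDays = 30,
    [switch]$RotateKeys
)

$since = (Get-Date).AddDays(-$LookbackDays)

# --- 1. Dropped .aspx files in LAYOUTS ------------------------------------
# The known filename is matched explicitly; any other .aspx created or changed
# inside the lookback window is reported as well, because names vary.
$suspectFiles = Get-ChildItem -Path $LayoutsDir -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ieq 'spinstall0.aspx' -or $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since }
foreach ($f in $suspectFiles) {
    $sha256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $msg = 'Suspicious LAYOUTS file {0} (created {1:u}, modified {2:u}, SHA256 {3})' -f $f.FullName, $f.CreationTime, $f.LastWriteTime, $sha256
    Write-Warning $msg
}

# --- 2. Exploit requests in IIS logs --------------------------------------
# W3C logs announce their column order in a '#Fields:' header; read it instead
# of assuming a fixed layout. A column that is not logged (e.g. cs(Referer))
# yields '-' rather than an indexing error.
function Get-Field([string[]]$Parts, [hashtable]$Index, [string]$Name) {
    if ($Index.ContainsKey($Name) -and $Index[$Name] -lt $Parts.Count) { $Parts[$Index[$Name]] } else { '-' }
}

$hits = @(foreach ($log in Get-ChildItem -Path $IisLogRoot -Recurse -Filter '*.log' -File -ErrorAction SilentlyContinue |
                      Where-Object { $_.LastWriteTime -ge $since }) {
    $idx = @{}
    foreach ($line in [System.IO.File]::ReadLines($log.FullName)) {
        if ($line.StartsWith('#Fields:')) {
            $cols = $line.Substring(8).Trim() -split ' '
            $idx = @{}
            for ($i = 0; $i -lt $cols.Count; $i++) { $idx[$cols[$i]] = $i }
            continue
        }
        if ($line.StartsWith('#') -or $idx.Count -eq 0) { continue }
        $p = $line -split ' '
        if ((Get-Field $p $idx 'cs-method') -ne 'POST') { continue }
        if ((Get-Field $p $idx 'cs-uri-stem') -notmatch '/_layouts/15/ToolPane\.aspx$') { continue }
        if ((Get-Field $p $idx 'cs-uri-query') -notmatch 'DisplayMode=Edit') { continue }
        [pscustomobject]@{
            Log      = $log.Name
            Time     = '{0} {1}' -f (Get-Field $p $idx 'date'), (Get-Field $p $idx 'time')
            ClientIP = Get-Field $p $idx 'c-ip'
            Referer  = Get-Field $p $idx 'cs(Referer)'
            Status   = Get-Field $p $idx 'sc-status'
        }
    }
})

if ($hits.Count -eq 0) {
    Write-Host ('No ToolPane.aspx edit POSTs found in IIS logs since {0:u}.' -f $since)
} else {
    $hits | Sort-Object Time | Format-Table -AutoSize
    # The SignOut.aspx Referer is the high-confidence marker; edit-mode POSTs without
    # it still deserve a look if the client IP is not one of your administrators.
    $strong = @($hits | Where-Object { $_.Referer -match '/_layouts/SignOut\.aspx' })
    Write-Warning ('{0} ToolPane.aspx edit POSTs, {1} of them with the SignOut.aspx Referer (likely exploitation attempts)' -f $hits.Count, $strong.Count)
}

# --- 3. Post-patch only: rotate machine keys and restart IIS ---------------
# Stolen keys let an attacker keep forging signed ViewState payloads on a patched
# server, so rotation is part of the fix. Update-SPMachineKey deploys the new keys
# farm-wide; IIS still has to be restarted on every server afterwards.
if ($RotateKeys) {
    if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    }
    Get-SPWebApplication | ForEach-Object {
        Write-Host "Rotating machine keys for $($_.Url)"
        Update-SPMachineKey -WebApplication $_
    }
    iisreset.exe
}
```

Run the script without -RotateKeys first and save the output; a hit with the SignOut.aspx Referer or a spinstall0.aspx file means the server should be treated as compromised and the forensic steps above apply before it goes back online. Only rotate keys once the security update is installed, otherwise the attacker can simply steal the new keys again.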
Our recommendation based on current knowledge
A server that was compromised before the update can remain under attacker control afterwards: the web shell used in these attacks reads the ASP.NET machine keys, and with stolen keys the attackers can sign malicious ViewState payloads that a patched server still accepts until the keys are rotated. We therefore recommend keeping on-premises servers disconnected from the internet even after the security update has been installed, until the machine keys have been rotated, IIS has been restarted and the checks for indicators of compromise have come back clean. Since we classify the current vulnerability as very critical, we generally recommend creating an alert for newly published critical CVEs with a CVSS score of 9 or higher. We are also already working on detecting possible attacks via CVE-2025-53770 in the short term and will keep you informed of updates as soon as possible.