
Inside the SharePoint Server Exploit and How to Defend Against It

  • Writer: Kenneth Nguyen
  • Jul 25
  • 4 min read

Overview 

A critical zero-day vulnerability, CVE-2025-53770, has been discovered in Microsoft SharePoint Server. This vulnerability allows authenticated Site Owners to execute arbitrary code and extract sensitive configuration data, including cryptographic MachineKey material. Microsoft has confirmed active exploitation, and CISA has added it to its Known Exploited Vulnerabilities catalog. Over 10,000 organizations are potentially exposed.

 

What Is CVE-2025-53770? 

CVE-2025-53770 is a remote code execution (RCE) vulnerability in SharePoint Server 2019 and Subscription Edition. It enables attackers with Site Owner privileges to send specially crafted API requests that run arbitrary code in the context of the server. This also gives them access to sensitive files and keys such as MachineKey, which can be abused to forge authentication tokens or install persistent backdoors.

 

Timeline of Events 

- July 7, 2025: Exploitation activity detected in the wild 

- July 18, 2025: Over 400 servers confirmed compromised 

- July 19, 2025: Microsoft publishes public guidance and patches 

- July 20, 2025: CISA adds CVE-2025-53770 to KEV catalog

 

Why It’s So Dangerous 

This is not a typical vulnerability. Once the MachineKey is extracted, attackers can impersonate users, bypass authentication, persist after patching, or deploy ransomware. The attack is silent and hard to detect unless proper logging and runtime scanning (via AMSI) are enabled.

 

Who’s at Risk 

Any organization running a self-hosted, unpatched SharePoint Server 2019 or Subscription Edition is at risk, especially if the server is accessible from the internet. The government, defense, education, healthcare, and energy sectors are among the most frequently targeted.

 

How the Exploit Works 

Attackers abuse internal SharePoint APIs available to Site Owners to trigger unsafe deserialization or code execution. Because these roles exist in many enterprise SharePoint environments, the exploit doesn’t require a domain admin, just elevated SharePoint access. The result is code execution on the web front end with server-level privileges.

 

Mitigation Steps from Microsoft 

Apply July 2025 Security Updates 

Patch all SharePoint 2019 and Subscription Edition servers using Microsoft’s latest cumulative updates. 

 

Enable AMSI Integration 

Microsoft recommends enabling Antimalware Scan Interface (AMSI) integration in SharePoint Server to provide an additional layer of runtime protection. AMSI allows SharePoint to scan content such as web parts and scripts using your antivirus engine before execution.


Configure AMSI using PowerShell:

# Run from the SharePoint Management Shell; replace <web application URL> with the URL of the web application
Enable-SPFeature -Identity 4cf046f3-38c7-495f-a7da-a1292d32e8e9 -Url <web application URL>

To activate the body scan mode, execute the following command:

$webAppUrl = "http://spwfe"
$webApp = Get-SPWebApplication -Identity $webAppUrl
$webApp.AMSIBodyScanMode = 1 # 0 = Off, 1 = Balanced, 2 = Full
$webApp.Update() # To save changes
# Iisreset # restarting the IIS service or recycling the app pool may be required when switching modes

To configure the body scan mode to Balanced Mode with specific endpoints, execute the following command:

# $webApp is the web application object retrieved with Get-SPWebApplication above
# Get current list of targeted endpoints
$webApp.AMSITargetedEndpoints
# Add a targeted endpoint
$webApp.AddAMSITargetedEndpoints('/test/page123', 1)
# Get a certain targeted endpoint
$webApp.GetAMSITargetedEndpoint('/test/page123')
# Remove a targeted endpoint
$webApp.RemoveAMSITargetedEndpoints('/test/page123')
# Update the web app object to save changes
$webApp.Update()

To configure the body scan mode to Full Mode while excluding endpoints, execute the following command:

# $webApp is the web application object retrieved with Get-SPWebApplication above
# Get current list of excluded endpoints
$webApp.AMSIExcludedEndpoints
# Add an excluded endpoint
$webApp.AddAMSIExcludedEndpoints('/test/page123', 1)
# Get a certain excluded endpoint
$webApp.GetAMSIExcludedEndpoint('/test/page123')
# Remove the same excluded endpoint again
$webApp.RemoveAMSIExcludedEndpoints('/test/page123')
# Update the web app object to save changes
$webApp.Update()
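The commands above configure one web application at a time. The script below is an added example (not from the post or from Microsoft) that audits every web application in the farm for the AMSI feature and body scan mode, and optionally brings non-compliant ones up to the feature-enabled, Balanced baseline. It assumes it runs in the SharePoint Management Shell as a farm administrator; the feature ID is the one quoted in the post.

```powershell
# Added example (not from the post or from Microsoft): audit and baseline AMSI on every web application.
# Assumes it runs in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Feature ID of the AMSI integration feature, as given in the post above
$amsiFeatureId = [Guid]'4cf046f3-38c7-495f-a7da-a1292d32e8e9'
$modeNames = @{ 0 = 'Off'; 1 = 'Balanced'; 2 = 'Full' }

function Get-AmsiStatus {
    # One record per web application: is the feature active, and which body scan mode is set
    foreach ($webApp in Get-SPWebApplication) {
        $featureOn = [bool](Get-SPFeature -WebApplication $webApp -ErrorAction SilentlyContinue |
            Where-Object { $_.Id -eq $amsiFeatureId })
        # Builds without AMSI support have no AMSIBodyScanMode property; $null casts to 0 (Off)
        $mode = [int]$webApp.AMSIBodyScanMode
        [pscustomobject]@{
            WebApplication = $webApp.Url
            AmsiFeature    = $(if ($featureOn) { 'Enabled' } else { 'DISABLED' })
            BodyScanMode   = $modeNames[$mode]
            Compliant      = ($featureOn -and $mode -ge 1)
        }
    }
}

function Enable-AmsiBaseline {
    # Turns the feature on and sets Balanced body scanning wherever the audit found a gap.
    # Run with -WhatIf first to see what would change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($status in (Get-AmsiStatus | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess($status.WebApplication, 'Enable AMSI feature and Balanced body scan')) {
            Enable-SPFeature -Identity $amsiFeatureId -Url $status.WebApplication -ErrorAction SilentlyContinue
            $webApp = Get-SPWebApplication -Identity $status.WebApplication
            if ([int]$webApp.AMSIBodyScanMode -lt 1) {
                $webApp.AMSIBodyScanMode = 1   # Balanced
                $webApp.Update()
            }
        }
    }
}

Get-AmsiStatus | Format-Table -AutoSize
# Enable-AmsiBaseline -WhatIf    # review, then run without -WhatIf; recycle app pools or iisreset afterwards
```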

Remove Internet Access

Microsoft and CISA recommend taking any public-facing SharePoint Server offline if AMSI cannot be enabled or if the server was exposed before patching. Servers should remain disconnected until they are fully patched, reviewed, and confirmed secure.


Conduct Incident Response

If your SharePoint Server was accessible to the internet before patching, Microsoft advises conducting a full investigation. Key steps include:


- Reviewing server logs for signs of suspicious activity (e.g., unexpected POST requests to /_layouts/15/ToolPane.aspx)

- Rotating MachineKey values at least twice after patching

- Rotating SharePoint and SQL-related credentials

- Monitoring for indicators of compromise provided by Microsoft


This guidance is based on Microsoft’s CVE-2025-53770 advisory and CISA’s alert.
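For the log review step, the following is an added example (not from the post, Microsoft or CISA) that parses IIS W3C logs from a front end and lists POST requests to /_layouts/15/ToolPane.aspx grouped by client address. The log lines embedded in the script are constructed for illustration; point -Path at real logs (typically under C:\inetpub\logs\LogFiles\W3SVC*\) to run it on a server. Because legitimate page editing also posts to this endpoint, the output is a triage list to be checked against expected users and source addresses, not proof of compromise.

```powershell
# Added example (not from the post): flag POST requests to ToolPane.aspx in IIS W3C logs.
# The log lines below are constructed sample data; use -Path to read real log files instead.
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.20 Mozilla/5.0 200
2025-07-18 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-18 03:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-18 09:41:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\bob 10.0.0.31 Mozilla/5.0 200
'@

function Find-ToolPanePosts {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The W3C header names the columns, so column order is not hard-coded
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-method'] -eq 'POST' -and $row['cs-uri-stem'] -like '*/_layouts/15/ToolPane.aspx') {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIP = $row['c-ip']
                User     = $row['cs-username']   # '-' means the request was not tied to a logged user
                Status   = $row['sc-status']
            }
        }
    }
}

function Invoke-ToolPaneHunt {
    param([string]$Path)
    $lines = if ($Path) { Get-Content -Path $Path } else { $sampleLog -split "`r?`n" }
    Find-ToolPanePosts -Lines $lines | Group-Object ClientIP |
        Select-Object @{ n = 'ClientIP'; e = { $_.Name } }, Count,
                      @{ n = 'Users';    e = { ($_.Group.User | Sort-Object -Unique) -join ',' } },
                      @{ n = 'First';    e = { $_.Group[0].Time } }
}

# Unauthenticated bursts from a single external address stand out from normal editing traffic
Invoke-ToolPaneHunt | Format-Table -AutoSize
```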


Why AMSI Matters 

According to Microsoft, AMSI (Antimalware Scan Interface) integration in SharePoint Server provides an additional layer of defense by scanning HTTP and HTTPS requests before they are processed. It allows SharePoint to detect and block potentially malicious content in real time by passing requests to the system’s antimalware engine.

This capability is designed to help prevent exploitation of vulnerabilities that may be triggered by specially crafted inputs, including scripts and API requests. AMSI is particularly important in scenarios where an attacker has authenticated access and is attempting to exploit server-side logic.

 

Conclusion 

CVE-2025-53770 is a wake-up call for all organizations running self-hosted collaboration platforms. SharePoint servers are widely deployed, complex to maintain, and without proper runtime protection, easy to exploit.

 

Summary: 

- CVE-2025-53770 is being actively exploited 

- More than 400 servers already compromised 

- The attack allows full system control via Site Owner roles 

- Patch immediately, rotate keys, and enable AMSI 

- If your SharePoint server was public-facing and unpatched before July 20, assume compromise

 
