Critical New SharePoint Server Vulnerability: What You Need to Know
🔍 What Just Happened
On July 21, 2025, Microsoft confirmed widespread active exploitation of a critical zero-day vulnerability in on-premises SharePoint Server (not affecting SharePoint Online/Microsoft 365). Hackers have leveraged this under-the-radar flaw, CVE‑2025‑53770 (and related CVE‑2025‑53771), to compromise approximately 75 servers, including those at U.S. government agencies and leading companies.
⚠️ Why It Matters
- Remote Code Execution & Spoofing: The attackers gain deep access by impersonating trusted sources, potentially enabling full server takeover.
- High Stakes: Exploits targeting mission-critical infrastructure mean that once accessed, attackers can exfiltrate data, deploy malware, or disrupt services.
- Not Just Theory, It’s Happening: With at least 75 servers confirmed breached, this is no drill.
🛠 What Microsoft Is Doing
- Emergency Patches Issued (July 8, 2025): Security updates released for SharePoint Server 2019 and Subscription Edition under KB5002741, KB5002751, and related KBs.
- Fixes Still Pending: Patches for SharePoint Server 2016 are expected soon; as of now, they are unavailable.
- Recommended Defensive Actions:
  - Apply patches immediately.
  - If patching isn't possible, disconnect vulnerable servers from the internet or enable advanced malware protection.
📅 Timeline of Key Events
- January–May 2025: Microsoft patched several SharePoint vulnerabilities (CVE‑2025‑21344, CVE‑2025‑30382, CVE‑2025‑49701, and others). These included remote code execution (RCE) and spoofing flaws that hinted at deeper risks within on-prem environments.
- July 8, 2025: As part of Patch Tuesday, Microsoft released emergency security updates for SharePoint Server 2019 and Subscription Edition (KB5002741, KB5002751). These updates addressed a newly discovered zero-day vulnerability, CVE‑2025‑53770, being actively exploited in the wild.
- July 21, 2025: Microsoft publicly confirmed that at least 75 servers had been breached using this flaw. The attackers leveraged spoofing to gain deep access, triggering widespread concern in both government and private sectors. A patch for SharePoint Server 2016 is still pending at this time.
✅ Immediate Mitigation Steps
- Patch Immediately:
  - On‑prem SharePoint 2019: Install KB5002741.
  - Subscription Edition: Install KB5002751.
- Isolate If You Can’t Patch: Remove public access or enable robust malware scanning.
- Monitor & Audit: Keep an eye on logs for unusual activity or spoofed traffic.
- Plan 2016 Update: Track Microsoft’s upcoming 2016 patch and be ready to deploy once available.
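The "Monitor & Audit" step above is easier to act on with a concrete log check. The script below is an added example written for this post (not Microsoft's tooling and not code from the original article): it parses IIS W3C logs from an on-prem SharePoint server and flags two things a defender would want to review while a server is waiting for its patch: unauthenticated POST requests to SharePoint application pages from outside the internal network, and request bursts from a single client. The internal address ranges, the `/_layouts/` prefix used to recognise application pages, the burst threshold and the sample log lines are all constructed assumptions for the example, not indicators published for this vulnerability.

```python
"""Triage IIS W3C logs from an on-prem SharePoint server.

Added example for the advisory above; not part of the original post and
not vendor tooling. Flags (1) unauthenticated POSTs to application pages
from non-internal sources and (2) request bursts from one client address.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: these ranges are the organisation's internal networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: SharePoint application pages are served under this prefix.
APP_PAGE_PREFIX = "/_layouts/"

# Constructed sample log (IIS replaces spaces in the User-Agent with '+').
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-07-20 02:14:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200 120
2025-07-20 02:14:05 10.0.0.5 POST /_layouts/15/settings.aspx - 443 - 203.0.113.7 python-requests/2.31 200 85
2025-07-20 02:14:06 10.0.0.5 POST /_layouts/15/settings.aspx - 443 - 203.0.113.7 python-requests/2.31 200 90
2025-07-20 02:14:06 10.0.0.5 GET /_layouts/15/spfile.aspx - 443 - 203.0.113.7 python-requests/2.31 404 3
2025-07-20 02:15:30 10.0.0.5 POST /_layouts/15/settings.aspx - 443 CORP\bob 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0) 200 150
"""


def parse_iis_log(text):
    """Return one dict per request, keyed by the names in the #Fields: header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log has no #Fields: header before data lines")
        values = line.split()
        if len(values) != len(fields):   # malformed line: skip, keep going
            continue
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def is_internal(ip):
    """True if the client address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_unauthenticated_posts(records):
    """POSTs to application pages with no authenticated user, from outside."""
    hits = []
    for r in records:
        if (r["cs-method"].upper() == "POST"
                and r["cs-username"] == "-"
                and r["cs-uri-stem"].lower().startswith(APP_PAGE_PREFIX)
                and not is_internal(r["c-ip"])):
            hits.append((r["c-ip"], r["cs-uri-stem"], r["sc-status"]))
    return hits


def request_bursts(records, window=timedelta(seconds=60), threshold=3):
    """Map client IP -> peak request count inside any sliding window."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["c-ip"]].append(r["timestamp"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def triage(text):
    """Run both checks over a log file's text and return the findings."""
    records = parse_iis_log(text)
    return {
        "external_unauth_posts": external_unauthenticated_posts(records),
        "bursts": request_bursts(records),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(name, finding)
```

Run it against a real `u_ex*.log` by reading the file into `triage()`. Both checks deliberately key on the page's own advice (servers should not be reachable from the public internet while unpatched), so any hit from a non-internal address is worth a look regardless of the request path; tune `INTERNAL_NETS` and the burst threshold to your environment before trusting the output.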
🌐 Broader Patch Landscape
July 2025’s Patch Tuesday tackled 132–137 security flaws across Windows, Office, SQL Server, and SharePoint, including another publicly disclosed zero-day in SQL Server (CVE‑2025‑49719). While only one zero-day involved SharePoint this month, the sheer volume and severity of bugs underline the importance of timely patch management.
👨💼 Final Take
This isn’t a drill: an actively exploited zero-day in SharePoint Server demands urgent action.
Your top priorities:
- Patch immediately if you're running on-prem SharePoint 2019 or Subscription Edition.
- Isolate vulnerable systems if patching isn’t yet possible.
- Stay alert for forthcoming patches for 2016.
🔒 Thinking Ahead
- Ensure robust change control, backup validation, and incident response readiness.
- Consider internal segmenting of SharePoint servers and stricter access policies.
- Stay informed: This may not be the last critical vulnerability in SharePoint this year.