
Agencies confront strict deadline for addressing SharePoint security weakness

Federal authorities have set a deadline for Monday evening for government agencies to address a critical, unpatched flaw in Microsoft's popular SharePoint software.


The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, is being actively exploited in large-scale attacks. The flaw allows unauthenticated remote code execution through deserialization of untrusted data, enabling attackers to execute commands, establish persistence, and move laterally within compromised networks.
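The root cause named above, deserialization of untrusted data, is a class of weakness rather than something specific to SharePoint. The following is an added illustration, not code from the article, from Microsoft or from SharePoint (which is .NET, not Python): a serialized stream is allowed to name the callable that reconstructs an object, so whoever controls the bytes controls what runs during deserialization. The `side_effect` function, the `Payload` class and the `RestrictedUnpickler` allow-list are constructed for the demonstration; the guard pattern (deny by default, permit only known types) is the standard defensive fix and is what the "suspicious deserialization" monitoring recommended later in the article is trying to catch when it is absent.

```python
import io
import pickle

# Constructed audit trail: records every time the "attacker-chosen" callable
# actually ran inside the deserializer, so the demo can prove what happened.
INVOKED = []


def side_effect(tag):
    """Harmless stand-in for whatever callable the serialized bytes name."""
    INVOKED.append(tag)
    return tag


class Payload:
    """Object whose serialized form reconstructs itself by calling side_effect().

    Pickle honours __reduce__, so the stream carries a reference to the
    callable plus its arguments; the deserializer invokes it on load.
    """

    def __reduce__(self):
        return (side_effect, ("executed-during-deserialization",))


class RestrictedUnpickler(pickle.Unpickler):
    """Deny-by-default deserializer: only (module, name) pairs on ALLOWED resolve."""

    ALLOWED = {
        ("builtins", "dict"),
        ("builtins", "list"),
        ("builtins", "str"),
        ("builtins", "int"),
    }

    def find_class(self, module, name):
        # Every global reference in the stream passes through here; anything
        # not explicitly allow-listed is rejected before it can be called.
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked deserialization of {module}.{name}")


def naive_loads(data):
    """The vulnerable pattern: trust the bytes, resolve any callable they name."""
    return pickle.loads(data)


def restricted_loads(data):
    """The hardened pattern: same format, but globals resolve only via the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Run untrusted and benign streams through both deserializers and report."""
    INVOKED.clear()
    untrusted = pickle.dumps(Payload())  # constructed hostile input
    naive_loads(untrusted)  # the callable runs as a side effect of loading
    fired_by_naive = len(INVOKED)

    try:
        restricted_loads(untrusted)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    fired_by_restricted = len(INVOKED) - fired_by_naive

    # Ordinary data still round-trips through the hardened path.
    benign = pickle.dumps({"title": "Q3 plan", "pages": 12})
    return {
        "naive_invoked": fired_by_naive,
        "restricted_blocked": blocked,
        "restricted_invoked": fired_by_restricted,
        "benign_roundtrip": restricted_loads(benign),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the two paths is that nothing about the hostile stream looks malformed: it parses cleanly and the naive loader does exactly what the format tells it to. That is why a pre-authentication deserialization endpoint is so dangerous, and why the fix is to constrain what the deserializer may instantiate rather than to validate the bytes after the fact.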

Threat actors exploiting this zero-day include multiple China-backed hacking groups, such as 'Linen Typhoon', 'Violet Typhoon', and 'Storm-2603', which have been exploiting the vulnerability since at least early July 2025. These groups focus on intellectual property theft, espionage, and potentially ransomware attacks.

The vulnerability poses a significant risk to federal agencies due to the sensitive data SharePoint often holds and the sophisticated tactics used to evade detection by blending malicious activity with legitimate SharePoint operations. Threat intelligence analysts have seen hackers using the SharePoint vulnerability to steal cryptographic keys from victim servers.

As of late July 2025, Microsoft has not yet released a full patch for CVE-2025-53770 but is preparing and fully testing a comprehensive fix, expected soon. In the meantime, Microsoft strongly recommends heightened endpoint detection and response capabilities to monitor and identify suspicious activity related to SharePoint, due to the stealthy nature of the attacks.

Organizations are urged to reduce their attack surface by limiting exposure of SharePoint servers to untrusted networks and applying the available mitigations from Microsoft's advisory, pending the official patch. CISA encourages all organizations with on-premises Microsoft SharePoint servers to take the recommended actions immediately.

Charles Carmakal, senior vice president of Mandiant, stated that this isn't an "apply the patch and you're done" situation, and organizations need to implement mitigations right away, assume compromise, investigate whether the system was compromised prior to the patch/mitigation, and take remediation actions. Michael Sikorski from Unit 42 echoes this sentiment, urging organizations running on-prem SharePoint to take immediate action, apply all relevant patches, rotate all cryptographic material, and engage professional incident response.

On Monday, Microsoft released emergency patches for the critical zero-day vulnerability in SharePoint software. The scope and impact of the remote code execution vulnerability are still being assessed, but Unit 42's telemetry confirms that government entities globally have been impacted by the exploitation of the SharePoint vulnerability.

Given the ongoing exploitation and pending patch, federal agencies should prioritize immediate risk assessment of on-premises SharePoint deployments, deployment of advanced monitoring tools for suspicious deserialization and lateral movement, application of any interim mitigations Microsoft has published, and preparation for rapid patch deployment once the official fix is released.

  1. Federal agencies, and the workforce that administers their systems, should prioritize addressing the critical zero-day vulnerability in Microsoft SharePoint, as it is being actively exploited and poses a significant risk to sensitive data.
  2. With CVE-2025-53770 under active exploitation, federal agencies and other organizations should focus on securing their data and cloud infrastructure, including endpoint detection and response capabilities to monitor for and identify suspicious activity.
  3. Because continued exploitation of the zero-day could lead to data breaches and theft of sensitive information, the federal workforce should treat cybersecurity as a top priority.
