{"uuid": "7eb6b389-20dd-404f-90c4-314ed370fcc5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Microsoft Sharepoint - Customer guidance for SharePoint vulnerability CVE-2025-53770", "description": "**Customer guidance for SharePoint vulnerability CVE-2025-53770 | MSRC Blog | Microsoft Security Response Center**\n\n#### Summary\n\nMicrosoft is aware of active attacks targeting on-premises SharePoint Server customers. The attacks are exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770.\n\nSharePoint Online in Microsoft 365 is not impacted.\n\nA patch is currently not available for this vulnerability. Mitigations and detections are provided below.\n\nOur team is actively working to release a security update and will provide additional details as they are available.\n\n#### How to protect your environment\n\nTo protect your on-premises SharePoint Server environment, we recommend customers [configure AMSI](https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration) integration in SharePoint and deploy [Defender AV](https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-on-windows-server) on all SharePoint servers. This will stop unauthenticated attackers from exploiting this vulnerability.\n\nAMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. 
For more details on how to enable AMSI integration, [see here](https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration).\n\nIf you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until a security update is available.\n\nWe also recommend you deploy [Defender for Endpoint](https://learn.microsoft.com/en-us/defender-endpoint/mde-planning-guide) to detect and block post-exploit activity.\n\nWe will continue to provide updates and additional guidance for our customers as they become available.\n\n#### Microsoft Defender Detections and Protections\n\n##### Microsoft Defender Antivirus\n\n**Microsoft Defender Antivirus** provides detection and protection against components and behaviors related to this threat under the following detection names:\n\n*   [Exploit:Script/SuspSignoutReq.A](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Script/SuspSignoutReq.A)\n*   [Trojan:Win32/HijackSharePointServer.A](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/HijackSharePointServer.A)\n\n##### Microsoft Defender for Endpoint\n\n**Microsoft Defender for Endpoint** provides customers with alerts that may indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity. 
The following alert titles in the Microsoft Defender Security Center portal can indicate threat activity on your network:\n\n*   Possible web shell installation\n*   Possible exploitation of SharePoint server vulnerabilities\n*   Suspicious IIS worker process behavior\n*   \u2018SuspSignoutReq\u2019 malware was blocked on a SharePoint server\n*   \u2018HijackSharePointServer\u2019 malware was blocked on a SharePoint server\n\n#### Advanced hunting\n\n**NOTE**: The following sample queries let you search for a week\u2019s worth of events. To explore up to 30 days\u2019 worth of raw data to inspect events in your network and locate potential related indicators for more than a week, go to the **Advanced Hunting page** > **Query** tab and select the calendar dropdown menu to update your query to hunt for the last 30 days.\n\nTo locate possible exploitation activity, run the following queries in the Microsoft 365 security center.\n\n**Successful exploitation via file creation (requires Microsoft 365 Defender)**\n\nLook for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770. 
[Run query in Microsoft 365 Defender](https://security.microsoft.com/v2/advanced-hunting?query=H4sIAC8YfGgAA42RTUvDQBCG37Pgf1g8i7SC3jzUtmLBqjSKFLzUpDQrzQcm-AHib_fZiaGCe5AlzOw7M8_MTiZa61VeKfYCu8VOUdYq1arRvvb0Kac35WgvfI68irzM7rdakZej5ngN9kBzzTTWQjdK9KWhHjkPUM-5T9F7bahTs3eoc0hXGpkftOAvIdyjJDDjc3TzXtO5MOUMdpigUU2sxLbEtpyBjmy-Wu8_tApKjLF7R4yym6SmvtIzNSlxx5zeCF12QfwQdfJrv32PoM_gejK97S902bCBQEyN0fyZ7H9VY_yCsyKWscWQ09XGeLE_GfQFSm0baumZmTayd3rUkrd-EO8YiS6JHeuEv9nvJlR2VKcncmPbcZbRQP0GDl8cmYQCAAA&timeRangeId=week)\n\n```kusto\n// Hunt for the web shell file that is written after successful exploitation of CVE-2025-53770.\n// The 8.3 short path below is the SharePoint LAYOUTS directory (Microsoft Shared\\\\Web Server Extensions\\\\16\\\\TEMPLATE\\\\LAYOUTS).\nDeviceFileEvents\n| where FolderPath has \"MICROS~1\\\\WEBSER~1\\\\16\\\\TEMPLATE\\\\LAYOUTS\"\n| where FileName =~ \"spinstall0.aspx\"          // case-insensitive exact match\n    or FileName has \"spinstall0\"               // also catch variants whose name contains spinstall0\n| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256\n| order by Timestamp desc\n```\n", "creation_timestamp": "2025-07-20T06:03:24.883901+00:00", "timestamp": "2025-07-21T13:21:14.230211+00:00", "related_vulnerabilities": ["CVE-2025-53770", "CVE-2025-49706", "NCSC-2025-0233", "CVE-2025-53771"], "meta": [{"ref": ["https://www.circl.lu/pub/tr-95/", "https://research.eye.security/sharepoint-under-siege/"]}], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
