Emergency Patching of SharePoint Server for Vulnerability CVE-2025-53770
- Milan Gross

- Jul 24, 2025
Microsoft has announced a critical security vulnerability, tracked as CVE-2025-53770, affecting SharePoint Server 2016, 2019 and Subscription Edition. SharePoint Online is not affected, as it is managed and updated by Microsoft immediately. While this threat primarily impacts public-facing SharePoint servers, I would recommend that all servers of affected versions in the organisation be updated. This vulnerability has been actively exploited in the wild, meaning attackers are already using it to target unpatched systems.
At its core, the issue allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable SharePoint Server. This means an attacker could potentially take control of the server without needing valid credentials or internal network access. Once exploited, the attacker could install malicious software, access sensitive documents, change permissions, or pivot into other parts of the internal network.
For IT managers, even those without deep cybersecurity expertise, it’s essential to understand the potential impact:
- The vulnerability bypasses authentication, meaning attackers do not need a user account to launch the attack.
- Exploitation can lead to full system compromise, putting business data, user credentials, and other connected systems at risk.
- Public-facing SharePoint Servers are especially vulnerable, as they can be scanned and targeted directly from the internet.
Organisations should immediately apply the patch for their version of SharePoint listed in the notice for CVE-2025-53770. This is a relatively quick patch to deploy, but I would advise backing up your server OS before deploying.
In addition, it is very important to rotate the .NET machine keys on the servers after patching. Part of the exploit allows hackers to steal the cryptographic secret keys that are used for authentication. Once an attacker has done this, they may be able to reuse stolen tokens or forge new ones even after the server is patched, allowing continued access to the system. To protect against this, follow the guidance in the Microsoft announcement to replace the machine keys with newly generated random keys.
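One way to confirm that the rotation actually took effect on every server, shown as an added example that is not part of the original post or of Microsoft's guidance: it compares fingerprints of the `machineKey` values in copies of `web.config` collected before and after rotation, so the keys themselves are never printed. The server names, key values and helper names are constructed for illustration, and it assumes all copies belong to the same web application.

```python
import hashlib
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")

def key_fingerprints(web_config_xml):
    """Fingerprint the <machineKey> secrets so they can be compared without being logged."""
    mk = ET.fromstring(web_config_xml).find("system.web/machineKey")
    if mk is None:
        raise ValueError("no <machineKey> under <system.web>")
    fps = {}
    for attr in KEY_ATTRS:
        value = mk.get(attr, "")
        if not value or value.upper().startswith("AUTOGENERATE"):
            fps[attr] = None  # no explicit key stored in this file
        else:
            fps[attr] = hashlib.sha256(value.upper().encode()).hexdigest()[:16]
    return fps

def rotation_findings(before, after):
    """before/after map server name -> web.config text for ONE web application."""
    findings = []
    new_fps = {server: key_fingerprints(text) for server, text in after.items()}
    for server, text in before.items():
        old = key_fingerprints(text)
        new = new_fps.get(server)
        if new is None:
            findings.append((server, "no post-rotation web.config collected"))
            continue
        for attr in KEY_ATTRS:
            if new[attr] is None:
                findings.append((server, f"{attr} not explicit, cannot verify"))
            elif new[attr] == old[attr]:
                findings.append((server, f"{attr} unchanged, old key still trusted"))
    for attr in KEY_ATTRS:  # all servers of the web application must share one key
        if len({fps[attr] for fps in new_fps.values()}) > 1:
            findings.append(("farm", f"{attr} differs between servers"))
    return findings

def sample_config(validation_key, decryption_key):
    """Constructed web.config fragment; the key values passed in below are made up."""
    return (f'<configuration><system.web><machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" validation="HMACSHA256" decryption="AES" />'
            '</system.web></configuration>')

OLD = sample_config("0A" * 32, "1B" * 24)  # constructed pre-rotation keys
NEW = sample_config("C3" * 32, "D4" * 24)  # constructed post-rotation keys

if __name__ == "__main__":
    # Constructed scenario: WFE2 was missed during rotation
    for finding in rotation_findings({"WFE1": OLD, "WFE2": OLD}, {"WFE1": NEW, "WFE2": OLD}):
        print(finding)
```

An empty result means every server carries new, matching keys; any finding means a token signed with the stolen key may still validate on that server.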
This vulnerability is serious and demands urgent attention from IT teams. Delaying mitigation could lead to data loss, business disruption, or a costly incident response effort. Taking action now is the best way to protect your organisation’s SharePoint infrastructure.



