Microsoft has issued an urgent security advisory addressing critical zero-day vulnerabilities in on-premises SharePoint Server that attackers are actively exploiting. The vulnerabilities, assigned CVE-2025-53770 and CVE-2025-53771, enable attackers to achieve remote code execution and potentially compromise entire SharePoint environments. They pose immediate risks to organizations running SharePoint infrastructure and require immediate remediation. The attack techniques bypass traditional security controls, which makes prompt patching critical for organizational security.

Microsoft has released comprehensive security updates to address these vulnerabilities. Apply them immediately: KB5002768 (SharePoint Subscription Edition) or KB5002754 (SharePoint 2019). After key rotation, administrators must restart IIS using iisreset.exe on all SharePoint servers to complete the remediation process.

Microsoft has also deployed multiple detection mechanisms through its security ecosystem. Microsoft Defender for Endpoint generates specific alerts for this activity, including “Possible web shell installation,” “Suspicious IIS worker process behavior,” and “SuspSignoutReq malware was blocked on a SharePoint server”. Deploying Microsoft Defender Antivirus on all SharePoint servers creates an essential additional security barrier, and security teams can use advanced hunting queries to identify potential compromise indicators across their environment.
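As an added example (not code from the advisory or from Microsoft), the PowerShell check below ties the remediation steps above together on a single server: it confirms the edition-specific update is present, confirms Defender Antivirus is active, and only then performs the iisreset the advisory requires. It assumes the update registers its KB number in the DisplayName of the standard Uninstall registry keys, that key rotation has already been carried out separately (signalled with -KeysRotated), and that the Defender PowerShell module is available for Get-MpComputerStatus.

```powershell
# Added example, not part of the advisory. Run elevated on each on-premises SharePoint server.
param(
    [ValidateSet('SubscriptionEdition', '2019')][string]$Edition = 'SubscriptionEdition',
    [switch]$KeysRotated   # set only after ASP.NET machine keys have been rotated
)

# KB numbers come from the advisory text above.
$kbByEdition = @{ 'SubscriptionEdition' = 'KB5002768'; '2019' = 'KB5002754' }
$kb = $kbByEdition[$Edition]

function Test-KbInstalled {
    param([string]$Kb)
    # Windows hotfix list first, then the Uninstall keys where MSP-based product
    # updates usually record their KB number (assumption: KB appears in DisplayName).
    if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) { return $true }
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like "*$Kb*" }
    return [bool]$hit
}

function Test-DefenderAvActive {
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    return ($null -ne $status -and $status.AntivirusEnabled -and $status.RealTimeProtectionEnabled)
}

$host.UI.WriteLine("Checking $env:COMPUTERNAME for $kb ($Edition)")
if (-not (Test-KbInstalled -Kb $kb)) {
    Write-Warning "$kb is NOT installed. Install the update before rotating keys or restarting IIS."
    exit 1
}
if (-not (Test-DefenderAvActive)) {
    # The advisory calls Defender Antivirus on every SharePoint server an essential barrier.
    Write-Warning 'Microsoft Defender Antivirus is not active with real-time protection on this server.'
}
if (-not $KeysRotated) {
    Write-Warning 'Machine keys not yet rotated; rotate them first, then re-run with -KeysRotated.'
    exit 1
}

# Final step from the advisory: restart IIS so the rotated keys take effect.
& iisreset.exe
if ($LASTEXITCODE -ne 0) { Write-Error "iisreset.exe failed with exit code $LASTEXITCODE"; exit 1 }
Write-Output "Remediation steps completed on $env:COMPUTERNAME"
```

Run it once per SharePoint server after patching and key rotation; a non-zero exit code means a prerequisite is missing and IIS was deliberately not restarted.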
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 21 Jul 2025 07:30:17 +0000