URGENT: Federal Agencies Must Act Now on Critical SharePoint Zero-Day Vulnerability (CVE-2025-53770)
Federal IT asset managers, this is not a drill. A critical zero-day vulnerability in Microsoft SharePoint Server (CVE-2025-53770) is being actively exploited in global cyberattacks, with CISA confirming "active exploitation" enabling unauthorized access to on-premises SharePoint servers. With a CVSS score of 9.8, this represents one of the highest-severity threats your agency faces today.
The Immediate Threat to Federal Operations
Eye Security discovered active exploitation on July 18, 2025, describing this as "one of the most rapid transitions from proof-of-concept to mass exploitation in recent memory." The vulnerability, dubbed "ToolShell" by researchers, allows attackers to gain complete remote control over vulnerable SharePoint systems without authentication.
At least 54 organizations have already been compromised, including banks, universities, and government entities. For federal agencies, this poses catastrophic risks to sensitive data, mission-critical operations, and national security infrastructure.
Critical Details Every Federal IT Manager Must Know
Official NIST Classification: According to the National Vulnerability Database (NVD), CVE-2025-53770 is officially described as: "Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network." Critically, Microsoft confirms that "an exploit for CVE-2025-53770 exists in the wild."
Affected Systems: These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted. Specifically vulnerable are:
- Microsoft SharePoint Enterprise Server 2016 (versions prior to 16.0.5508.1000)
- Microsoft SharePoint Enterprise Server 2019 (versions prior to 16.0.10417.20027)
- SharePoint Server Subscription Edition (versions prior to 16.0.18526.20424)
Attack Vector: The vulnerability enables remote code execution through network-based attacks without authentication. Because SharePoint often connects to core services like Outlook, Teams, and OneDrive, a breach can quickly lead to data theft, password harvesting, and lateral movement across the network. The NIST NVD classification confirms this is a deserialization-of-untrusted-data vulnerability, which makes it particularly dangerous: it is reachable over the network and requires no credentials to trigger.
IMMEDIATE ACTION REQUIRED - CISA Mandate
CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog and instructed all US federal civilian executive branch (FCEB) agencies to identify potentially affected systems and apply mitigations by July 21. This deadline is TODAY.
Priority Actions for Federal IT Asset Managers:
1. Emergency Patching: Microsoft has released critical security updates as of July 21, 2025:
- SharePoint Server Subscription Edition: Fixed in build 16.0.18526.20508 (KB5002768)
- SharePoint Server 2019: Fixed in build 16.0.10417.20037 (KB5002754)
- SharePoint Enterprise Server 2016: No patch currently available - follow mitigation steps below immediately
Apply available patches immediately to ensure full protection against CVE-2025-53770 and CVE-2025-53771.
2. Configure AMSI Protection: Configure Antimalware Scan Interface (AMSI) in SharePoint and deploy Microsoft Defender AV on all SharePoint servers. This provides critical real-time protection against exploitation attempts.
3. Implement Emergency Isolation: If AMSI cannot be enabled, disconnect affected internet-facing SharePoint servers from service until official mitigations are available.
4. Rotate Security Keys: "After applying the latest security updates above or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers." (Microsoft's Customer Guidance for SharePoint Vulnerability)
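To turn the patch builds above into a repeatable check across an agency's server inventory, here is an added example (not from the advisory or from Microsoft) that compares each server's reported build against the fixed builds quoted for steps 1 through 4. The host inventory is constructed sample data; builds are compared numerically, since a plain string comparison would rank 16.0.5508.x above 16.0.10417.x.

```python
"""Triage a SharePoint inventory against the fixed builds in the advisory.

Added example, not from the original advisory or Microsoft. The fixed builds
are the ones quoted above (KB5002768 / KB5002754); the host inventory is
constructed sample data. Build numbers would normally come from the farm's
own version information.
"""

# Minimum build that contains the CVE-2025-53770 fix, per product.
# None means no patch was available at the time of writing (SharePoint 2016).
FIXED_BUILDS = {
    "Subscription Edition": "16.0.18526.20508",  # KB5002768
    "2019": "16.0.10417.20037",                   # KB5002754
    "2016": None,
}

def parse_build(build):
    """'16.0.10417.20037' -> (16, 0, 10417, 20037) so builds compare numerically."""
    parts = tuple(int(p) for p in build.split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected build format: {build!r}")
    return parts

def triage(product, build):
    """Return the action the advisory prescribes for one server."""
    if product not in FIXED_BUILDS:
        return "unknown-product"
    fixed = FIXED_BUILDS[product]
    if fixed is None:
        return "no-patch: enable AMSI, isolate from internet, rotate machine keys"
    if parse_build(build) >= parse_build(fixed):
        return "patched: rotate machine keys and restart IIS"
    return "unpatched: apply update immediately"

# Constructed inventory (hostname, product, reported build).
INVENTORY = [
    ("sp-sub-01", "Subscription Edition", "16.0.18526.20424"),
    ("sp-sub-02", "Subscription Edition", "16.0.18526.20508"),
    ("sp-2019-01", "2019", "16.0.10417.20027"),
    ("sp-2016-01", "2016", "16.0.5508.1000"),
]

def triage_inventory(inventory):
    """Map each hostname to its triage verdict."""
    return {host: triage(product, build) for host, product, build in inventory}

if __name__ == "__main__":
    for host, verdict in triage_inventory(INVENTORY).items():
        print(f"{host}: {verdict}")
```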
Detection and Monitoring Requirements
Federal agencies must implement immediate detection measures:
CISA recommends monitoring for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit and searching logs for traffic from the IP addresses 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18 and 19, 2025.
Deploy comprehensive logging and update intrusion prevention systems to identify potential compromise indicators.
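The following added example (not part of the advisory) applies the CISA indicators above to IIS W3C logs from a SharePoint web front end: it flags POST requests to /_layouts/15/ToolPane.aspx carrying DisplayMode=Edit, any request from the three published IP addresses, and marks hits that fall in the July 18-19, 2025 window. The log lines are constructed samples in the standard IIS W3C format, not real traffic.

```python
"""Scan IIS W3C logs for the CVE-2025-53770 indicators named in the CISA guidance.

Added example (not part of the original advisory). The log lines below are
constructed samples in the standard IIS W3C format; real logs live under
%SystemDrive%\\inetpub\\logs\\LogFiles on the SharePoint web front ends.
"""
from datetime import date

# Indicators quoted in the advisory (defanged in the text, usable form here).
KNOWN_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
TOOLPANE = "/_layouts/15/toolpane.aspx"
WINDOW = (date(2025, 7, 18), date(2025, 7, 19))  # CISA's July 18-19 window

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 09:12:01 10.0.0.5 GET /sites/hr/default.aspx - 10.0.0.40 200
2025-07-18 21:45:13 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 200
2025-07-19 02:03:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.9 200
2025-07-22 11:20:00 10.0.0.5 GET /_layouts/15/start.aspx - 96.9.125.147 302
"""

def parse_w3c(text):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(rec):
    """Return the indicator tags matched by one request; empty list if none."""
    tags = []
    toolpane_post = (rec["cs-method"] == "POST"
                     and rec["cs-uri-stem"].lower().endswith(TOOLPANE)
                     and "displaymode=edit" in rec["cs-uri-query"].lower())
    if toolpane_post:
        tags.append("toolpane-edit-post")
    if rec["c-ip"] in KNOWN_IPS:
        tags.append("known-ip")
    if tags and WINDOW[0] <= date.fromisoformat(rec["date"]) <= WINDOW[1]:
        tags.append("in-cisa-window")
    return tags

def scan(text):
    """Return (date, client ip, tags) for every request that matched an indicator."""
    hits = []
    for rec in parse_w3c(text):
        tags = classify(rec)
        if tags:
            hits.append((rec["date"], rec["c-ip"], tags))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A ToolPane POST from an unlisted address (the 203.0.113.9 line) is still flagged; the IP list only raises confidence, it does not define the detection.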
The Cost of Non-Compliance
The risks of delaying action are severe:
- Data Exfiltration: Complete access to SharePoint content, file systems, and internal configurations
- Lateral Movement: Attackers can pivot to connected Microsoft 365 services
- Mission Disruption: Critical government operations could be compromised
- Regulatory Violations: Non-compliance with CISA directives carries serious consequences
- National Security Impact: Sensitive federal data exposure threatens broader security interests
Federal-Specific Resources
For comprehensive guidance, federal IT managers should reference:
- National Vulnerability Database (NVD) - CVE-2025-53770
- Microsoft's Customer Guidance for SharePoint Vulnerability
- CISA's Official Alert
- Microsoft's July 8, 2025 security updates
Bottom Line for Federal IT Asset Management
This is a defining moment for federal cybersecurity preparedness. With Microsoft coordinating "closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners around the world," the federal response must be swift and comprehensive.
Your agency's SharePoint infrastructure is under active attack. Every minute of delay increases your exposure to a threat that has already compromised dozens of organizations worldwide.
Implement emergency mitigations immediately, apply patches as soon as they become available, and ensure your incident response teams are prepared for potential compromise. The security of federal operations depends on your immediate action.
Need Expert Support for Your Federal IT Asset Management?
The SIE Group specializes in helping federal agencies navigate critical cybersecurity challenges like the SharePoint vulnerability crisis. Our experienced team understands the unique compliance requirements and operational constraints facing government IT departments.
Contact The SIE Group today for:
- Emergency vulnerability assessment and remediation
- Federal IT asset management services
- Cybersecurity compliance guidance
- Strategic technology planning for government operations