Skip To Content

CRITICAL UPDATE: Microsoft SharePoint Zero-Day CVE-2025-53770 - Emergency Patches Released for All Versions

By Laurie Shrout
July 28, 2025

CRITICAL UPDATE: Microsoft SharePoint Zero-Day CVE-2025-53770 - Emergency Patches Released for All Versions

Federal IT asset managers: Microsoft has released emergency patches for all SharePoint versions, including previously unpatched SharePoint 2016. Chinese nation-state actors continue exploiting CVE-2025-53770 and CVE-2025-53771 in widespread attacks targeting government systems, energy companies, and critical infrastructure.

This update expands on our initial SharePoint CVE-2025-53770 analysis with new threat actor attribution and complete patch availability.

Emergency SharePoint Security Updates Now Available

Microsoft has released comprehensive security updates addressing the critical SharePoint vulnerabilities:

  • SharePoint Server Subscription Edition: Fixed in build 16.0.18526.20508 (KB5002768)
  • SharePoint Server 2019: Fixed in build 16.0.10417.20037 (KB5002754)
  • SharePoint Enterprise Server 2016: Now patched in build 16.0.5513.1001 (KB5002760)

These updates address both CVE-2025-53770 and the newly disclosed CVE-2025-53771, providing complete protection against the "ToolShell" attack chain.

Chinese State Actors Behind Global Campaign

Microsoft's threat intelligence team has identified the threat actors responsible for these attacks:

  • Linen Typhoon and Violet Typhoon (Chinese nation-state actors)
  • Storm-2603 (China-based group deploying Warlock ransomware)

These sophisticated actors have successfully breached US federal and state agencies, energy companies, universities, and international targets across multiple continents.

Scope of Compromise Expands

Recent reporting reveals the attack's devastating scope:

  • 50+ confirmed organizational breaches according to Eye Security
  • Federal and state government agencies compromised
  • Critical infrastructure targets including energy companies
  • International victims spanning Europe and Asia

CISA has confirmed that attackers achieved "full access to SharePoint content, including file systems and internal configurations" in successful breaches.

Critical Warning About AMSI Protection

While Microsoft recommends enabling Antimalware Scan Interface (AMSI) as additional protection, Canada's Cyber Centre warns that "AMSI may not consistently offer comprehensive protection against this form of exploitation, as threat actors frequently adapt their methods to evade detection."

Organizations cannot rely solely on AMSI—immediate patching remains essential.

Immediate Action Required

  • Apply security updates immediately to all SharePoint servers
  • Rotate SharePoint ASP.NET machine keys and restart IIS services
  • Conduct compromise assessments, especially for internet-facing SharePoint instances
  • Monitor for indicators of compromise including the creation of spinstall0.aspx files

Detection and Response Resources

Microsoft provides comprehensive threat hunting guidance in their SharePoint vulnerability blog, including Advanced Hunting queries for Microsoft 365 Defender customers.

The ongoing nature of these attacks and the sophistication of the threat actors involved make this one of the most serious SharePoint vulnerabilities to date. Federal agencies and critical infrastructure operators must treat this as a top-priority security incident requiring immediate remediation.

Need expert SharePoint vulnerability assessment and emergency IT asset management support? Contact The SIE Group for federal-focused cybersecurity solutions.