Microsoft issues alert on ongoing cyber attacks against its government and corporate server technology, with one cybersecurity professional advising that organizations should consider themselves already breached
In a significant cybersecurity alert, ongoing attacks are targeting on-premises Microsoft SharePoint Server customers, exploiting two critical vulnerabilities: CVE-2025-53770 and CVE-2025-53771. These vulnerabilities enable unauthenticated remote code execution via deserialization of untrusted data in SharePoint Server, allowing attackers to execute malicious commands over the network without prior authentication.
The vulnerabilities, described as a variant of a previously patched vulnerability CVE-2025-49704, pose a severe threat. CVE-2025-53770, a critical zero-day flaw with a CVSS score of 9.8, allows attackers to abuse SharePoint's handling of serialized objects, running arbitrary code remotely and forging trusted payloads using stolen machine keys to maintain persistence or move laterally inside compromised networks.
CVE-2025-53771, which appears related, is addressed together with CVE-2025-53770 in Microsoft’s security updates. Both vulnerabilities apply only to on-premises SharePoint Server versions, with Microsoft 365’s SharePoint Online remaining unaffected.
The exploitation campaign has already breached over 75 organizations, including U.S. federal and state agencies, universities, and energy companies, raising concerns about espionage and widespread network compromise.
To mitigate the risk, Microsoft has released emergency cumulative security updates for all supported affected SharePoint Server versions. Applying these updates immediately is essential to block active exploitation. Organizations should also rotate their SharePoint Server ASP.NET machine keys to prevent attackers from using stolen keys to maintain access.
Additional recommended defenses include deploying Microsoft Defender for Endpoint or equivalent endpoint protection, enabling and properly configuring Antimalware Scan Interface (AMSI) with antivirus solutions, and monitoring for Indicators of Compromise detailed in Microsoft’s threat intelligence blog.
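The three administrative steps above (confirm the update is installed, hunt for anything dropped on the server, rotate the ASP.NET machine keys) are usually carried out from the SharePoint Management Shell. The script below is an added example written for this page; it is not code from Microsoft or from the article. It assumes it runs elevated on a SharePoint server as a farm administrator, that the SharePoint PowerShell snap-in is present, that the farm uses the standard "16" hive path under Common Files, and it takes the expected post-update build number as a placeholder parameter that you fill in from Microsoft's update documentation for your version. The file hunt is generic (recently written .aspx pages under LAYOUTS) and deliberately does not encode any specific indicator.

```powershell
# Added example (not from the article or Microsoft): post-update hygiene for an
# on-premises SharePoint farm. Run elevated, on a SharePoint server, as farm admin.
param(
    # Assumed cut-off: review .aspx files written after this date (default: last 30 days).
    [datetime]$HuntSince = (Get-Date).AddDays(-30),
    # PLACEHOLDER: the farm build number listed in Microsoft's update KB for your version.
    [version]$ExpectedBuild = [version]'0.0.0.0',
    # Only rotate keys when explicitly asked; rotation affects every server in the farm.
    [switch]$RotateKeys
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Confirm the farm build reflects the emergency cumulative update.
$build = (Get-SPFarm).BuildVersion
if ($build -lt $ExpectedBuild) {
    Write-Warning "Farm build $build is below expected $ExpectedBuild; apply the security update first."
} else {
    Write-Host "Farm build $build meets or exceeds $ExpectedBuild."
}

# 2. Hunt for recently written .aspx pages under the LAYOUTS folder of the 16 hive
#    (assumed path). Legitimate updates also write here, so compare each hit's
#    timestamp against when the update was installed before treating it as a web shell.
$layouts = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$suspects = Get-ChildItem -Path $layouts -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $HuntSince } |
    Select-Object FullName, LastWriteTime, Length
if ($suspects) {
    Write-Warning "Review these .aspx files written after $HuntSince under LAYOUTS:"
    $suspects | Format-Table -AutoSize
} else {
    Write-Host "No .aspx files written after $HuntSince under $layouts."
}

# 3. Rotate the ASP.NET machine keys of every web application (Central Administration
#    included) so keys stolen before the update can no longer be used to forge trusted
#    payloads, then restart IIS so worker processes load the new keys.
if ($RotateKeys) {
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    # Repeat the IIS restart on every SharePoint server in the farm, not just this one.
    & iisreset.exe
}
```

Run it once without `-RotateKeys` to check the build and review the file list, then again with `-RotateKeys` after the update is confirmed installed on every server; rotating keys before patching is pointless, because an unpatched server can simply have them stolen again. Key rotation invalidates existing view state and forms-authentication tickets, so schedule it like any other farm-wide change.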
The Cybersecurity & Infrastructure Security Agency (CISA) has issued alerts confirming the active exploitation and urges organizations to apply the patches and follow mitigation steps promptly.
This development underscores the urgency for on-premises SharePoint Server administrators to patch immediately and strengthen detection and response capabilities. If your on-premises SharePoint is exposed to the internet, assume it has already been compromised; patching alone may not fully evict the threat.
Microsoft, the FBI, and various federal and private-sector partners, including CISA, DoD Cyber Defense Command, and key cybersecurity partners, are working on the issue. SharePoint, a server-based content and document management platform that organizations use for internal websites, social media, documentation, and more, is deployed by many large organizations and governments, including in the US.
Microsoft has issued updates to fix these vulnerabilities. Customers using SharePoint 2016 or 2019 should upgrade and then apply the update, and customers using SharePoint Subscription Edition should apply the security update provided in CVE-2025-53771 immediately.
Recent cybersecurity threat research by Palo Alto Networks Unit 42 has revealed that attackers are bypassing identity controls, exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. If exploited, these vulnerabilities allow an attacker to execute code over a network or perform spoofing over a network.
In conclusion, the active attacks exploiting CVE-2025-53770 and CVE-2025-53771 underscore the importance of prompt patching and robust cybersecurity measures for on-premises SharePoint Server administrators.
- The ongoing attacks targeting on-premises Microsoft SharePoint Server customers are particularly concerning because they exploit critical vulnerabilities like CVE-2025-53770 and CVE-2025-53771.
- These vulnerabilities enable unauthenticated remote code execution via deserialization of untrusted data, allowing attackers to execute malicious commands over the network without prior authentication.
- Organizations using SharePoint 2016 or 2019 should upgrade and then apply the update, and those using SharePoint Subscription Edition should apply the security update provided in CVE-2025-53771 immediately.
- In the context of the current cybersecurity landscape, promoting financially responsible practices and maintaining robust cybersecurity measures, such as deploying Microsoft Defender for Endpoint, enabling Antimalware Scan Interface with antivirus solutions, and monitoring for Indicators of Compromise, are essential to protect our economy and national security.