What is CVE-2025-53770? A Critical Microsoft SharePoint Vulnerability and How to Respond

HackerOne Team

A newly disclosed vulnerability, CVE-2025-53770, is drawing attention from enterprise and government security teams. This critical remote code execution (RCE) vulnerability affects on-premises versions of Microsoft SharePoint Server, giving attackers the potential to run arbitrary code on affected systems.

To be clear: SharePoint Online, part of Microsoft 365, is not affected. This significantly limits exposure for many organizations—but for those still running on-prem SharePoint (typically large enterprises or government agencies), the risk is real and should be addressed promptly.

Why This Vulnerability Stands Out

This is the kind of vulnerability that sophisticated threat actors specialize in. It’s:

  • High impact: Attackers can utilize the RCE to steal the server's cryptographic machine keys, giving them persistence even after normal mitigation methods such as rebooting the server. In addition, they can potentially use these keys to pivot laterally to other Microsoft services.
  • Easy to identify: It can be fingerprinted and detected with relatively little effort.
  • Actively exploited: Reports of real-world exploitation emerged before patch guidance was available.

Initially, mitigation guidance was unclear, adding urgency to the situation. Microsoft released a patch shortly after, but by then, some exploitation had already begun. According to public reports, multiple threat groups (including nation-state actors) have leveraged this vulnerability as a foothold for deeper access, with tactics designed to blend in, persist, and move laterally.

For security researchers: Public proofs of concept are available for CVE-2025-53770.

Immediate Actions for On-Premises SharePoint Users

If you’re running on-premises SharePoint, it’s important to take these steps adapted from Microsoft’s official guidance:

  1. Apply Microsoft’s security patch immediately.
  2. Ensure the Antimalware Scan Interface (AMSI) is enabled and working with SharePoint Server.
  3. Deploy endpoint detection tools, such as Microsoft Defender for Endpoint or a comparable solution.
  4. Rotate the ASP.NET machine keys used by SharePoint Server.
  5. Conduct threat hunting using Microsoft’s published Indicators of Compromise (IOCs).
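As an added example (not from the original post or from Microsoft's guidance), here is a PowerShell triage script for an on-premises SharePoint server that covers the asset-visibility question and step 4 above: it reports the farm build against a placeholder patched build, lists the web applications, and, when run with -RotateKeys, rotates the ASP.NET machine key of each one. It assumes the SharePoint Management Shell snap-in and the Update-SPMachineKey cmdlet are available in the installed version; the patched build number is a placeholder to be taken from Microsoft's advisory.

```powershell
# Added example, not code from the original post or from Microsoft.
# Run in an elevated PowerShell session on a SharePoint Server host.
param(
    # Placeholder: replace with the patched build number from Microsoft's advisory.
    [Version]$PatchedBuild = [Version]"0.0.0.0",
    # Only rotate keys when explicitly asked; rotation recycles IIS.
    [switch]$RotateKeys
)

# Assumption: the classic SharePoint snap-in is present on this version.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Asset check: is this host part of an on-prem farm, and which build is it running?
$farm  = Get-SPFarm
$build = $farm.BuildVersion
"Farm build: $build"
if ($build -lt $PatchedBuild) {
    Write-Warning "Build $build is below the patched build $PatchedBuild; apply the security update first."
}

# Each web application (including Central Administration) carries its own
# ASP.NET machine key, so every one of them must be rotated.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
"Web applications in the farm:"
foreach ($wa in $webApps) {
    "{0,-40} {1}" -f $wa.DisplayName, $wa.Url
}

# Step 4: rotate the machine keys, then restart IIS so the new keys are loaded.
# Assumption: Update-SPMachineKey exists in the installed SharePoint version.
if ($RotateKeys) {
    foreach ($wa in $webApps) {
        "Rotating machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    iisreset.exe
}
```

Rotate keys only after the patch is applied, otherwise an attacker who still has code execution can simply read the new keys again.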

A Silver Lining

The good news is that this issue does not impact the cloud-based version of SharePoint, which is much more widely used today. The attack surface is narrower than it might seem at first glance.

However, organizations using the on-premises version—typically Fortune 500 companies or public sector agencies—are also among the most frequently targeted by threat actors. These systems are appealing due to their strategic importance, and attackers aim to use vulnerabilities like this to quietly gain access and expand control.

Lessons Beyond the Patch

This vulnerability underscores a core principle in cybersecurity: you can’t protect what you can’t see. Solutions like bug bounty programs, pentesting, and vulnerability disclosure programs (VDPs) give you methods to spot and eliminate threats like these.

In this case, knowing whether your organization is running an on-premises SharePoint instance is a critical first step, one that’s not always easy to answer without clear asset visibility.

The simplest way to see if you’re affected is through HackerOne’s Spot Checks feature, which lets you define parameters for security researchers to take a targeted look at a specific asset or weakness.

For more details, contact HackerOne for support in avoiding critical vulnerabilities like CVE-2025-53770.