Microsoft SharePoint Server 0-Day RCE Actively Exploited, CISA Issues Urgent Warning

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical zero-day vulnerability in Microsoft SharePoint Server that is being actively exploited by attackers in the wild.

The vulnerability, tracked as CVE-2025-53770, allows unauthorized remote code execution through deserialization of untrusted data, posing significant risks to organizations running on-premises SharePoint deployments.

Microsoft SharePoint Server contains a dangerous deserialization of untrusted data vulnerability that could allow unauthorized attackers to execute arbitrary code remotely over network connections.

The vulnerability, classified under CWE-502 (Deserialization of Untrusted Data), affects on-premises SharePoint Server installations and represents a serious threat to enterprise infrastructure.

Deserialization vulnerabilities are particularly concerning because they can allow attackers to manipulate serialized data objects, potentially leading to complete system compromise.

When untrusted data is deserialized without proper validation, malicious actors can craft specially designed payloads that execute arbitrary code with the privileges of the affected application.

In SharePoint’s case, this could grant attackers significant access to corporate data, user information, and internal network resources.

The active exploitation of this vulnerability in the wild makes it especially urgent for organizations to take immediate protective measures, as threat actors are already leveraging this vulnerability to compromise SharePoint environments.

Microsoft SharePoint Server 0-Day

In response to the active exploitation, CISA has issued specific recommendations for organizations to protect their SharePoint deployments.

The agency strongly recommends configuring Antimalware Scan Interface (AMSI) integration in SharePoint environments and deploying Microsoft Defender Antivirus on all SharePoint servers as primary defensive measures.

AMSI integration provides an additional layer of security by enabling antimalware solutions to scan content and scripts processed by SharePoint, potentially detecting and blocking malicious payloads before they can execute.

Coupling this with Defender AV deployment across SharePoint infrastructure creates a more robust defense against exploitation attempts.

For organizations unable to implement AMSI integration immediately, CISA has issued more drastic guidance: disconnect public-facing SharePoint products from the internet until official mitigations become available.
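The two controls CISA recommends above can be audited per server. The following script is an added example, not CISA's or Microsoft's code: it reports whether Defender AV is installed and running and whether AMSI integration is activated on each SharePoint web application. It assumes it runs in an elevated SharePoint Management Shell and that the AMSI feature's display name contains "AMSI"; confirm the feature ID against Microsoft's AMSI-integration documentation for your SharePoint version.

```powershell
# Added example (not from the article, CISA or Microsoft): audits the two
# controls CISA recommends for on-premises SharePoint - Defender AV present and
# running, and AMSI integration activated on every web application.
# Run on each SharePoint server from an elevated SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-DefenderAvStatus {
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            Control = 'Defender AV'
            Target  = $env:COMPUTERNAME
            Enabled = [bool]($s.AntivirusEnabled -and $s.RealTimeProtectionEnabled -and $s.AMServiceEnabled)
            Detail  = "Mode=$($s.AMRunningMode); SignaturesUpdated=$($s.AntivirusSignatureLastUpdated)"
        }
    } catch {
        # Cmdlet missing or failing usually means Defender is not installed.
        [pscustomobject]@{ Control = 'Defender AV'; Target = $env:COMPUTERNAME
                           Enabled = $false; Detail = 'Get-MpComputerStatus failed' }
    }
}

function Get-SharePointAmsiStatus {
    foreach ($app in Get-SPWebApplication -IncludeCentralAdministration) {
        # Get-SPFeature -WebApplication lists features activated at that scope.
        # Assumption: the AMSI integration feature's display name contains "AMSI".
        $amsi = Get-SPFeature -WebApplication $app.Url -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -like '*AMSI*' }
        [pscustomobject]@{
            Control = 'AMSI integration'
            Target  = $app.Url
            Enabled = [bool]$amsi
            Detail  = if ($amsi) { "Feature $($amsi.Id) active" } else { 'Feature not active' }
        }
    }
}

$results = @(Get-DefenderAvStatus) + @(Get-SharePointAmsiStatus)
$results | Format-Table Control, Target, Enabled, Detail -AutoSize

# Non-zero exit lets a scheduled task or configuration tool flag servers
# that are missing either control.
if ($results | Where-Object { -not $_.Enabled }) { exit 1 }
```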

This recommendation underscores the severity of the threat and the urgent need for protective action.

Ongoing Threat Assessment

Organizations must follow applicable Binding Operational Directive (BOD) 22-01 guidance, which requires federal agencies to remediate known exploited vulnerabilities within specified timeframes.

For cloud services, the applicable BOD 22-01 guidance also applies; organizations should discontinue use of the product if effective mitigations remain unavailable.

It is currently unknown whether this vulnerability is being used in ransomware campaigns, though its active exploitation suggests sophisticated threat actors may be leveraging it for a range of malicious purposes.

CISA maintains the Known Exploited Vulnerabilities (KEV) catalog as the authoritative source for vulnerabilities exploited in the wild, helping organizations prioritize their vulnerability management efforts.

The agency emphasizes that organizations should integrate the KEV catalog into their vulnerability management prioritization frameworks to stay ahead of actively exploited threats.

As Microsoft develops official patches and mitigations, organizations must remain vigilant and apply security updates promptly according to both CISA and vendor guidance to protect against this critical vulnerability.

Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
