A critical zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) is actively exploited worldwide without a patch, compromising at least 85 servers. Microsoft recommends enabling AMSI and deploying Defender AV to mitigate the risk until a security update is available.
Key points
- A zero-day vulnerability in SharePoint has been exploited since July 18th, affecting at least 85 servers globally.
- Threat actors use malicious "spinstall0.aspx" files to steal cryptographic keys and enable remote code execution.
- Microsoft has patched related flaws but warns that a variant of CVE-2025-49706, tracked as CVE-2025-53770, is actively exploited.
- Mitigation includes enabling AMSI in SharePoint and disconnecting servers from the internet if patching isn't possible.
- Indicators of compromise include specific IIS log entries and the presence of the spinstall0.aspx file.
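
A defender can check for both indicators with a short script. The following is an added example, not code from Microsoft or the original report: it scans IIS logs for requests to spinstall0.aspx and searches a directory tree for the file. It assumes IIS W3C extended logging with a `#Fields:` directive; the function names, sample paths and IP addresses are constructed for illustration.

```python
import os

IOC_FILENAME = "spinstall0.aspx"  # file name reported on this page

# Constructed IIS W3C sample (documentation IP ranges, made-up paths); not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-18 18:06:07 GET /sites/demo/start.aspx - 198.51.100.7 Mozilla/5.0 200
2025-07-18 18:06:09 GET /sites/demo/SPINSTALL0.aspx - 203.0.113.44 Mozilla/5.0+(X11) 200
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-07-19 07:28:33 GET /sites/demo/spinstall0.aspx 203.0.113.45 404
2025-07-19 07:30:00 GET /sites/demo/notspinstall0.aspx.txt 198.51.100.9 200
"""

def find_ioc_requests(lines, filename=IOC_FILENAME):
    """Return log rows whose cs-uri-stem ends in the IoC file name."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.lower().startswith("#fields:"):
            # IIS rewrites this directive whenever the logged fields change,
            # so the column mapping must be refreshed mid-file.
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: column mapping would be unreliable
        row = dict(zip(fields, values))
        leaf = row.get("cs-uri-stem", "").rsplit("/", 1)[-1]
        if leaf.lower() == filename.lower():  # IIS paths are case-insensitive
            hits.append({k: row.get(k, "-") for k in
                         ("date", "time", "c-ip", "cs-method",
                          "cs-uri-stem", "sc-status")})
    return hits

def find_ioc_files(root, filename=IOC_FILENAME):
    """Return paths under root whose name matches the IoC (case-insensitive)."""
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.lower() == filename.lower()]

if __name__ == "__main__":
    for hit in find_ioc_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit with `sc-status` 200 means the server actually served the file, which warrants treating the host as compromised rather than merely probed.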