Datawiza
Back to blog
July 20, 2025BlogTechnical

CVE-2025-53770: Protecting Your On-Premises SharePoint—What to Do Now (and How Datawiza Helps)

CVE-2025-53770: Protecting Your On-Premises SharePoint—What to Do Now (and How Datawiza Helps)

Update (5:50PM July 21, 2025, PDT):

Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016 against CVE-2025-53770 and CVE-2025-53771. Customers should apply these updates immediately.

ProductSecurity Update link
Microsoft SharePoint Server Subscription EditionDownload Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768) from Official Microsoft Download Center
Microsoft SharePoint Server 2019Download Security Update for Microsoft SharePoint 2019 (KB5002754) from Official Microsoft Download Center Security Update for Microsoft SharePoint Server 2019 Language Pack (KB5002753)
Microsoft SharePoint Server 2016Security Update for Microsoft SharePoint Enterprise Server 2016 (KB5002760) Security Update for Microsoft SharePoint Enterprise Server 2016 Language Pack (KB5002759)

For more details, visit Microsoft’s official update guidance.

What’s Happening? SharePoint Zero-Day (0-day) Alert

A newly discovered critical SharePoint vulnerability—CVE-2025-53770—is being actively exploited in the wild. This zero-day (0-day or 0day) flaw allows unauthenticated attackers to remotely execute code on unpatched on-premises SharePoint servers.

No official patch is available as of now (12:30AM July 20, 2025, PDT). Organizations with internet-facing SharePoint deployments are at highest risk.

Technical Insights: How CVE-2025-53770 Works

CVE-2025-53770 is a pre-authentication remote code execution (RCE) vulnerability in on-premises SharePoint, caused by deserialization of untrusted data.

Here’s what that means for your environment:

  • No authentication required: Attackers don’t need valid credentials—they can exploit vulnerable servers simply by sending malicious data over the network.
  • Attack vector: Based on Microsoft’s official detection guidance and analysis of how similar vulnerabilities have been exploited in the past, the likely attack path involves unauthenticated POST requests to core SharePoint endpoints, especially under the path /_layouts/15/ ,which hosts many key application pages.
  • Real-world impact: Successful attacks often result in the creation of web shells (such as spinstall0.aspx ) in the SharePoint LAYOUTS directory, giving attackers persistent remote access and the ability to move laterally.

Example vulnerable URL:

https://<your-sharepoint-server>/_layouts/15/<page>.aspx

Detection: What Should Security Teams Watch For?

Microsoft recommends searching for the creation of suspicious files in the SharePoint LAYOUTS directory as a sign of successful exploitation.

For example, you can use this Defender Advanced Hunting Query (published by Microsoft) to look for signs of compromise:

DeviceFileEvents | where FolderPath has “MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS” | where FileName =~ “spinstall0.aspx” or FileName has “spinstall0” | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256 | order by Timestamp desc

Run this in Microsoft 365 Defender to scan up to 30 days of events for potential exploitation.

What to Do Now: SharePoint Zero-Day Mitigation

As IT and security teams await an official fix, here are two proven strategies to reduce your risk from SharePoint remote code execution attacks:

Option 1: Take SharePoint Offline from the Internet

  • How it helps: Removes public exposure and immediately blocks external attackers.
  • Drawback: May disrupt legitimate remote workflows or business partner access.

Option 2: Enforce Pre-Authentication with an Authentication Proxy

  • How it helps: Deploying an authentication proxy—such as Datawiza Access Proxy—in front of SharePoint requires strong authentication, like single sign on (SSO) and multi-factor authentication (MFA), before any request can reach your SharePoint server.
  • Why it’s effective: Blocks all unauthenticated exploit attempts, even when SharePoint itself remains unpatched.
  • Datawiza clients are protected: Datawiza Access Proxy is already deployed by many organizations to protect their on-premises SharePoint. By enforcing strong authentication for every request, Datawiza customers are shielded from CVE-2025-53770 and similar attacks.
  • Future-proof SharePoint security: Datawiza doesn’t just help with today’s CVE. By requiring authentication for all access, Datawiza Access Proxy helps prevent exploitation of similar “pre-auth” vulnerabilities in SharePoint or other legacy web applications in the future.
Learn how Datawiza provides secure SSO and MFA for SharePoint: Datawiza SharePoint SSO & MFA Solution

Stay Informed with Official SharePoint Security Guidance

We recommend all organizations follow Microsoft’s official CVE-2025-53770 guidance for the latest information, monitoring steps, and recommendations.

Summary: Preventing SharePoint Zero-Day Attacks

CVE-2025-53770 is a serious threat, but actionable steps—such as removing internet exposure or enforcing authentication with a SharePoint proxy—can dramatically reduce risk. If you’re a Datawiza customer, your SharePoint environment is already protected against both this CVE and similar future zero-days.

Want to learn more? Visit our SharePoint SSO & MFA solution page. Stay safe, stay vigilant, and reach out if you have questions or need help evaluating SharePoint security options.

Frequently Asked Questions (FAQ)

Q1: What is SharePoint CVE-2025-53770? A: It’s a critical zero-day (0day or 0-day) vulnerability in on-premises SharePoint that allows unauthenticated attackers to remotely execute code. No official patch is available as of July 20, 2025.

Q2: How can I protect my SharePoint from CVE-2025-53770? A: Reduce risk by taking SharePoint offline from the internet or by using an authentication proxy (such as Datawiza) to enforce SSO/MFA before any requests reach your SharePoint server.

Q3: What is an authentication proxy for Sharepoint? A: It’s a security solution that sits in front of your SharePoint server to require strong authentication—like SSO and MFA—before users or traffic can access the application.

Q4: Are Datawiza customers protected from SharePoint zero-days? A: Yes. Datawiza Access Proxy enforces authentication for every request, blocking unauthenticated exploits like CVE-2025-53770 and helping prevent similar vulnerabilities in the future.

Q5: Where can I learn more about securing SharePoint with Datawiza? A: Visit our solution page: Datawiza SharePoint SSO & MFA Solution

Datawiza is Easy to Get Started

Sign up to secure your AI agents and critical enterprise apps

Try Datawiza