Source: go.theregister.com – Author: Richard Speed
Microsoft has good news for administrators running SharePoint Server 2016. The cloud and software megacorp has published updates to close a gaping hole in the document management service.
The patch was issued on July 21 and follows updates already available for SharePoint Server 2019 and SharePoint Server Subscription Edition. However, while it should address two zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which allowed miscreants to access servers connected to the internet, it is possible that attackers may have already accessed data or systems.
The alarm was raised last week regarding the vulnerabilities after attackers found ways to bypass Microsoft’s patches for other flaws in the July Patch Tuesday updates for the servers.
In its customer guidance for the issue, Microsoft said it was “aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”
According to reports, tens of thousands of servers, including those of US federal and state agencies, were at risk. The problem only affected on-premises SharePoint servers – Microsoft 365 was unaffected – and it took Redmond a few days to rush out an emergency patch, first for SharePoint Server 2019 and SharePoint Server Subscription Edition, and now for SharePoint Server 2016.
Until the patches were made available, administrators had limited options. Microsoft Defender for Endpoint could be used to detect and block post-exploit activity, and the Antimalware Scan Interface (AMSI) could have Full Mode enabled to prevent unauthenticated attackers from exploiting the vulnerability.
Alternatively, it was a case of disconnecting the servers from the internet until a patch turned up.
Since the zero-day vulnerability was already being exploited, the wait for a fix was no doubt agonizing for administrators, especially for organizations running SharePoint Server 2016, which took an extra day to be updated. SharePoint Server 2016 is currently in Extended Support, due to end on July 14, 2026.
Chief technology officer at NordVPN, Marijus Briedis, commented: “The SharePoint vulnerability is exactly what happens when organizations treat security updates as optional. We’re looking at unauthenticated access to systems with full access to SharePoint content, enabling attackers to execute code over the network, a complete compromise.”
Briedis added: “When your employer, bank, or healthcare provider gets hit through SharePoint, the consumer pays the price. SharePoint servers often connect to other Microsoft services such as Outlook and Teams, meaning such a breach can quickly lead to data theft and password harvesting. Emails, financial records, medical data are interconnected, and once attackers are inside, they’re harvesting everything.”
“Researchers said the hack likely reached thousands of organizations globally, and that’s just what we know so far. What’s particularly concerning is that the vulnerability allows hackers to impersonate users or services even after the SharePoint server is patched. Attackers maintain access even after organizations think they’re secure.”
“Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attack applies to on-premises SharePoint servers, meaning organizations running their infrastructure are sitting ducks until they patch and completely rebuild their security posture,” said Briedis.
Microsoft has also provided guidance on how to spot successful exploitation, as did Eye Security, which first reported the zero-day vulnerability, prompting concern among SharePoint administrators over the weekend while Microsoft worked to address the issue.
Now that their servers are patched, administrators must deal with the possible consequences of a malicious intrusion. Microsoft recommends rotating the ASP.NET machine keys and restarting Internet Information Services (IIS) on all SharePoint servers.
Criminals who gained access to servers while the vulnerability was unpatched could have stolen keys to regain access, even after the patch was applied. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/07/22/microsoft_sharepoint_2016_patch/