Microsoft Confirms Hackers Exploiting SharePoint Flaws, Patch Now

Microsoft has released new security updates to fix two serious vulnerabilities affecting on-premises SharePoint servers, warning that attackers are already exploiting them in active campaigns.
The vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, are not present in SharePoint Online, but on-premises environments using SharePoint 2019 and the SharePoint Subscription Edition are directly at risk.
According to Microsoft’s updated guidance, fixes for SharePoint 2019 and Subscription Edition are now available and fully address both vulnerabilities. However, SharePoint 2016 customers are still waiting, as Microsoft says updates for that version are still in development. In the meantime, the company recommends that affected users apply existing patches, enable key protections, and prepare for additional updates.
The two vulnerabilities are dangerous because they allow attackers to execute code and plant web shells on vulnerable servers. Microsoft says these attacks have already been seen in the wild, and one clear sign of compromise is the presence of a suspicious file called spinstall0.aspx. Security analysts recommend checking SharePoint server directories for this file, as it often signals post-exploitation activity.
While fixes are available for some versions, Microsoft emphasises that patching alone is not enough. Customers should also rotate machine keys and restart IIS to fully fix the issue. These steps are particularly important for those running SharePoint Server 2019 and Subscription Edition, where patches are available today.
Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770, and CVE-2025-53771. These vulnerabilities apply to on-premises SharePoint Servers only. Customers should apply…
— Security Response (@msftsecresponse) July 21, 2025
To protect your system from exploitation, Microsoft is urging organisations to take a layered approach: update immediately, enable the Antimalware Scan Interface (AMSI), rotate machine keys, and deploy endpoint protection.
Microsoft Defender Antivirus and Defender for Endpoint are equipped to detect known behaviour tied to this threat, including specific malware signatures like HijackSharePointServer.A and SuspSignoutReq.A.
The company also recommends deploying Microsoft Defender for Endpoint or a similar threat detection tool, as it provides alerts that could flag exploitation attempts. These might show up in logs as unusual activity in w3wp.exe processes or encoded PowerShell commands tied to web shell deployment.
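The log pattern described above, as a triage sketch added here (not Microsoft's or the article's code): it flags process-creation events where w3wp.exe is the parent of a PowerShell process run with an encoded command, and decodes the command for review. The event field names, host names and sample events are constructed assumptions; map them to whatever your EDR or process-logging export provides.

```python
import base64
import ntpath

SAMPLE = "Write-Output 'constructed sample'"  # harmless constructed payload
B64 = base64.b64encode(SAMPLE.encode("utf-16-le")).decode()

# Constructed process-creation events; field names are assumptions.
EVENTS = [
    {"host": "sp01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoProfile -enc {B64}"},
    {"host": "ws07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -EncodedCommand {B64}"},
    {"host": "sp01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\health.ps1"},
]

def encoded_payload(cmdline):
    """Return decoded -EncodedCommand text, '<undecodable>', or None if no such flag."""
    tokens = cmdline.split()
    for flag, arg in zip(tokens, tokens[1:]):
        name = flag[1:].lower()
        # PowerShell accepts any prefix of EncodedCommand (-e, -enc, ...) and -ec.
        if flag[0] in "-/" and name and (name == "ec" or "encodedcommand".startswith(name)):
            try:
                return base64.b64decode(arg, validate=True).decode("utf-16-le")
            except ValueError:  # covers invalid base64 and invalid UTF-16
                return "<undecodable>"
    return None

def find_suspicious(events):
    """Flag events where w3wp.exe is the parent of an encoded PowerShell command."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["parent"]).lower() != "w3wp.exe":
            continue
        if ntpath.basename(ev["image"]).lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        decoded = encoded_payload(ev["cmdline"])
        if decoded is not None:
            hits.append({"host": ev["host"], "decoded": decoded})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(EVENTS):
        print(hit)
```

Only the first constructed event is flagged: the second has a non-IIS parent, and the third runs PowerShell from w3wp.exe without an encoded command, which this narrow rule does not cover.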
While Microsoft continues to support 2016 and 2019, older editions like SharePoint 2010 and 2013 are no longer eligible for security updates, which leaves systems running them exposed to further attacks. If you are still using an older or unsupported version of SharePoint, upgrade to the latest version.
HackRead