Critical Zero-Day Vulnerability in SharePoint Server: What you need to know


Microsoft recently warned about a serious zero-day vulnerability in SharePoint Server, registered as CVE-2025-53770. This vulnerability is currently being widely exploited and allows attackers to remotely execute malicious code on affected servers. It is important to emphasize that only on-premises SharePoint installations are vulnerable; SharePoint Online in Microsoft 365 is not susceptible to this attack.

What's going on?

Since July 18, Microsoft has been detecting active attacks that exploit this vulnerability. The attackers manage to bypass existing security measures introduced earlier in July. The method of attack is based on a previously discovered vulnerability that was demonstrated in May during the Pwn2Own event in Berlin. Researchers then showed that it is possible to gain full control of a server with just one request.

Available Emergency Patches

Microsoft has now released emergency patches for SharePoint Server 2019 and the Subscription Edition. For SharePoint Server 2016, an update is still in development but is expected soon. Customers using these versions are strongly advised to install the updates immediately. If this is not possible, Microsoft recommends temporarily disconnecting the affected servers from the Internet to prevent further damage.

Recommended Measures

To mitigate further attacks, Microsoft recommends the following:

  • Enable AMSI (Antimalware Scan Interface): AMSI has been enabled by default since September 2023, but verify that it is still enabled.
  • Install Defender Antivirus on all SharePoint servers.
  • Rotate ASP.NET machine keys after applying the updates or activating AMSI. This prevents previously stolen validation keys from being reused.

Detection and Response

The U.S. CISA has added this vulnerability to its catalog of known threats and requires government agencies to take action within 24 hours of the availability of a patch. Several security companies, including Dutch company Eye Security, are now reporting dozens of breaches at both commercial and public organizations worldwide.

Microsoft has published technical documentation with instructions for checking whether a SharePoint server has been compromised. When checking, look for the suspicious file spinstall0.aspx or suspicious HTTP requests in the IIS logs. If either is found, it is recommended that a forensic investigation be initiated immediately and the affected systems taken offline.
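One way to run the IIS log check described above on exported log files, as an added example that is not taken from Microsoft's documentation or from this article. The sample log lines, IP addresses, and URL directory are constructed placeholders; only the file name spinstall0.aspx comes from the text.

```python
import io

INDICATOR = "spinstall0.aspx"  # file name named in the article

# Constructed sample in IIS W3C extended log format. The directory in the
# URLs is a placeholder and the IPs are documentation-range addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-07-19 08:01:12 GET /some/path/start.aspx 198.51.100.7 200
2025-07-19 08:03:40 GET /some/path/SPINSTALL0.ASPX 203.0.113.9 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-07-19 09:15:02 192.0.2.44 GET /some/path/spinstall0.aspx 404
2025-07-19 09:16:30 192.0.2.44 GET /sites/hr/default.aspx 200
"""

def find_hits(lines, indicator=INDICATOR):
    """Return one record per request whose URL file name is the indicator."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The column layout is declared in the log and can change
            # mid-file, so never rely on fixed column positions.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        # Compare only the file name, case-insensitively: IIS serves
        # SPINSTALL0.ASPX and spinstall0.aspx as the same resource.
        if stem.rsplit("/", 1)[-1].lower() != indicator:
            continue
        status = row.get("sc-status", "-")
        hits.append({
            "when": f'{row.get("date", "-")} {row.get("time", "-")}',
            "client": row.get("c-ip", "-"),
            "method": row.get("cs-method", "-"),
            "status": status,
            # A 2xx status means IIS answered the request successfully;
            # a 404 means the file was requested but not found.
            "served": status.startswith("2"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_hits(io.StringIO(SAMPLE_LOG)):
        print(hit)
```

Any hit warrants the follow-up the article describes; a hit with a 2xx status is the stronger signal because the server returned a response for that file.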

Need help?

Should you or your organization need assistance, we would love to hear from you. Our clients have now been verified.
