Critical Zero-Day Vulnerability in SharePoint Server: What you need to know


Microsoft recently warned about a serious zero-day vulnerability in SharePoint Server, tracked as CVE-2025-53770. The vulnerability is being widely exploited in the wild and allows an unauthenticated attacker to remotely execute malicious code on affected servers. It is important to emphasize that only on-premises SharePoint Server installations are vulnerable; SharePoint Online in Microsoft 365 is not affected.

What's going on?

Since July 18, 2025, Microsoft has observed active attacks exploiting this vulnerability. The attackers bypass the fixes Microsoft shipped in its July security update. The attack builds on a vulnerability chain demonstrated in May 2025 at the Pwn2Own contest in Berlin, where researchers showed that a single request could give an attacker full control of a server.

Available Emergency Patches

Microsoft has now released out-of-band emergency patches for SharePoint Server 2019 and SharePoint Server Subscription Edition. For SharePoint Server 2016 an update is still in development and is expected shortly. Customers on these versions are strongly advised to install the updates immediately. Where that is not possible, Microsoft recommends temporarily disconnecting the affected servers from the Internet until they can be patched. Note that installing the patch alone does not evict an attacker who is already on the server: the key rotation and compromise checks in the following sections still apply.

Recommended Measures

To mitigate further attacks, Microsoft recommends the following:

  • Enable AMSI (Antimalware Scan Interface): AMSI integration has been enabled by default since the September 2023 security update, but verify that it is actually switched on in your farm.
  • Deploy Microsoft Defender Antivirus on all SharePoint servers. AMSI only blocks malicious requests if an antimalware engine is registered to scan them.
  • Rotate the ASP.NET machine keys after applying the updates or enabling AMSI, and restart IIS afterwards. Validation keys stolen before the fix would otherwise remain usable for forging requests the server accepts as valid.
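The key-rotation step, as an added example that is not part of the original post or of Microsoft's own guidance: a PowerShell run for the whole farm. It assumes the SharePoint Management Shell snap-in and the Update-SPMachineKey cmdlet are available (SharePoint Server 2019 / Subscription Edition); the patched build number to compare against is the one in the KB article for your version and is not repeated here.

```powershell
# Added example, not code from the original post or from Microsoft: rotate the
# ASP.NET machine keys of every web application in the farm after the update is
# installed (or AMSI is enabled), then restart IIS. Keys read out of web.config
# before the fix would otherwise still validate forged requests.
# Assumption: SharePoint Management Shell snap-in and the Update-SPMachineKey
# cmdlet (SharePoint 2019 / Subscription Edition). Run elevated on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Confirm the update is installed before rotating. Rotating on an unpatched
#    server only hands the attacker a fresh set of keys to steal.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"
Write-Host "Compare this with the build number listed in the KB for your version before continuing."

# 2. Rotate the keys for every web application, Central Administration included.
#    Update-SPMachineKey triggers the farm's machine key rotation timer job.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}
# Alternative without the cmdlet: Central Administration > Monitoring >
# Review job definitions > "Machine Key Rotation Job" > Run Now.

# 3. Restart IIS on this server (repeat on every server in the farm) so the
#    new keys are loaded and the old ones are no longer accepted.
iisreset.exe
```

The order matters: patch first, rotate second, restart third. A rotation performed before the update is installed gives no protection, because the same web shell that stole the old keys can read the new ones.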

Detection and Response

The U.S. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog and requires federal agencies to act within 24 hours of a patch becoming available. Several security companies, including the Dutch firm Eye Security, are reporting dozens of compromised servers at commercial and public organizations worldwide.

Microsoft has published technical guidance for checking whether a SharePoint server has been compromised. Two indicators to look for: the file spinstall0.aspx in the SharePoint LAYOUTS folder (the web shell used to read the server's machine keys), and IIS log entries for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a Referer of /_layouts/SignOut.aspx. If either is found, assume the machine keys have been stolen: take the affected systems offline, start a forensic investigation immediately, and rotate the keys after patching.
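A first triage pass for both indicators, as an added example that is not part of the original post or of Microsoft's guidance. The sample IIS log lines are constructed for the demonstration, not captured traffic; the LAYOUTS and log directories are the installation defaults and may differ in your farm.

```powershell
# Added example, not code from the original post or from Microsoft: check a
# SharePoint server for the two published CVE-2025-53770 indicators.
#   1. spinstall0.aspx (the key-stealing web shell) in a LAYOUTS folder
#   2. IIS log entries for POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit
#      whose Referer is /_layouts/SignOut.aspx
# Run in an elevated PowerShell on each SharePoint server. Paths are the
# defaults for the 16 (2016/2019/SE) and 15 (compatibility) hives; adjust as needed.

$LayoutsDirs = @(
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
)
$IisLogDir = 'C:\inetpub\logs\LogFiles'

function Find-SpInstallShell {
    param([string[]]$Dirs = $LayoutsDirs)
    foreach ($d in $Dirs) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        # Wildcard on purpose, so renamed copies (spinstall1.aspx etc.) are also listed.
        Get-ChildItem -LiteralPath $d -Filter 'spinstall*.aspx' -File -ErrorAction SilentlyContinue |
            Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, Length
    }
}

# Parse W3C-format IIS log lines and return those matching the exploit pattern.
function Find-ToolPaneExploitRequests {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # Field order is declared in the log itself and can differ per file.
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $vals = $line -split ' '
        if ($vals.Count -ne $fields.Count) { continue }
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $vals[$i] }
        if ($rec['cs-method'] -eq 'POST' -and
            $rec['cs-uri-stem'] -match '/_layouts/15/ToolPane\.aspx$' -and
            $rec['cs-uri-query'] -match 'DisplayMode=Edit' -and
            $rec['cs(Referer)'] -match '/_layouts/SignOut\.aspx') {
            [pscustomobject]@{
                Time     = "$($rec['date']) $($rec['time'])"
                ClientIp = $rec['c-ip']
                Status   = $rec['sc-status']
                Uri      = "$($rec['cs-uri-stem'])?$($rec['cs-uri-query'])"
            }
        }
    }
}

# Constructed sample log (not real traffic): the second request should be flagged.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:11:05 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\alice 10.0.0.42 Mozilla/5.0 - 200 0 0 120
2025-07-19 02:12:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.local/_layouts/SignOut.aspx 200 0 0 310
'@ -split "`r?`n"

Find-ToolPaneExploitRequests -Lines $sample | Format-Table -AutoSize

# Real run: every IIS log on this server, then the web-shell check.
Get-ChildItem -Path $IisLogDir -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
    ForEach-Object { Find-ToolPaneExploitRequests -Lines (Get-Content -LiteralPath $_.FullName) } |
    Format-Table -AutoSize
Find-SpInstallShell | Format-Table -AutoSize
```

A hit from either function is a reason to isolate the server and preserve the logs and the file (with its timestamps) before anything is cleaned up. A clean result is not proof of absence: an attacker who already has the machine keys no longer needs the web shell, and the forged requests that follow look like ordinary authenticated traffic.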

Need help?

Should you or your organization need assistance, we would love to hear from you. Our own clients' environments have already been checked.
