
Responding to the Microsoft SharePoint CVEs

On July 19, 2025, Microsoft disclosed two vulnerabilities in on-premises SharePoint Server (CVE-2025-53770 and CVE-2025-53771), the first of which was already being exploited in the wild. This document provides an overview of the steps you can take to protect your organization and your third-party network, as well as a summary of our investigation and mitigation efforts.

Description

SharePoint Server is a platform that enables organizations to create websites, manage documents, and facilitate team collaboration. These vulnerabilities affect on-premises SharePoint Server 2016, 2019, and Subscription Edition, and chained together (the chain is publicly known as "ToolShell") they allow an unauthenticated attacker to execute arbitrary code on a vulnerable server. They bypass the fixes Microsoft shipped on July 8, 2025 for the related CVE-2025-49704 and CVE-2025-49706, so a server that only has the July 8 updates is still exposed.

  • CVE-2025-53770 is a critical remote code execution vulnerability caused by deserialization of untrusted data; no authentication is required to exploit it.
  • CVE-2025-53771 is a spoofing vulnerability (a path traversal weakness) that lets an attacker reach the ToolPane.aspx page without authenticating by sending a crafted Referer header, which is the entry point used to trigger CVE-2025-53770.

Given SharePoint's extensive deployment across enterprise environments for document management, collaboration, and business processes, these vulnerabilities could have significant implications for organizations that rely on on-premises SharePoint infrastructure.

Severity and Impact

CVE-2025-53770 has been assigned a 'Critical' severity rating with a CVSS score of 9.8, while CVE-2025-53771 has a CVSS score of 6.3. In the observed attacks the two are chained against default SharePoint Server configurations, enabling unauthenticated remote exploitation. The consequences include:

  • Complete system compromise through remote code execution
  • Unauthorized access to sensitive documents and data stored in SharePoint
  • Lateral movement within the network using compromised SharePoint servers
  • Disruption of business-critical collaboration services
  • Theft of the server's ASP.NET machine keys (ValidationKey and DecryptionKey), which let the attacker forge signed __VIEWSTATE payloads and keep executing code even after the server is patched, unless the keys are rotated

It is important to quickly assess the impact and risk both internally and within your third-party population. Take action now and follow these steps to assess the potential impact to systems and remediate accordingly.

Step 1: Determine if you are at risk.

  • If you or a third party run on-premises SharePoint Server 2016, 2019, or Subscription Edition and have not installed the July 2025 security updates that address these CVEs, the system is vulnerable to both CVE-2025-53770 and CVE-2025-53771.
  • SharePoint Online in Microsoft 365 is managed by Microsoft and is not affected.
  • To assess whether your third parties are vulnerable, customers can use the SharePoint Security Questionnaire in the Whistic platform, available in our Questionnaire Standards Library.
  • Review your SharePoint Server inventory to identify all on-premises installations, their current build numbers, and whether they are reachable from the internet; internet-facing servers were the ones targeted in the observed attacks.

Step 2: Immediately patch affected systems.

  • Ensure your IT security team is aware of both vulnerabilities and of the security updates Microsoft released on July 20 and 21, 2025 (KB5002768 for Subscription Edition, KB5002754 for SharePoint Server 2019, and KB5002760 for SharePoint Server 2016).
  • Prioritize patching of SharePoint Server installations immediately, internet-facing servers first.
  • Apply Microsoft's security updates for both CVE-2025-53770 and CVE-2025-53771 following your organization's change management procedures.
  • After installing the update, rotate the ASP.NET machine keys on every server in the farm (the Update-SPMachineKey cmdlet or the Machine Key Rotation timer job in Central Administration) and restart IIS. Patching alone does not invalidate keys that were already stolen.

Step 3: Implement additional protective measures.

  • Enable SharePoint's AMSI integration with an antimalware product such as Microsoft Defender Antivirus; Microsoft reports that this blocks the unauthenticated exploitation seen in the wild. If AMSI cannot be enabled and the update cannot yet be installed, disconnect the server from the internet until it is patched.
  • Monitor IIS and SharePoint ULS logs for POST requests to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx, and check the LAYOUTS directory for the file spinstall0.aspx. Treat the presence of spinstall0.aspx as confirmed compromise and assume the machine keys have been stolen.
  • Consider network segmentation to isolate SharePoint Server systems from critical infrastructure.
  • Update incident response procedures to include SharePoint-specific indicators of compromise.
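The following PowerShell script is an added example for this advisory, not code from Microsoft, Whistic, or the original page. It ties Steps 1 to 3 together on a single SharePoint server: it records the farm build so you can compare it with the July 2025 KB for your edition, looks for the spinstall0.aspx web shell that Microsoft's guidance names, scans IIS W3C logs for the request pattern used in the attacks, and, once the update is installed, rotates the ASP.NET machine keys. The default LAYOUTS and IIS log paths, the function name Find-ToolShellRequests, and the sample log lines are assumptions; the sample lines are constructed, not real traffic.

```powershell
# Added example (not Microsoft's or Whistic's code). Run in the SharePoint Management
# Shell as a farm administrator on each on-premises SharePoint server.
# Assumptions: default LAYOUTS and IIS log locations; sample log lines are constructed.
[CmdletBinding()]
param(
    [string]$IisLogPath = "$env:SystemDrive\inetpub\logs\LogFiles",  # assumed default IIS log root
    [switch]$RotateMachineKeys                                         # only after the July 2025 update is installed
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Patch level: the farm build must be at or above the build listed in the July 2025 KB for your edition.
$build = (Get-SPFarm).BuildVersion
Write-Host "Farm build: $build (compare with the build in the July 2025 security update KB for your edition)"

# 2. Known post-exploitation artefact: Microsoft's guidance names spinstall0.aspx dropped into LAYOUTS.
#    The wildcard also catches renamed copies; any hit is a confirmed compromise, not an attempt.
$layouts = "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
Get-ChildItem -Path $layouts -Filter 'spinstall*.aspx' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Possible web shell: $($_.FullName) created $($_.CreationTimeUtc)" }

# 3. IIS W3C logs: the exploit POSTs to ToolPane.aspx with a Referer of /_layouts/SignOut.aspx
#    and then fetches spinstall0.aspx to read the machine keys. The #Fields: header is parsed
#    so the column order of your log configuration does not matter.
function Find-ToolShellRequests {
    param([string[]]$Lines)
    $idx  = @{}   # field name -> column index, rebuilt at every #Fields: header
    $hits = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $names = ($line -replace '^#Fields:\s*', '') -split '\s+'
            $idx = @{}
            for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '' -or $idx.Count -eq 0) { continue }
        $cols = $line.Trim() -split '\s+'
        $get = { param($n) if ($idx.ContainsKey($n) -and $idx[$n] -lt $cols.Count) { $cols[$idx[$n]] } else { '' } }
        $method  = & $get 'cs-method'
        $stem    = & $get 'cs-uri-stem'
        $query   = & $get 'cs-uri-query'
        $referer = & $get 'cs(Referer)'
        $ip      = & $get 'c-ip'
        $reason = $null
        if ($method -eq 'POST' -and $stem -match '/_layouts/(15/)?ToolPane\.aspx$' -and $referer -match 'SignOut\.aspx') {
            $reason = 'ToolPane.aspx POST with SignOut.aspx Referer (auth bypass + deserialization)'
        } elseif ($stem -match '/_layouts/(15/)?spinstall\w*\.aspx$') {
            $reason = 'Request to spinstall*.aspx (machine-key exfiltration web shell)'
        }
        if ($reason) {
            $hits += [pscustomobject]@{ ClientIP = $ip; Method = $method; Uri = "$stem?$query"; Referer = $referer; Reason = $reason }
        }
    }
    return $hits
}

# Constructed sample lines (not real traffic) showing what a hit looks like: the two 203.0.113.9 lines match.
$sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status',
    '2025-07-19 02:11:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\alice 10.0.0.40 Mozilla/5.0 - 200',
    '2025-07-19 02:11:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200',
    '2025-07-19 02:11:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200'
)
Find-ToolShellRequests -Lines $sample | Format-Table -AutoSize

# Scan the server's own IIS logs the same way.
Get-ChildItem -Path $IisLogPath -Filter '*.log' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    Find-ToolShellRequests -Lines (Get-Content $_.FullName)
} | Format-Table -AutoSize

# 4. After patching: rotate the ASP.NET machine keys so stolen ValidationKey/DecryptionKey values
#    can no longer be used to forge __VIEWSTATE payloads, then restart IIS. If Update-SPMachineKey
#    is not present on your build, run the Machine Key Rotation timer job from Central Administration.
if ($RotateMachineKeys) {
    Get-SPWebApplication | ForEach-Object { Update-SPMachineKey -WebApplication $_ }
    iisreset
}
```

The log check depends on the cs(Referer) field, which is part of the default W3C field set in IIS; confirm it has not been removed from the site's logging configuration, otherwise only the spinstall*.aspx request pattern will match. Run the script with -RotateMachineKeys only once the July 2025 update is installed on every server in the farm, because rotating keys on an unpatched server leaves it open to being re-exploited and the keys stolen again.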

Does this affect Whistic?

Whistic does not deploy on-premises SharePoint Server installations that would be affected by these vulnerabilities.

We maintain a structured approach to vulnerability identification and remediation using automated security scanning technologies throughout our development lifecycle and in our production environments. Our security team continuously monitors for emerging threats and ensures our infrastructure remains protected against known vulnerabilities.

Additional Resources

For questions about third-party risk management related to these vulnerabilities, contact your Whistic customer success team or visit our platform to access relevant security questionnaires.
