{"id":519025,"date":"2025-07-22T11:10:39","date_gmt":"2025-07-22T18:10:39","guid":{"rendered":"https:\/\/jorgep.com\/blog\/?p=519025"},"modified":"2026-02-18T13:02:12","modified_gmt":"2026-02-18T20:02:12","slug":"july-2025-sharepoint-onprem-vulnerabilities-exec-summary","status":"publish","type":"post","link":"https:\/\/jorgep.com\/blog\/july-2025-sharepoint-onprem-vulnerabilities-exec-summary\/","title":{"rendered":"July 2025 SharePoint (onPrem) Vulnerabilities &#8211; Exec Summary"},"content":{"rendered":"\n<p>This is getting a lot of attention in the news cycle and it seems to be pretty significant for some customers. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"summary\">Summary<\/h2>\n\n\n\n<p>Microsoft has disclosed several critical vulnerabilities affecting <strong>on-premises SharePoint Server<\/strong> environments. These flaws are being actively exploited by advanced threat actors to gain unauthorized access, execute remote code, and bypass security controls.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"affectedversions\">Affected Versions<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SharePoint Server 2016<\/li>\n\n\n\n<li>SharePoint Server 2019<\/li>\n\n\n\n<li>SharePoint Server Subscription Edition<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote has-large-font-size is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Note:<\/strong> SharePoint Online (Microsoft 365) is not impacted.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"vulnerabilityoverview\">Vulnerability Overview<\/h2>\n\n\n\n<p>The most critical issue, <strong>CVE-2025-53770<\/strong>, allows attackers to exploit ASP.NET machine key configurations to impersonate users and execute arbitrary code. Additional vulnerabilities include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CVE-2025-53771<\/strong> \u2013 Security bypass<\/li>\n\n\n\n<li><strong>CVE-2025-49706<\/strong> \u2013 Spoofing<\/li>\n\n\n\n<li><strong>CVE-2025-49704<\/strong> \u2013 Remote code execution<\/li>\n<\/ul>\n\n\n\n<p>These vulnerabilities are being used in multi-stage attacks that begin with SharePoint exploitation and escalate to broader network compromise.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"whatisazte\">What Is a ZTE?<\/h2>\n\n\n\n<p><strong>Zero Trust Exploits (ZTEs)<\/strong> refer to vulnerabilities or attack techniques that undermine the principles of a <strong>Zero Trust Architecture<\/strong>\u2014a security model that assumes no implicit trust, even within the network perimeter. In this case, attackers are exploiting SharePoint to gain initial access and then move laterally, bypassing identity and access controls that Zero Trust is designed to enforce.<\/p>\n\n\n\n<p>While the vulnerabilities themselves are not exclusive to Zero Trust environments, their exploitation highlights gaps in enforcement and monitoring that Zero Trust strategies aim to mitigate.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"recommendedactions\">Recommended Actions<\/h2>\n\n\n\n<p>To protect your environment, Microsoft recommends the following steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Apply July 2025 security updates<\/strong> for all affected SharePoint versions.<\/li>\n\n\n\n<li><strong>Rotate ASP.NET machine keys<\/strong> to invalidate attacker persistence.<\/li>\n\n\n\n<li><strong>Enable AMSI (Antimalware Scan Interface)<\/strong> in Full Mode.<\/li>\n\n\n\n<li><strong>Deploy endpoint protection<\/strong>, such as Microsoft Defender for Endpoint.<\/li>\n\n\n\n<li><strong>Restart IIS<\/strong> after applying updates and configuration changes.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"microsoftreferences\">Microsoft References<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\">Customer Guidance for CVE-2025-53770<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/\">Microsoft Security Blog \u2013 Active Exploitation<\/a><\/li>\n\n\n\n<li>Security Update KB5002768 \u2013 SharePoint Subscription Edition<\/li>\n\n\n\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=104002\" target=\"_blank\" rel=\"noreferrer noopener\">Security Update KB5002754 \u2013 SharePoint Server 2019<\/a><\/li>\n\n\n\n<li>Security Update KB5002760 \u2013 SharePoint Server 2016<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is getting a lot of attention in the news cycle and it seems to be pretty significant for some customers. Summary Microsoft has disclosed several critical vulnerabilities affecting on-premises SharePoint Server environments. These flaws are being actively exploited by advanced threat actors to gain unauthorized access, execute remote code, and bypass security controls. Affected&#8230;<\/p>\n","protected":false},"author":2,"featured_media":368574,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","episode_type":"","audio_file":"","podmotor_file_id":"","podmotor_episode_id":"","cover_image":"","cover_image_id":"","duration":"","filesize":"","filesize_raw":"","date_recorded":"","explicit":"","block":"","itunes_episode_number":"","itunes_title":"","itunes_season_number":"","itunes_episode_type":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[681,441],"tags":[836,742,920,764],"class_list":["post-519025","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-moderneuc2","category-tech-talk","tag-cyberattacks","tag-moderneuc1","tag-security-breaches","tag-sharepoint"],"taxonomy_info":{"category":[{"value":681,"label":"ModernEUC"},{"value":441,"label":"Tech Talk"}],"post_tag":[{"value":836,"label":"cyberattacks"},{"value":742,"label":"ModernEUC"},{"value":920,"label":"Security Breaches"},{"value":764,"label":"Sharepoint"}]},"featured_image_src_large":["https:\/\/jorgep.com\/blog\/wp-content\/uploads\/CyberSecurity-FeaturedImage2-730x430-1.jpg",730,430,false],"author_info":{"display_name":"Jorge Pereira","author_link":"https:\/\/jorgep.com\/blog\/author\/jorge\/"},"comment_info":0,"category_info":[{"term_id":681,"name":"ModernEUC","slug":"moderneuc2","term_group":0,"term_taxonomy_id":691,"taxonomy":"category","description":"","parent":0,"count":261,"filter":"raw","cat_ID":681,"category_count":261,"category_description":"","cat_name":"ModernEUC","category_nicename":"moderneuc2","category_parent":0},{"term_id":441,"name":"Tech Talk","slug":"tech-talk","term_group":0,"term_taxonomy_id":451,"taxonomy":"category","description":"","parent":0,"count":670,"filter":"raw","cat_ID":441,"category_count":670,"category_description":"","cat_name":"Tech Talk","category_nicename":"tech-talk","category_parent":0}],"tag_info":[{"term_id":836,"name":"cyberattacks","slug":"cyberattacks","term_group":0,"term_taxonomy_id":846,"taxonomy":"post_tag","description":"","parent":0,"count":4,"filter":"raw"},{"term_id":742,"name":"ModernEUC","slug":"moderneuc1","term_group":0,"term_taxonomy_id":752,"taxonomy":"post_tag","description":"","parent":0,"count":284,"filter":"raw"},{"term_id":920,"name":"Security Breaches","slug":"security-breaches","term_group":0,"term_taxonomy_id":930,"taxonomy":"post_tag","description":"","parent":0,"count":4,"filter":"raw"},{"term_id":764,"name":"Sharepoint","slug":"sharepoint","term_group":0,"term_taxonomy_id":774,"taxonomy":"post_tag","description":"","parent":0,"count":3,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts\/519025","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/comments?post=519025"}],"version-history":[{"count":1,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts\/519025\/revisions"}],"predecessor-version":[{"id":519026,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts\/519025\/revisions\/519026"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/media\/368574"}],"wp:attachment":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/media?parent=519025"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/categories?post=519025"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/tags?post=519025"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}