Overview
Microsoft Defender Vulnerability Management (MDVM) is aware of active attacks targeting on-premises SharePoint Server customers:

| CVE | Type | CVSS v3.1 | Patch status |
| --- | --- | --- | --- |
| CVE‑2025‑49704 | Improper control of code generation → authenticated RCE | 8.8 (High) | Fixed in the 8 July 2025 security updates: Subscription Edition KB 5002768, SharePoint Server 2019 KB 5002741, SharePoint Server 2016 KB 5002744 (source: Microsoft Support) |
| CVE‑2025‑49706 | Improper authentication / spoofing | 6.3 (Medium) | Fixed in the same 8 July 2025 updates (KB 5002768 / 5002741 / 5002744) (source: Microsoft Support) |
| CVE‑2025‑53770 | Deserialization of untrusted data → unauthenticated RCE | 9.8 (Critical) | Emergency patch released for Subscription Edition KB 5002768 and SharePoint 2019 KB 5002754; patch for SharePoint 2016 is still pending (source: Microsoft Security Response Center) |
| CVE‑2025‑53771 | Path traversal / spoofing | 6.3 (Medium) | Addressed by the same emergency updates as CVE‑2025‑53770 (SE KB 5002768, 2019 KB 5002754); SharePoint 2016 fix forthcoming (source: Microsoft Security Response Center) |
In this blog post, we will show you how to effectively manage these CVEs if your organization is affected by them.
Impact
- Immediate threat to SharePoint infrastructure, especially for externally exposed instances.
- Unauthenticated attackers can exploit CVE-2025-53770 to take over servers without credentials.
- Older versions (2013/2010) remain vulnerable with no patch expected; they must be isolated or decommissioned.
Affected Products & Versions

| Product | CVE‑2025‑49704 | CVE‑2025‑49706 | CVE‑2025‑53770 | CVE‑2025‑53771 |
| --- | --- | --- | --- | --- |
| SharePoint Server Subscription Edition | ✅ Affected | ✅ Affected | ✅ Affected | ✅ Affected |
| SharePoint Server 2019 | ✅ Affected | ✅ Affected | ✅ Affected | ✅ Affected |
| SharePoint Server 2016 | ✅ Affected | ✅ Affected | ✅ Affected | ✅ Affected |
| SharePoint Online | ❌ Not affected | ❌ Not affected | ❌ Not affected | ❌ Not affected |
Mapping Exposure in MDVM
The first step in managing an incident is to map affected software within your organization’s assets.
Vulnerability pages
Browse to Vulnerability management ▸ Weaknesses and filter by the CVEs listed above to view exposed devices, remediation status, and Evidence of Exploitation tags.
Unified Advanced Hunting query

```kusto
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-49706", "CVE-2025-49704", "CVE-2025-53770", "CVE-2025-53771")
| summarize by DeviceName, CveId
```

Inventory query (fallback)

```kusto
DeviceTvmSoftwareInventory
| where SoftwareVendor == "microsoft" and SoftwareName has "sharepoint"
| project DeviceName, SoftwareName, SoftwareVersion
```
Detection & Coverage (MDE)
MDVM currently provides coverage for all four CVEs on devices onboarded to Microsoft Defender for Endpoint (MDE), under both MDE and Microsoft Defender for Cloud (MDC) subscriptions.
We strongly advise you to follow the up-to-date guidance on the MSRC blog: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
Mitigation & Best Practices
- Patch ASAP where updates exist. Monitor MSRC for SPSE (SharePoint Server Subscription Edition) and 0‑day fixes.
- Enable AMSI scanning:
  - Make sure you have an antivirus or endpoint security product installed and actively running on every host that can block threats detected by AMSI.
  - Enable AMSI scanning (Central Admin ▸ Security ▸ AMSI Settings ▸ Enable) on every supported host (SharePoint 2016 running on Windows Server 2012 R2 cannot enable AMSI).
  - Configure AMSI integration with SharePoint Server: https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration
- Rotate the MachineKey twice (before triage and after patching) to invalidate stolen keys that can be used to sign ViewState payloads for subsequent remote code execution attacks.
- Temporarily remove public exposure by tunnelling Web Front Ends behind VPN/ZTNA or blocking TCP 80/443 externally.
- Hunt for indicators – search IIS logs for /_layouts/15/toolpane.aspx requests missing X‑RequestDigest, unexpected .aspx uploads, and outbound network beacons from w3wp.exe.
- Isolate suspected hosts via MDE ▸ Isolate device and collect memory plus SharePoint ULS logs.
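The indicator hunt above can be combined with the MDVM exposure query so that only devices actually exposed to these CVEs are reviewed. The following Advanced Hunting query is an added example, not part of the original post or of any Microsoft guidance; it uses the standard Defender XDR schema tables and assumes a 30-day lookback and the `\LAYOUTS\` / `\wwwroot\` paths as the SharePoint web-root locations of interest:

```kusto
// Added example: correlate MDVM exposure with the two behavioural
// indicators named above (outbound beacons from w3wp.exe, unexpected
// .aspx writes). Lookback window and path filters are assumptions.
let SharePointCves = dynamic([
    "CVE-2025-49704", "CVE-2025-49706",
    "CVE-2025-53770", "CVE-2025-53771"]);
// Devices MDVM reports as exposed to any of the four CVEs.
let Exposed = DeviceTvmSoftwareVulnerabilities
    | where CveId in (SharePointCves)
    | summarize Cves = make_set(CveId) by DeviceId, DeviceName;
// 1. Outbound connections to public IPs initiated by the IIS worker
//    process. Legitimate traffic (updates, Office Online Server, etc.)
//    will appear here too, so tune the allow-list for your estate.
let Beacons = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where InitiatingProcessFileName =~ "w3wp.exe"
    | where RemoteIPType == "Public"
    | summarize Connections = count(), Remotes = make_set(RemoteIP, 20) by DeviceId;
// 2. .aspx files created by w3wp.exe under the SharePoint web root.
let AspxDrops = DeviceFileEvents
    | where Timestamp > ago(30d)
    | where ActionType == "FileCreated"
    | where InitiatingProcessFileName =~ "w3wp.exe"
    | where FileName endswith ".aspx"
    | where FolderPath has_any ("\\LAYOUTS\\", "\\wwwroot\\")
    | summarize Files = make_set(FolderPath, 20) by DeviceId;
// Only exposed devices that also show at least one indicator.
Exposed
| join kind=leftouter Beacons on DeviceId
| join kind=leftouter AspxDrops on DeviceId
| where isnotnull(Connections) or isnotnull(Files)
| project DeviceName, Cves, Connections, Remotes, Files
```

A non-empty result is a triage lead, not a confirmed compromise: follow it with the isolation and ULS/memory collection steps listed above.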
Coverage & Roadmap
- MDVM vulnerability records now include CVSS scores and zero-day flags for the CVEs listed above.
- Microsoft is fast‑tracking cumulative patches for CVE‑2025‑53770; ETA updates will appear in MSRC.
Conclusion
By combining rapid patching, AMSI enforcement, double MachineKey rotation, and MDVM’s exposure insights, defenders can drastically reduce the blast radius of these SharePoint attacks. Keep monitoring MSRC advisories as the situation evolves.