Critical Microsoft SharePoint Bug Lets Hackers Break Into 75 Servers — Including U.S. Agencies
Attackers are already actively exploiting a dangerous new security flaw in Microsoft SharePoint. The unpatched vulnerability, tracked as CVE-2025-53770, has been used in a serious cyberattack affecting at least 75 servers, including systems belonging to large companies and U.S. government bodies.
The vulnerability allows an attacker to take full control of a SharePoint server without logging in. It arises from the way SharePoint handles untrusted data and lets attackers execute code on the server remotely. Remote code execution of this kind can be used to steal sensitive information, upload malicious files, and maintain long-term access to an organization’s systems.
Microsoft Confirms the Threat
Microsoft has confirmed that the issue is real and that exploitation is ongoing, and says it is working urgently on a security update. In a public statement, the company said:
“Our team is actively working to release a security update and will provide additional details as they are available.”
How Serious Is the Vulnerability?
The flaw carries a score of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), marking it as critical. According to security researchers, attackers are already using the bug to steal encryption keys and install web shells, tools that give them persistent, full access to the affected servers.
Microsoft had already fixed a related bug, CVE-2025-49706, in its July 2025 security update; the new vulnerability is a variant of that bug. Attackers have found a way to bypass the earlier patch and launch fresh attacks. They are mainly using PowerShell scripts to upload malicious ASPX files that abuse SharePoint’s MachineKey configuration.
Who Is Affected?
The issue does not affect cloud-based SharePoint Online (Microsoft 365). Organizations running on-premises SharePoint Server 2016, SharePoint Server 2019, or SharePoint Server Subscription Edition are at risk. With 75 servers already breached, experts warn that the threat is widespread and ongoing.
What Has Microsoft Advised?
Until a patch is released, Microsoft has published interim mitigations for teams managing on-premises SharePoint servers:
- Turn on the Antimalware Scan Interface (AMSI) integration and make sure Microsoft Defender Antivirus is running on all SharePoint servers.
- If AMSI cannot be enabled, disconnect the server from the internet until a patch is available.
- Use Microsoft Defender for Endpoint to detect suspicious activity, such as unexpected ASPX files like spinstall0.aspx appearing on the server.
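The file-hunting step in the last bullet, written out as an added PowerShell example that is not from the article or from Microsoft: it lists ASPX files under folders the caller supplies, flags the spinstall0.aspx name the article cites, flags ASPX files created after a cut-off date, and compares against an optional SHA-256 baseline taken earlier. The scan paths, the 14-day cut-off and the baseline file are assumptions for this example.

```powershell
# Added detection example (not the article's or Microsoft's code).
# $ScanPath: web-server folder(s) to inspect, e.g. the farm's LAYOUTS folder
#            (assumption: the caller knows the right paths for their farm).
# $BaselineCsv: optional Path,Hash rows produced earlier with
#   Get-ChildItem <folder> -Recurse -Filter *.aspx | Get-FileHash -Algorithm SHA256 |
#   Export-Csv baseline.csv -NoTypeInformation
param(
    [Parameter(Mandatory = $true)][string[]]$ScanPath,
    [datetime]$Since = (Get-Date).AddDays(-14),     # assumed review window
    [string[]]$KnownBad = @('spinstall0.aspx'),     # indicator named in the article
    [string]$BaselineCsv
)

$baseline = @{}
if ($BaselineCsv -and (Test-Path -Path $BaselineCsv)) {
    Import-Csv -Path $BaselineCsv | ForEach-Object { $baseline[$_.Path] = $_.Hash }
}

$findings = foreach ($f in Get-ChildItem -Path $ScanPath -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue) {
    $reasons = @()
    if ($KnownBad -contains $f.Name) { $reasons += 'known indicator file name' }
    # Creation time is a triage hint only: legitimate updates also drop files,
    # and an intruder can alter timestamps, so the hash baseline is the stronger check.
    if ($f.CreationTimeUtc -ge $Since.ToUniversalTime()) { $reasons += "created after $($Since.ToString('u'))" }
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    if ($baseline.Count -gt 0) {
        if (-not $baseline.ContainsKey($f.FullName)) { $reasons += 'not present in baseline' }
        elseif ($baseline[$f.FullName] -ne $hash)   { $reasons += 'hash differs from baseline' }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Path    = $f.FullName
            Created = $f.CreationTimeUtc
            SHA256  = $hash
            Reason  = ($reasons -join '; ')
        }
    }
}

if ($findings) {
    $findings | Sort-Object -Property Created -Descending | Format-Table -AutoSize
    # Preserve copies (and the hashes above) before removing anything, so incident
    # responders can analyse the web shell and trace how it was placed.
    Write-Warning "$(@($findings).Count) ASPX file(s) need review under: $($ScanPath -join ', ')"
} else {
    Write-Host "No unexpected ASPX files found under: $($ScanPath -join ', ')"
}
```

Run it on each SharePoint server in the farm with the folders served by IIS; a hit on the known indicator name or on a file absent from the baseline should be treated as a probable compromise, not just a patching gap.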
Final Words
This breach is another reminder that even widely trusted platforms like Microsoft SharePoint can contain hidden weaknesses. IT teams running on-premises SharePoint servers should act immediately by applying Microsoft’s interim mitigations and watching for unusual activity.
Microsoft has not yet released a fix but has confirmed it is a top priority. In the meantime, affected organizations are urged to remain alert, follow official guidance, and be ready to patch their systems as soon as the update becomes available.