There is a new critical (9.8 severity) zero-day Remote Code Execution vulnerability affecting all supported versions of SharePoint Server (and possibly unsupported versions too). It does not affect SharePoint Online. Please note: this is being actively exploited now, "and spreading rapidly".

Microsoft have released patches, but applying the patch alone is not enough: the ASP.NET machine keys may already have been compromised and need to be rolled over. Microsoft also recommends enabling the Anti-Malware Scan Interface (AMSI) integration, which has been on by default since the September 2023 security update and the 23H2 feature update (but which may not have been applied in every environment). If that update has not been applied, be aware that it is one of the more complex SharePoint Server patching processes, not a simple Windows security update.
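As an added illustration of the key roll-over step (not code from the original post or from Microsoft), the following PowerShell rotates the ASP.NET machine keys for every web application in the farm after the patch is applied. It assumes SharePoint Server 2019 or Subscription Edition, where the Update-SPMachineKey cmdlet exists, and an elevated SharePoint Management Shell run as a farm administrator.

```powershell
# Added example: rotate the ASP.NET machine keys of every SharePoint web
# application once the security update is installed, so that any key an
# attacker may have captured before patching is no longer valid.
# Assumption: SharePoint Server 2019 / Subscription Edition (Update-SPMachineKey
# is available) and an elevated SharePoint Management Shell as farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Include Central Administration so its keys are rotated too.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($app in $webApps) {
    Write-Output "Rotating machine key for $($app.Url)"
    # Generates new validation/decryption keys for this web application and
    # deploys them to the servers in the farm.
    Update-SPMachineKey -WebApplication $app
}

# The new keys are only picked up after IIS reloads; run this on every
# SharePoint server in the farm, not just the one where the script ran.
iisreset.exe
```

Rotating keys does not remove anything an attacker already planted; it only invalidates keys that were stolen, so it complements rather than replaces the patch and a review of the affected servers.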
Background:
Microsoft Fix Targets Attacks on SharePoint Zero-Day – Krebs on Security
SharePoint 0-day uncovered (CVE-2025-53770)
Customer guidance for SharePoint vulnerability CVE-2025-53770 | MSRC Blog | Microsoft Security Response Center
CVE-2025-53770 - Security Update Guide - Microsoft - Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2025-53771 - Security Update Guide - Microsoft - Microsoft SharePoint Server Spoofing Vulnerability