Critical security vulnerability in Microsoft SharePoint on-premises (CVE-2025-53770, score of 9.8/10)
A critical security vulnerability, CVE-2025-53770 (score of 9.8), has been discovered in on-premises Microsoft SharePoint.
Large-scale exploitation of the vulnerability is underway.
This is a remote code execution (RCE) vulnerability: a malicious actor could execute arbitrary code remotely on a machine without any authentication. In other words, the attack can succeed even if access to the vulnerable server is protected by a very complex password and MFA.
Vulnerable SharePoint versions
- All SharePoint on-premises versions seem to be affected.
- SharePoint in the cloud is not affected.
Considerations on vulnerabilities with a score of 9.8
The vulnerability score is very high (9.8 on a scale of 10), which means that:
- The vulnerability can be easily exploited remotely.
- No authentication is required to exploit the vulnerability.
- The attacker does not need to know the password of the attacked server.
- The vulnerability can be exploited easily.
- The impact on the attacked target can be major.
Indicators of compromise (IOC)
- For now, the sources involved in the attack (network IOC) are as follows:
Recommended measures
- July 19, 2025: Until a patch is available, Microsoft recommends following its guidance: "Customer guidance for SharePoint vulnerability CVE-2025-53770" (MSRC Blog, Microsoft Security Response Center).
- July 21, 2025: Microsoft patches are available. Here is the link to download them.
Additional recommendations from Streamscan
- Block the network IOCs involved in the attack.
- Apply the Microsoft patches.
- Ensure that an EDR is installed on your internal SharePoint server.
- Set up geolocation to limit external connection attempts to your network.
- Ensure that your network security is actively monitored.
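The check below is an added example, not part of this advisory or of any Microsoft or Streamscan tooling: it refangs network IOCs published in defanged form (`[.]` separators, stray spaces) and looks for them in the client-IP field of the SharePoint server's IIS W3C logs. The IOC values, log lines and function names are constructed for illustration, and the addresses come from documentation ranges.

```python
import ipaddress
import re

# Constructed sample IOCs (documentation ranges), not the advisory's values.
DEFANGED_IOCS = "192[.]0[.]2[.]10 | 198[.]51[.] 100[.]7 | 203[.]0[.]113[.]300 |"

# Constructed IIS W3C log excerpt; column order comes from the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2025-07-20 08:01:12 10.0.0.5 GET /sites/team/default.aspx 443 10.0.0.23 200
2025-07-20 08:03:44 10.0.0.5 POST /_layouts/15/example.aspx 443 198.51.100.7 200
2025-07-20 08:04:02 10.0.0.5 GET /_layouts/15/example.aspx 443 192.0.2.100 404
"""

def refang(text):
    """Return (valid_ips, rejected_tokens) parsed from a defanged IOC list."""
    valid, rejected = set(), []
    for cell in re.split(r"[|,\n]", text):
        token = re.sub(r"\s+", "", cell).replace("[.]", ".")
        if not token:
            continue
        try:
            valid.add(ipaddress.ip_address(token))
        except ValueError:
            rejected.append(token)  # keep for manual review, never block blindly
    return valid, rejected

def find_ioc_hits(log_text, iocs):
    """Return (line_number, client_ip, line) for requests whose c-ip is an IOC."""
    fields, hits = [], []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may change columns mid-file
            continue
        if not line or line.startswith("#") or "c-ip" not in fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed record
        client = parts[fields.index("c-ip")]
        try:
            if ipaddress.ip_address(client) in iocs:
                hits.append((number, client, line))
        except ValueError:
            continue
    return hits
```

Matching on parsed addresses rather than substrings keeps 192.0.2.100 from being reported as a hit for 192.0.2.10.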
What is Streamscan doing to protect you?
If you are a Streamscan partner and use our technologies or MDR monitoring service, please note that:
- We have set up a crisis unit to monitor developments related to this critical vulnerability. We will implement the appropriate response measures.
- The network IOCs involved in the attack are being monitored by our security tools: Streamscan XDR, Streamscan EDR, Streamscan IDS/IPS/NDR, etc.
- Our MDR security monitoring team remains vigilant while monitoring your network.
Need help? Talk to one of our experts or call us at +1 877 208-9040.