Critical security vulnerability in Microsoft SharePoint on prem (CVE-2025-53770 score of 9.8/10)

A critical security vulnerability CVE-2025-53770 (score of 9.8) has been discovered in Microsoft SharePoint on prem.

A massive exploitation of the vulnerability is underway.

This RCE (Remote Code Execution) type vulnerability presents the risk that a malicious actor could execute arbitrary code remotely on a machine, without requiring any authentication. In other words, the attack can be successful even if you use a very complex password with MFA to access the server with the RCE vulnerability.

Vulnerable SharePoint versions

• All SharePoint on Prem versions seem to be affected.
• SharePoint in the cloud is not affected.

Considerations on vulnerabilities with a score of 9.8

The vulnerability score is very high (9.8 on a scale of 10), which means that:

• The vulnerability can be easily exploited remotely.
• No authentication is required to exploit the vulnerability.
• The attacker does not need to know the password of the attacked server
• The vulnerability can be exploited easily.
• The impacts can be major on the target attacked

Indicators of compromise (IOC)

• For now, the sources involved in the attack (network IOC) are as follows: 

101[.]99[.]91[.]107

104[.]234[.] 140[.]138

38[.]180[.]148[.]215

102[.]129[.]235[.]108

104[.]234[.] 140[.]139

38[.]244[.] 138[.]83

103[.]172[.]41[.]210

104[.]234[.] 140[.]141

38[.]54[.] 126[.]186

104[.]234[.] 140[.]116

104[.]234[.] 140[.]142

38[.]54[.]13[.]208

104[.]234[.] 140[.]117

104[.]234[.] 140[.]143

38[.]54[.]59[.]96

104[.]234[.] 140[.]118

104[.]234[.]140[.]121

38[.]54[.]97[.]158

104[.]234[.] 140[.]119

104[.]234[.]140[.]136

38[.]60[.]245[.]99

104[.]234[.] 140[.]120

104[.]234[.]140[.]137

43[.]228[.]217[.]26

104[.]234[.] 140[.]122

104[.]234[.]140[.]140

45[.]127[.]34[.]106

104[.]234[.] 140[.]123

121[.]237[.]80[.]241

45[.]135[.]232[.]2

104[.]234[.] 140[.]124

121[.]237[.]80[.]248

45[.]135[.]232[.]2

104[.]234[.] 140[.]125

123[.]253[.]32[.]172

45[.]77[.] 162[.]224

104[.]234[.] 140[.]126

139[.]162[.]47[.]194

62[.]192[.]175[.]142

104[.]234[.] 140[.]127

149[.]88[.]86[.]125

64[.]176[.]50[.]109

104[.]234[.] 140[.]128

154[.]90[.]62[.]202

78[.]128[.]113[.]30

104[.]234[.] 140[.]129

158[.]247[.]226[.]88

80[.]209[.]243[.]221

104[.]234[.] 140[.]130

181[.]16[.]40[.] 119

89[.]31[.]121[.]101

104[.]234[.] 140[.]131

185[.]217[.]69[.]124

91[.]219[.]238[.]78

104[.]234[.] 140[.]132

210[.]184[.]128[.]216

92[.]38[.]162[.]11

104[.]234[.] 140[.]133

223[.]104[.]125[.]59

94[.]158[.]247[.]12

104[.]234[.] 140[.]134

31[.]171[.]130[.]5

104[.]234[.] 140[.]135

38[.]154[.]237[.]100

Recommended measures

• July 19, 2025: Until a patch is available, Microsoft recommends the following: Customer guidance for SharePoint vulnerability CVE-2025-53770 | MSRC Blog | Microsoft Security Response Center
• July 21, 2025: Microsoft patches are available. Here is the link to download them.

Additional recommendations from Streamscan

• Block the following network IOCs.
• Apply Microsoft patches
• Ensure that EDR is installed on your internal SharePoint server
• Set up geolocation to limit external connection attempts to your network.
• Ensure that your network security is actively monitored

What is Streamscan doing to protect you?

If you are a Streamscan partner and use our technologies or MDR monitoring service, please note that:

• We have set up a crisis unit to monitor developments related to this critical vulnerability. We will implement the appropriate response measures.
• The network IOCs involved in the attack are being monitored by our security tools: Streamscan XDR, Streamscan EDR, Streamscan IDS/IPS/NDR, etc.
• Our MDR security monitoring team remains vigilant while monitoring your network.

Need help? Talk to one of our experts or call us at +1 877 208-9040.