Sharepoint Zero Day, Immediate Action Required

This message is intended for U-M IT staff who are responsible for Microsoft Sharepoint systems at U-M. 

Summary

A zero-day vulnerability in Microsoft SharePoint is being actively exploited in the wild, allowing threat actors to gain access to SharePoint systems. All internet-exposed SharePoint systems must be taken offline until they can be updated. They should not be placed back in service without review/approval from IA.

These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.

Problem

A remote code execution (RCE) vulnerability gives unauthenticated threat actors access to SharePoint servers: full access to SharePoint content, including file systems and internal configuration, and the ability to execute code over the network. It can also allow the threat actor to gain persistence on the SharePoint system. Because SharePoint may be connected to other systems, this creates a risk to any system attached to that SharePoint instance.

Threats

This threat is being actively exploited in the wild. Palo Alto suggests assuming any SharePoint service that has been exposed to the internet in recent days is already compromised in some way (data accessed, persistence and other actions attempted, etc.).

Affected Versions

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016 (note: no patch available as of 7-21-2025)

These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.

Action Items

All units with a Sharepoint system should take the following steps:

  • All internet-exposed SharePoint systems must be taken offline until they can be updated. They should not be placed back in service without review/approval from IA.
  • All units running SharePoint should notify IA regardless of current status.
  • Units will need to tell IA if their SharePoint instance is exposed to access from the internet, the version, and whether it is patched and the keys have been rotated.
  • Units should follow the guidance in "Customer guidance for SharePoint vulnerability CVE-2025-53770" (Microsoft MSRC, 7-19-2025).

IA will help to ensure the latest guidance is followed and remediation steps are taken, and will also check for possible sensitive data exposure, before Sharepoint systems are put back online.

If you are using Sharepoint 2016, which does not have patches available yet, you will need to take your Sharepoint system offline until the vulnerability can be addressed. 

Patches that are available as of this notice:

Technical Details

Using ToolShell, threat actors can extract SharePoint's ValidationKey directly from memory or configuration, then use it to craft fully valid, signed __VIEWSTATE payloads. This allows the threat actor to create their own valid SharePoint tokens for RCE. Commands sent using this form of RCE are treated as trusted input and run without further authentication.
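The remediation side of this, as an added example that is not part of this notice or of Microsoft's guidance: a PowerShell script run on a SharePoint server after the security update is installed that records the farm build, rotates the ASP.NET machine keys for every web application (so anything signed under an extracted ValidationKey stops validating), and writes the version/rotation record that the Action Items ask units to report to IA. It assumes a farm administrator session on a patched server, that the Update-SPMachineKey cmdlet referenced in Microsoft's customer guidance is present on that build, and that IIS is restarted afterwards.

```powershell
# Added example, not from the U-M notice or Microsoft.
# Run elevated on a SharePoint server AFTER the security update is installed:
# rotating keys on an unpatched server is pointless, since they can be read again.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

$farm   = Get-SPFarm
$report = @()

foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $entry = [pscustomobject]@{
        WebApplication = $wa.Url
        FarmBuild      = $farm.BuildVersion.ToString()   # version IA asks for
        KeysRotated    = $false
        RotatedAt      = $null
    }
    try {
        # Assumption: Update-SPMachineKey is available on the patched build.
        # A new ValidationKey makes every __VIEWSTATE signed under the old key fail its MAC check.
        Update-SPMachineKey -WebApplication $wa -ErrorAction Stop
        $entry.KeysRotated = $true
        $entry.RotatedAt   = (Get-Date).ToString('o')
    } catch {
        Write-Warning "Key rotation failed for $($wa.Url): $($_.Exception.Message)"
    }
    $report += $entry
}

# Keep the record for the IA review that precedes putting the system back online.
$csv = Join-Path $env:ProgramData 'sharepoint-key-rotation.csv'
$report | Export-Csv -Path $csv -NoTypeInformation
$report | Format-Table -AutoSize

# Assumption: IIS must be restarted on every server in the farm so the new keys load.
iisreset
```

A web application whose row still shows KeysRotated = False has not been remediated and should stay offline.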

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon is able to detect and prevent some intrusions by threat actors attempting to exploit this Sharepoint vulnerability. While this may assist unit IT staff and IA during remediation efforts, Action Items above must still be followed.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.