Latest news with #SharePointEnterpriseServer2016

Microsoft SharePoint hack: CERT-In flags ongoing threat, follow these steps to secure your systems

Indian Express

22-07-2025

CERT-In, India's nodal cybersecurity agency, has flagged multiple vulnerabilities in Microsoft SharePoint Server that have been actively exploited by hackers to access sensitive user data or compromise systems through spoofing attacks.

SharePoint Server 2019 and SharePoint Enterprise Server 2016 as well as the subscription edition of the platform deployed by organisations on-premises have been affected in the hack, according to a CERT-In advisory issued on Tuesday, July 22, with a 'Critical' severity rating.

SharePoint is a web-based collaboration and document management platform developed by Microsoft. It allows organisations to create, manage, and share content and applications in a centralised environment.

All end-user organisations and individuals using affected Microsoft SharePoint Server installations are at risk of unauthorized access to sensitive data, remote code execution, and potential disruption of services, the cybersecurity watchdog said.

'A remote attacker could exploit these vulnerabilities by sending specially crafted requests to the targeted system. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, access sensitive data, or perform spoofing attacks on the targeted system,' CERT-In said, adding that the vulnerabilities are being actively exploited in the wild.

CERT-In has published Vulnerability note on its website (22-07-2025) Multiple vulnerabilities in Microsoft SharePoint Server https:// — CERT-In (@IndianCERT) July 22, 2025

The warning comes a day after researchers on Monday, July 21, uncovered a sweeping cyber espionage operation targeting Microsoft server software that has resulted in at least 100 organisations being compromised, according to a report by Reuters. Most of the affected organisations are located in the United States and Germany, as per the Shadowserver Foundation, a California-based non-profit cybersecurity organisation.

Microsoft on July 19 issued an alert about 'active attacks' on self-hosted SharePoint servers. However, SharePoint instances run off of Microsoft servers were unaffected.

'Attackers were able to exploit the flaw, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Servers, which include both a validationKey and a decryptionKey. These details can be used by attackers to create specially crafted requests that could be used to gain unauthenticated remote code execution,' Satnam Narang, Senior Staff Research Engineer at Tenable, said in a statement to

It is not clear who is behind the ongoing 'zero-day' attack, which is a hack that is carried out by exploiting a vulnerability that was previously undisclosed. However, Google researchers have tied at least some of the hacks to a 'China-nexus threat actor.'

In response, Microsoft has rolled out security updates and CERT-In, in its advisory, encouraged customers to install them in order to address the vulnerabilities.

According to Narang, organisations can find out if their systems have been compromised in the hack by searching for indicators such as 'a file created on the vulnerable servers called

In addition to applying the security updates, CERT-In suggested the following mitigation measures for affected organisations:

– Rotate the MachineKey values (ValidationKey and DecryptionKey) after applying the updates to invalidate any compromised credentials.
– Enable AMSI (Antimalware Scan Interface) integration in SharePoint to enhance detection of malicious activity.
– Deploy Microsoft Defender Antivirus or a compatible endpoint protection solution with updated signatures.
– Scan SharePoint directories (e.g., LAYOUTS folder) for unauthorized ASPX files such as
– Monitor systems for suspicious process activity such as spawning or
– Restrict external access to on-premises SharePoint servers where feasible until patched.