Severity
High
Analysis Summary
CISA has issued an urgent alert regarding CVE-2025-53770, a critical zero-day remote code execution (RCE) vulnerability affecting on-premises Microsoft SharePoint Server installations. This vulnerability is actively being exploited in the wild, posing an immediate and severe threat to organizations, especially those with public-facing SharePoint environments. Tracked under CWE-502, the flaw arises from the deserialization of untrusted data, enabling attackers to craft malicious payloads that, once processed by the SharePoint server, lead to arbitrary code execution without requiring user authentication.
The affected versions include Microsoft SharePoint Server Subscription Edition, 2019, and 2016 (all on-premises). With a CVSS score (Critical), this vulnerability allows attackers to remotely execute code as long as the vulnerable server is reachable over the network; no valid credentials are required. Due to the zero-day nature of the exploit, adversaries were already weaponizing this vulnerability before Microsoft released security patches, giving them a significant head start in targeting exposed systems.
In response to this active exploitation, CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities Catalog on July 20, 2025, mandating remediation by July 21, 2025, for federal agencies. Organizations are advised to enable Antimalware Scan Interface (AMSI) integration and deploy Microsoft Defender Antivirus across all SharePoint servers. If AMSI cannot be enabled, CISA strongly recommends disconnecting public-facing SharePoint servers from the internet to reduce risk exposure until proper patches or mitigations are available.
Due to the high risk and the nature of exploitation, organizations not in a position to apply mitigations immediately are urged to consider halting use of the affected products entirely. In addition to compliance with Binding Operational Directive BOD 22-01, CISA’s guidance underscores the urgency and potential for widespread compromise, hinting at possible links to broader campaigns, though specific ransomware involvement has not yet been confirmed. All organizations running SharePoint on-premises should prioritize mitigation to protect against this critical threat.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-53770
Affected Vendors
- Microsoft
Affected Products
- Microsoft SharePoint Server Subscription Edition (on-premises)
- Microsoft SharePoint Server 2019 (on-premises)
- Microsoft SharePoint Server 2016 (on-premises)
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
- Enable Antimalware Scan Interface (AMSI) within all SharePoint Server environments.
- Ensure Microsoft Defender Antivirus is installed and active on all SharePoint servers.
- If AMSI cannot be enabled, immediately disconnect any internet-facing SharePoint servers to prevent exploitation.
- Limit access to SharePoint servers to trusted internal networks only.
- Continuously review logs and endpoint telemetry for unusual behavior related to SharePoint processes.
- As soon as an official patch or mitigation is released by Microsoft, apply it without delay.
- Federal agencies must comply with BOD 22-01 by meeting the remediation deadline and adhering to mitigation protocols.
- If mitigation steps cannot be taken, consider halting the use of affected SharePoint products until a security update is available.
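A posture check that covers the AMSI, Defender and log-review steps above, added here as an example and not part of the advisory. It assumes Microsoft Defender Antivirus is the antivirus in use, that Security event 4688 (process creation) auditing is enabled, that SharePoint runs inside the IIS worker process w3wp.exe, and that the SharePoint AMSI feature identity (a placeholder below) is taken from Microsoft's documentation, since the advisory does not state it.

```powershell
# Added example (not from the advisory): posture check for the remediation steps above.
# Run in an elevated SharePoint Management Shell on each on-premises SharePoint server.
# Assumptions: Microsoft Defender Antivirus is the AV in use, and Security event 4688
# (process creation) auditing is enabled so parent/child process lineage is logged.

# Placeholder: take the feature identity from Microsoft's "Configure AMSI integration
# with SharePoint Server" documentation; the advisory above does not state it.
$AmsiFeatureId = '<SharePoint Server Antimalware Scanning feature GUID>'

# 1. Defender must be installed, running in normal (active) mode, with real-time protection on.
$mp = Get-MpComputerStatus
$defenderOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $mp.AMRunningMode -eq 'Normal'
"Defender active with real-time protection: $defenderOk (signatures updated $($mp.AntivirusSignatureLastUpdated))"

# 2. The AMSI integration feature must be active on every web application, Central Admin included.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    # Get-SPFeature returns the feature only when it is activated on that web application.
    $enabled = [bool](Get-SPFeature -Identity $AmsiFeatureId -WebApplication $wa -ErrorAction SilentlyContinue)
    "AMSI feature on $($wa.Url): $enabled"
}

# 3. Telemetry review: the IIS worker process hosting SharePoint (w3wp.exe, assumed) should
#    not spawn shells or script hosts. A match warrants incident-response follow-up, not just patching.
$since = (Get-Date).AddDays(-7)
$suspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'cscript.exe', 'wscript.exe'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's EventData into a name -> value table.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d.ParentProcessName -like '*\w3wp.exe' -and
            ($suspiciousChildren -contains [IO.Path]::GetFileName($d.NewProcessName))) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Parent  = $d.ParentProcessName
                Child   = $d.NewProcessName
                Command = $d.CommandLine   # populated only if command-line auditing is enabled
            }
        }
    } | Format-Table -AutoSize
```

Step 3 depends on the "Include command line in process creation events" audit policy for the Command column; without it, the parent/child pairing still works but the command line is empty.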