Microsoft has released security patches for two critical SharePoint zero-day vulnerabilities that have already been exploited by hackers. Fixes are available for SharePoint Server Subscription Edition and SharePoint Server 2019, while a patch for SharePoint Server 2016 is still in development.

The two vulnerabilities, identified as CVE-2025-53771 and CVE-2025-53770, affect only on-premises versions of SharePoint and do not impact organizations using the cloud-based SharePoint Online.

CVE-2025-53771 is rated important and is defined as a spoofing vulnerability in SharePoint Server: it allows attackers to impersonate legitimate trusted users and resources within a SharePoint environment. CVE-2025-53770 is rated critical and is a remote code execution vulnerability in SharePoint Server that could allow hackers to execute arbitrary code remotely on a SharePoint environment.

Trey Ford, chief information security officer (CISO) of crowdsourced cybersecurity provider Bugcrowd, told ZDNET: “CVE-2025-53770 gives threat actors the ability to execute code remotely, circumventing identity protections (such as single sign-on and multi-factor authentication) and accessing content on a SharePoint server, including configuration and system files. It could also allow lateral access across a Windows domain.” The combination of these two vulnerabilities allows cybercriminals to install malicious programs in a SharePoint environment and compromise the system.
And in fact, such attacks are already occurring. Federal and state government agencies, universities, energy-related companies, and others in the United States have already been attacked by hackers, state officials and private researchers told The Washington Post. Researchers say that the SharePoint servers of at least two US federal agencies have been compromised. One state official also said that the attackers “hijacked” documents that help understand how the government works.

Why did Microsoft leave these security flaws alone until the situation became so serious? The company tried to fix both the spoofing and remote code execution vulnerabilities in SharePoint Server in its Patch Tuesday release of July 8 (CVE-2025-49706, CVE-2025-49704, CVE-2025-49701). However, these fixes apparently did not work completely and were circumvented by a skilled hacker. Here’s hoping that the new patch works properly. In its FAQs for many CVEs, Microsoft explains that “the update for CVE-2025-53770 provides more robust protection than the update for CVE-2025-49704, and the update for CVE-2025-53771 also provides more robust protection than the update for CVE-2025-49706.”

The question of why a company like Microsoft would continue to expose its customers to such security flaws persists. The underlying issue is the increasing complexity of different customer environments. Ford writes that “patches are rarely fully comprehensive, and the code base is highly complex and has many different implementations.” He adds that “this makes the test harness and regression testing process extremely complex. In an ideal world, everyone would be running the latest version of the code fully patched. But that’s not realistic, so feature development must be tested across an exponentially expanding surface area of complexity.”

A day before Microsoft rolled out the new patch on the 20th, security firm Eye Security warned about a vulnerability in SharePoint.
“On the evening of July 18, 2025, Eye Security first identified a new SharePoint remote code execution (RCE) vulnerability chain being exploited at scale,” the company said. It added, “The exploit, which was demonstrated on ‘X’ a few days ago, is being used to target on-premise SharePoint servers around the world. Our team scanned over 8,000 SharePoint servers around the world before the vulnerability was made public last Friday, and we observed dozens of systems being actively compromised in two waves of attacks, at approximately 18:00 UTC on July 18 and 07:30 UTC on July 19.” Eye Security has named the security flaw “ToolShell” and detailed how the attack could compromise SharePoint environments. Hackers could circumvent security protections to execute code remotely and gain access to SharePoint content, system files and configuration information.
Moreover, by stealing encryption keys, hackers can impersonate users and services even after the server has been patched. Because SharePoint is integrated with other Microsoft services such as Outlook, Teams, and OneDrive, hackers can move across the network to steal related passwords and data.

For organizations that run SharePoint Server, Microsoft has published the steps to fix this vulnerability. If you are using SharePoint Server Subscription Edition, you will need to visit a dedicated update page to download and install the patch. Organizations using SharePoint Server 2019 can access the corresponding patch by visiting a separate update page. Microsoft also advises taking several measures to protect against future attacks:

- Use a supported version of SharePoint Server.
- Ensure that you have the latest security patches installed, including the July patch.
- Ensure that the Windows Antimalware Scan Interface (AMSI) is enabled.
- Ensure that antivirus products such as Defender Antivirus are properly configured.
- Deploy security software such as Microsoft Defender for Endpoint.
- Regularly rotate the ASP.NET machine key for your SharePoint Server.

Currently, users of SharePoint 2016 are still at risk from the exploit.
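One way to script the last of those steps, the machine key rotation, as an added example that is not code from this article, from Microsoft or from Eye Security: it assumes the SharePoint Management Shell on a SharePoint Server 2019 or Subscription Edition farm, where the Update-SPMachineKey cmdlet is available, and farm administrator rights.

```powershell
# Added example, not the article's own code. Records the farm build so the patch
# level can be compared with Microsoft's July fixes, then rotates the ASP.NET
# machine key of every web application and restarts IIS. Assumes the SharePoint
# Management Shell cmdlets (Get-SPFarm, Get-SPWebApplication, Update-SPMachineKey)
# and that the account running it is a farm administrator.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the current farm build for the change log.
$farm = Get-SPFarm
Write-Host "Farm build before key rotation: $($farm.BuildVersion)"

# 2. Rotate the machine key on every web application. A key copied from the
#    server before patching keeps working until it is rotated, so every web
#    application gets a new key, not only the one exposed to the internet.
$rotated = @()
foreach ($webApp in Get-SPWebApplication) {
    try {
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        $rotated += $webApp.Url
        Write-Host "Rotated machine key for $($webApp.Url)"
    }
    catch {
        Write-Warning "Machine key rotation failed for $($webApp.Url): $_"
    }
}

# 3. The new key is only picked up once the IIS worker processes reload
#    web.config. Run iisreset on every server in the farm, not just this one.
iisreset.exe /noforce

Write-Host "Rotated $($rotated.Count) web application(s). Repeat iisreset on the other farm servers."
```

Rotating the key invalidates existing view state and forms authentication tickets, so expect users to sign in again after the restart.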
However, Microsoft is expected to provide a patch for this version soon. Therefore, you should continue to check the company’s guidance page for SharePoint customers for the latest updates.

Ford offers further advice to organizations that run SharePoint servers. “If you’re running your own services on-premise, you should ask yourself whether they really need to be exposed to the internet or accessible to untrusted third parties,” he said. He continued, “It’s always wise to reduce your attack surface, and you should minimise the number of hosts and services available to the general public, untrusted users, whenever possible.”

This article was edited for Japan by Asahi Interactive from an article published by Ziff Davis overseas.
Source: Yahoo