Critical Threat Intelligence & Advisory Summaries

Active exploitation of vulnerability affecting Microsoft Office SharePoint Server products in the UK

Microsoft has published a security advisory detailing a vulnerability affecting on-premises SharePoint Server instances. Microsoft and the NCSC are aware that an exploit for this vulnerability exists in the wild and have observed active attacks.

What has happened?

Microsoft has published a security advisory detailing a vulnerability affecting on-premises SharePoint Server instances.

 

This vulnerability allows an attacker to remotely execute arbitrary code via the deserialisation of untrusted data. A separate vulnerability, CVE-2025-53771, allows this attack to be performed while bypassing authentication.

 

Microsoft and the NCSC are aware that an exploit for this vulnerability exists in the wild and have observed active attacks targeting on-premises SharePoint Server customers, including a limited number in the UK.

 

 

Who is affected?

 

Organisations using the following on-premises SharePoint products are affected:

 

- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016

What should I do?

The NCSC recommends following vendor best practice advice to mitigate vulnerabilities. In this case, Microsoft has released security updates that fully protect organisations using SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016 against the risks posed by CVE-2025-53770 and a related vulnerability, CVE-2025-53771. These updates should be applied immediately to ensure installations are protected.

 

In addition to applying the specific security update for your version of SharePoint, Microsoft also recommends taking the following steps to mitigate potential attacks:

 

1. Use supported versions of on-premises SharePoint Server.

2. Ensure the Anti-malware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution such as Defender Antivirus.

3. Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions.

4. Rotate SharePoint Server ASP.NET machine keys.

 

Detailed guidance for each step, as well as for detection, protection and hunting, is provided on Microsoft’s website.

 

If you believe you have been compromised and are in the UK, you should report it to the NCSC.

 

Further NCSC resources

 

The NCSC provides a range of free guidance, services and tools that help to secure systems. 

 

- Follow NCSC guidance including vulnerability management and preventing lateral movement.
- If your organisation is in the UK, you can sign up to the free NCSC Early Warning service to receive notifications of potential threats on your network.
- The NCSC Vulnerability Disclosure Toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.


PUBLISHED
22 July 2025
