Critical Microsoft SharePoint Zero-Day Under Active Exploitation: Google Threat Experts Warn Immediate Action Required
A newly discovered Microsoft SharePoint vulnerability, designated CVE-2025-53770, is being actively exploited in the wild, with Google’s Threat Intelligence Group warning that attackers are using the flaw to implant webshells and steal sensitive cryptographic secrets from compromised servers.
Unlike typical vulnerabilities addressed via a routine patch, this zero-day poses a more complex challenge. Organisations running on-premises SharePoint instances exposed to the internet are at immediate risk, according to Charles Carmakal, CTO of Mandiant Consulting (Google Cloud). In guidance shared via LinkedIn, Carmakal stressed that applying mitigations immediately is critical, and that organisations should assume potential compromise has already occurred.
“This isn’t an ‘apply the patch and you’re done’ situation,” Carmakal advised. He emphasised a multi-step response: implement available mitigations now, patch as soon as Microsoft releases an update, investigate for signs of compromise, and remediate accordingly.
Microsoft has yet to release an official patch but is expected to issue an emergency out-of-cycle update in response to the active exploitation. Notably, Microsoft 365's SharePoint Online is not impacted.
The Google Threat Intelligence team has identified ongoing attacks where cybercriminals gain persistent, unauthenticated access, enabling long-term intrusion capabilities on victim networks. Organisations are urged to move quickly to mitigate potential damage.
The situation highlights the growing importance of real-time intelligence sharing between cloud providers and software vendors, as attackers increasingly target widely deployed enterprise platforms with zero-day exploits.