Microsoft patches under-attack SharePoint 2019 and SE • The Register

Microsoft is releasing out-of-band security updates for SharePoint Server 2019 and SharePoint Server Subscription Edition, following a warning that vulnerable versions were now under attack.

The fixes are related to CVE-2025-53770, a remote code execution vulnerability, and CVE-2025-53771, a path traversal vulnerability.

Microsoft has advised administrators of on-premises SharePoint Server 2019 and SharePoint Server Subscription Edition to apply the fixes immediately. SharePoint Server 2016 is also affected, but has yet to receive its fixes. At the time of writing, Microsoft said it was “actively working on updates.”

The company has not elaborated on why the security patches issued earlier in July only “partially addressed” the issues. As previously reported, SharePoint Online is not affected. It appears that attackers were able to bypass Microsoft’s July fix, resulting in the discovery of two new zero-day vulnerabilities.

As well as instructing administrators to ensure their servers are up to date and patched, Microsoft has also said that the Antimalware Scan Interface (AMSI) integration in SharePoint should be set to Full Mode and that admins should deploy Defender Antivirus to all SharePoint Servers to “stop unauthenticated attackers from exploiting this vulnerability.”

AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016 / 2019, as well as the 23H2 update for SharePoint Server Subscription Edition.

However, if AMSI can’t be enabled, Microsoft’s advice is blunt: “We recommend you consider disconnecting your server from the internet until a security update is available.”

As vulnerabilities go, this is a particularly bad one. If an attacker were able to gain access to an organization’s SharePoint, then there is a very good chance that, due to the interconnected nature of the service, they will also be able to access other data. In addition, simply installing the patches (currently only for SharePoint Server 2019 and Subscription Edition) won’t necessarily solve the problem; hence, the instruction to “Rotate SharePoint Server ASP.NET machine keys.”

Talking to Forbes, Michael Sikorski, head of threat intelligence for Unit 42 at Palo Alto Networks, said, “If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point.” ®
