
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-53771 is a spoofing vulnerability in Microsoft SharePoint Server that allows an authorized attacker to perform spoofing over a network through improper limitation of a pathname to a restricted directory ('path traversal'). This vulnerability was discovered alongside CVE-2025-53770 and has been actively exploited in the wild since July 18, 2025. The vulnerability affects on-premises SharePoint servers, including SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016, while SharePoint Online in Microsoft 365 is not impacted (Microsoft Blog, Wiz Blog).
CVE-2025-53771 has been assigned a CVSS score of 6.3 and is characterized as a header spoofing vulnerability in SharePoint's request handling. The vulnerability allows attackers to bypass authentication by crafting a request that mimics a legitimate SharePoint workflow using a forged Referer header. The vulnerability is often chained with CVE-2025-53770 in the 'ToolShell' exploit chain, where CVE-2025-53771 enables unauthenticated access through auth bypass. This vulnerability is a bypass of the fix for the earlier CVE-2025-49706 (Wiz Blog, Trend Micro).
The vulnerability enables attackers to bypass authentication mechanisms and perform spoofing attacks over a network. When chained with CVE-2025-53770, it creates a critical attack vector that allows unauthenticated remote code execution on affected SharePoint servers. According to security researchers, at least 85 servers worldwide have been compromised, including several multinational corporations and national government entities (Bleeping Computer).
Microsoft has released security updates that address both CVE-2025-53771 and CVE-2025-53770. The patches include KB5002768 for SharePoint Server Subscription Edition, KB5002754 for SharePoint Server 2019, and KB5002760 for SharePoint Server 2016. For systems that cannot immediately apply patches, Microsoft recommends enabling AMSI (Antimalware Scan Interface) in Full Mode, deploying Microsoft Defender for Endpoint protection, and rotating SharePoint Server ASP.NET machine keys. If AMSI cannot be enabled, servers should be disconnected from the internet until patches can be applied (Microsoft Blog, Bleeping Computer).
CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, giving federal agencies one day to apply patches when released. CISA's Acting Executive Assistant Director for Cybersecurity Chris Butera stated they are working with Microsoft to help notify potentially impacted entities about recommended mitigations (Bleeping Computer).
Source: This report was generated using AI