Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2025-53771
CVE-2025-53771:
vulnerability analysis and mitigation
Overview
CVE-2025-53771 is a spoofing vulnerability in Microsoft SharePoint Server that allows an unauthorized attacker to perform spoofing over a network. This vulnerability, with a CVSS score of 6.3 (Medium), was discovered in July 2025 and affects on-premises SharePoint Server deployments. It is a bypass variant of the previously patched vulnerability CVE-2025-49706 (Microsoft Blog, Wiz Blog).
Technical details
The vulnerability stems from a header spoofing flaw in SharePoint's request handling system. By forging the Referer header to '/_layouts/SignOut.aspx', an attacker can make SharePoint treat unauthorized requests as authenticated. This vulnerability is often chained with CVE-2025-53770 in the 'ToolShell' exploit chain to achieve remote code execution. The vulnerability has a CVSS v3.1 Base Score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) (NVD, Orca Security).
Impact
When exploited, this vulnerability allows attackers to bypass authentication mechanisms in SharePoint Server, potentially leading to unauthorized access to sensitive information and system resources. When chained with CVE-2025-53770, it enables attackers to achieve unauthenticated remote code execution on affected systems (Trend Micro).
Mitigation and workarounds
Microsoft has released security updates to address this vulnerability: KB5002768 for SharePoint Server Subscription Edition, KB5002754 for SharePoint Server 2019, and KB5002760 for SharePoint Server 2016. For systems that cannot immediately apply patches, Microsoft recommends enabling AMSI in Full Mode and rotating SharePoint Server ASP.NET machine keys. If AMSI cannot be enabled, affected servers should be disconnected from the internet until patches can be applied (Microsoft Blog).
Community reactions
The cybersecurity community has responded quickly to this threat, with CISA adding the related CVE-2025-53770 to its Known Exploited Vulnerabilities catalog. Security researchers from various organizations have published detailed analyses and detection methods. According to Orca Security, approximately 13% of cloud environments run vulnerable self-hosted SharePoint components, with 6% directly exposed to the internet (Orca Security).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management