Stop what you’re doing and pay urgent attention: if your small business is running an on-premises SharePoint server, it’s time to take action! A dangerous SharePoint zero-day vulnerability is out in the wild, and it’s already hitting companies hard. Over 75 organizations have been compromised as of now. The attack abuses a Remote Code Execution (RCE) flaw, meaning hackers can completely hijack your server without needing to log in. This isn’t abstract cybersecurity doom-speak: it’s real, it’s active, and your on-prem servers may already be at risk if you haven’t taken immediate action.
This vulnerability, tracked as CVE-2025-53770 and CVE-2025-53771, is being exploited right now, and Microsoft hasn’t released full patches for all affected versions yet. A detailed breakdown was reported by BleepingComputer in their SharePoint alert coverage. If you’re still hosting SharePoint on your own servers (rather than using Microsoft’s cloud version), you’ve got work to do. Let’s walk through what this means for your business and what to do right now.
What Small Businesses Must Know About the SharePoint Zero-Day Threat
This SharePoint zero-day vulnerability is a ticking time bomb for on-prem environments. If you’re running SharePoint 2016, 2019, or even the Subscription Edition, your systems could already be compromised. Attackers are using this exploit to execute malicious code straight on your servers. Imagine someone sitting at your computer, able to run whatever they want without your permission. Small businesses often don’t have deep IT resources or dedicated cybersecurity teams, which makes them a prime target for these kinds of attacks.
Here’s the good news: if you’re using SharePoint Online, which is Microsoft’s cloud-based version, you’re safe from this specific threat. But if any of your systems run on-premises SharePoint, you need to act fast. Speaking from experience, many small businesses still keep some legacy systems in-house for compliance or cost reasons. That’s understandable, but it also means you’re part of the vulnerable crowd. Let’s make sure you’re not next on the attackers’ list.
How the Vulnerability Works (No Tech Degree Needed)
The SharePoint zero-day flaw is a so-called “remote code execution” (RCE) vulnerability. That’s a mouthful, but here’s the plain English version: a hacker sends a specially crafted web request to your SharePoint server, and if it’s vulnerable, they get to run whatever programs they want on your machine. No login, no warning bells, just boom, you’re owned.
What’s making this even scarier is that this is being actively abused as of July 18, 2025. If you’re not running up-to-date monitoring or logging, you might have already been compromised and not even know it. These kinds of attacks like to stay quiet until your data gets stolen or your employees click on invoices they didn’t send. The tell? Odd behavior like strange logins, sluggish server performance, or antivirus alerts that magically stop after a day. That’s not luck, that’s someone trying to stay hidden.
Mitigation Tips While You’re Waiting on Full Patches
Until Microsoft drops patches for all affected versions, there are steps you can take right now to reduce the risk. First, make sure you’ve enabled something called AMSI, Antimalware Scan Interface, on your SharePoint servers. It works with your antivirus to scan scripts and catch fishy behavior before damage happens. If you can, install Microsoft Defender for Endpoint (yeah, it’s a mouthful, but it’s a solid line of defense). This will give you better visibility into what’s happening on your servers in real time.
If AMSI can’t be enabled for some reason, such as policy restrictions or legacy server configurations, then you’ve got a harder (but safer) option: fully disconnect your SharePoint server from the internet. That means no public access until the patch is out. It’s drastic, sure, but sometimes you’ve got to move fast to stay alive. Better some temporary downtime than permanent data loss.
Where to Find Updates and What to Do Next
If you’re running SharePoint Subscription Edition, you’ve got a head start; Microsoft has already released a security update. Head over to your admin center and apply the July 2025 update package immediately. For SharePoint 2016 and 2019, updates are coming “soon,” which, from my experience, usually means within a week or two. Set a reminder, check Microsoft’s update catalog every morning, and don’t push it off. This is the kind of patch that jumps to the top of your task list.
Beyond just applying patches, take these bonus steps: rotate your ASP.NET machine keys (the keys ASP.NET uses to sign and encrypt data such as ViewState; if an attacker has already stolen them, they stay useful until the keys are changed) and restart IIS, the service that runs your web server. That might sound too technical, so if you’re unsure, get your IT folks or MSP (Managed Service Provider) to follow up. They’ll know what that means. Even a temporary consultation could save you from bigger problems later.
Spotting the Signs: How to Detect a SharePoint Zero-Day Breach
Wondering if you’ve already been compromised by this SharePoint zero-day? One good sign to look for is strange POST requests to pages like the following in your server logs.
/_layouts/15/ToolPane.aspx?DisplayMode=Edit
Those requests don’t normally show up much unless someone is messing with web parts in SharePoint Designer or scripting an exploit. Even if you’ve never looked at logs before, now’s a good time to start. It’s like checking video security tapes after a break-in.
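Here is an added example of that log check (it is not part of the original post): a small Python script that reads IIS W3C log lines and flags POST requests to ToolPane.aspx whose query string carries DisplayMode=Edit. The log excerpt inside it is constructed sample data, not real traffic, and the field order assumes the default IIS W3C layout declared by the #Fields header.

```python
"""Flag POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit in IIS W3C logs.
Added example, not from the original post. The log lines below are constructed."""
from urllib.parse import parse_qs

# Constructed sample IIS log excerpt (not real traffic); field names come from the #Fields header.
# IIS replaces spaces inside values with '+', so splitting on whitespace is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.23 Mozilla/5.0 200 120
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 Mozilla/5.0 200 310
2025-07-19 03:13:05 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.31 Mozilla/5.0 200 95
2025-07-19 03:14:22 10.0.0.5 POST /_LAYOUTS/15/toolpane.aspx foo=1&DisplayMode=Edit 443 - 198.51.100.7 curl/8.0 200 250
"""

def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that do not match the declared layout
        yield dict(zip(fields, parts))

def is_toolpane_edit_post(rec):
    """True for a POST to /_layouts/15/ToolPane.aspx whose query has DisplayMode=Edit.
    IIS paths are case-insensitive, so the comparison is done on lowercased values."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    if not rec.get("cs-uri-stem", "").lower().endswith("/_layouts/15/toolpane.aspx"):
        return False
    query = rec.get("cs-uri-query", "-")
    params = parse_qs(query if query != "-" else "")
    return any(v.lower() == "edit"
               for k, vs in params.items() if k.lower() == "displaymode" for v in vs)

def find_suspicious(text):
    """Return (timestamp, client IP, username, HTTP status) for every matching request.
    A username of '-' means the request was unauthenticated, which matches a no-login exploit."""
    return [(f"{r['date']} {r['time']}", r["c-ip"], r["cs-username"], r["sc-status"])
            for r in parse_iis_log(text) if is_toolpane_edit_post(r)]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious ToolPane POST:", hit)
```

Point it at the real files under C:\inetpub\logs\LogFiles\W3SVC*\ by reading each file into a string and passing it to find_suspicious; a normal GET from a signed-in user editing a page is deliberately not flagged.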
Also, keep an eye on your SIEM, if you’re using one (that’s a fancy log monitoring tool), and definitely monitor your antivirus alerts. CISA (the Cybersecurity and Infrastructure Security Agency) has already published some known malicious IP addresses tied to this exploit; block them if you run a firewall or manage DNS filtering. This is about spotting the attack before it does too much damage, or catching it in progress while you can still fight back.
Your SMB Action Plan: Stay One Step Ahead
If you’re a small business owner, here’s what you need to do: start by identifying whether you even have on-prem SharePoint servers. It’s surprising how many folks are running them and don’t realize it. Maybe it was installed years ago by a vendor or used for a project that’s still hanging around. Next, apply the mitigations we talked about: enable antivirus integrations like AMSI, limit outside access, and disconnect if it comes to it.
Segment those servers using a DMZ (demilitarized zone) network layout if you can; basically, don’t let those servers talk too much with the rest of your systems. If an attacker does get through, you want limits on where they can go from there. Also, this might be the most critical part: test your backups. Not just that they’re running, but that you can restore from them. If you get hit and your only recovery option fails… that’s game over. Educate your team, too, and make sure employees know to report suspicious alerts and vendor updates ASAP.
Building Long-Term Resilience Against Future Zero-Days
This likely won’t be the last SharePoint zero-day we see, and honestly, it’s just one of many lurking under the surface in various on-premises systems. If your business is sticking with self-hosted software, plan to invest in layered protection: strong endpoint security, DNS filtering, user education, and proper logging go a long way. And consider moving mission-critical parts of your collaboration stack to SaaS (software-as-a-service) platforms when possible. The cloud’s not perfect, but Microsoft shoulders the patching burden a lot faster when it controls the hosting.
If you’re overwhelmed or stretched thin, you’re not alone; plenty of small businesses don’t have a dedicated cybersecurity department. But you can still set up basic security hygiene. Even things like multi-factor authentication (MFA), timely patching schedules, and limiting admin permissions go a long way. Long story short: don’t wait for the next breach story in the news to take action. You’ve got tools, support, and knowledge now, so make them count.
If you’ve read this far and still haven’t checked your SharePoint setup, go do that right now. This SharePoint zero-day issue is not going to wait politely while you finish your coffee. If you’re unsure what version you’re running, ask your IT provider or log in to your central admin dashboard. Being proactive now could spare you some major headaches later.