New SharePoint Security Flaw Exposes Businesses
- SystemsCloud

- Jul 21
A new critical zero-day vulnerability in Microsoft SharePoint Server is being actively exploited in a global cyberattack campaign. Tracked as CVE-2025-53770, the flaw has already been used to compromise over 85 servers across 54 organisations, including governments, multinational firms and banks.
The flaw allows attackers to run malicious code remotely without any login or authentication, and no official patch currently exists.

If your business relies on SharePoint for document storage or internal collaboration, here’s what you need to know and why some SMEs are moving towards VDI (Virtual Desktop Infrastructure) instead.
What Is CVE-2025-53770 and Why It Matters
Dubbed “ToolShell”, the exploit allows attackers to:
- Execute remote code without login credentials
- Install persistent backdoors (web shells)
- Steal cryptographic keys from your SharePoint server
- Forge tokens to stay inside your system — even after updates are applied
Unlike previous vulnerabilities, this exploit bypasses authentication entirely. It is a variant of a spoofing flaw (CVE-2025-49706) previously patched, but this version is new and unpatched.

🔒 Who’s Affected?
✅ NOT affected: Microsoft 365 users using SharePoint Online
❌ At risk: On-premises Microsoft SharePoint Server (any version still in use internally)
❗️Especially at risk: Servers exposed to the internet, or not running antivirus with AMSI (Antimalware Scan Interface)
Eye Security, the Dutch firm that first observed the attacks, warned that attackers are “moving quickly using this RCE vulnerability” and targeting government and private-sector infrastructure alike.
⚠️ What SMEs Should Know and Do Now
Many small to mid-sized businesses are still running local SharePoint servers, often inherited from older IT builds, under the assumption they’re “secure because they’re internal.” This exploit disproves that.
If you're in that group:
🔧 Microsoft’s Recommendations (as of 15 July 2025):
- Immediately enable AMSI (Antimalware Scan Interface) on all SharePoint Servers
- Deploy Microsoft Defender Antivirus with real-time scanning
- Disconnect servers from the internet if AMSI cannot be configured
- Monitor systems for suspicious file uploads, unknown processes or outbound connections
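One way to run the Defender and monitoring checks above on a SharePoint server, added here as an example and not Microsoft's or this post's own tooling. `$WebRoot` and `$Days` are assumed parameters you supply, and treating the IIS worker process (`w3wp`) as the parent to watch is an assumption about a typical IIS-hosted SharePoint farm.

```powershell
# Added example: defensive triage for an on-premises SharePoint server.
# Run from an elevated PowerShell session on the server itself.
param(
    [Parameter(Mandatory)] [string] $WebRoot,  # assumption: folder IIS serves SharePoint pages from
    [int] $Days = 14                           # assumption: look-back window in days
)

# 1. Is Defender present and is real-time scanning actually on?
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled   = $mp.AntivirusEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    SignaturesUpdated  = $mp.AntivirusSignatureLastUpdated
} | Format-List

# 2. Suspicious uploads: server-side script files created or changed recently.
#    Product updates also touch these files, so compare hits against change records.
$cutoff = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path $WebRoot -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff } |
    Sort-Object LastWriteTime -Descending |
    Format-Table FullName, CreationTime, LastWriteTime, Length -AutoSize

# 3. Unknown processes: anything started by an IIS worker process.
#    A web server rarely needs to launch shells or script hosts.
$w3wp = @(Get-Process -Name w3wp -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Id)
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $w3wp -contains $_.ParentProcessId } |
    Format-Table ProcessId, Name, CreationDate, CommandLine -Wrap

# 4. Outbound connections owned by the worker processes.
#    Expect the database server and farm peers; review anything else.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object {
        $w3wp -contains $_.OwningProcess -and
        $_.RemoteAddress -notin '127.0.0.1', '::1'
    } |
    Sort-Object RemoteAddress, RemotePort |
    Format-Table RemoteAddress, RemotePort, OwningProcess -AutoSize
```

Empty output from steps 2 to 4 only means nothing matched these heuristics at the time of the run; it does not show the server is clean.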
Even cloud-based SharePoint setups depend heavily on correct admin configurations. One misstep can leave sensitive client documents, HR records, or financial data exposed.

🔄 Should SMEs Still Be Using SharePoint On-Prem?
The real issue here isn’t just one vulnerability, it’s the growing maintenance burden of keeping complex, locally hosted systems patched, monitored, and secure.
For smaller teams with limited IT resource, SharePoint can quickly become a liability, especially when:
- Patch management is delayed
- Antivirus isn’t integrated with the SharePoint server
- Users sync local copies of sensitive files to devices
- Access is shared externally via email links or guests
💡 Why VDI Might Be the Safer, Simpler Option
While SharePoint is a common collaboration tool, many businesses don’t realise they’re taking on unnecessary complexity and risk — especially when users access files from unmanaged devices.
VDI (Virtual Desktop Infrastructure), especially when delivered via a managed provider, creates a controlled, secure digital workspace where:
- Users access files and apps through a secure desktop session
- Nothing is stored locally on devices
- All activity remains inside a centralised environment
- Access controls and permissions are easier to enforce
- Vulnerabilities in file-sharing systems (like SharePoint) are no longer a direct threat
🆚 SharePoint vs. VDI: A Quick Comparison
For SMEs dealing with sensitive data (law, finance, property, healthcare), VDI — where staff work in a controlled, secure hosted desktop — offers more protection:
| Feature | SharePoint | VDI |
| --- | --- | --- |
| File Access | Web-based, syncs to devices | Accessed within secure desktop |
| Security Risk | Exposed to external login vulnerabilities | Files and apps never leave server |
| Device Control | Depends on user machine security | Full control over session environment |
| User Experience | Familiar document management | Full Windows desktop or app portal |
| Ransomware Risk | High if synced locally | Minimal if properly isolated |
| Setup Complexity | Needs configuration, admin training | Managed VDI can be provisioned quickly |
What Now?
If you're unsure which SharePoint version you’re using or whether AMSI is even enabled, speak to your IT provider immediately.
And if you’re still using on-premises file systems or hybrid storage models, now is the time to rethink them. VDI or secure cloud workspaces offer better:
- Access control
- Device isolation
- Centralised management
- Resilience to zero-day threats like CVE-2025-53770
The Bottom Line
SharePoint is widely used and can be powerful, but it’s only as secure as its configuration, patching, and user behaviour.
If your business deals with sensitive files, regulated industries, or remote work, moving to Microsoft 365 with cloud-native SharePoint or a secure VDI setup removes this entire class of risk, especially when combined with backup, MFA, and endpoint security.
As threats like CVE-2025-53770 continue to surface, now might be the time to ask: Are you prioritising ease, or security?
If you'd like to evaluate your current setup or explore safer options, our team is here to help.







