CERT-In, India’s nodal cybersecurity agency, has flagged multiple vulnerabilities in Microsoft SharePoint Server that have been actively exploited by hackers to access sensitive user data or compromise systems through spoofing attacks.
SharePoint Server 2019, SharePoint Enterprise Server 2016 and the on-premises SharePoint Server Subscription Edition are affected, according to a CERT-In advisory issued on Tuesday, July 22, which carries a ‘Critical’ severity rating.
SharePoint is a web-based collaboration and document management platform developed by Microsoft. It allows organisations to create, manage, and share content and applications in a centralised environment.
All end-user organisations and individuals using affected Microsoft SharePoint Server installations are at risk of unauthorised access to sensitive data, remote code execution, and potential disruption of services, the Indian cybersecurity watchdog said.
“A remote attacker could exploit these vulnerabilities by sending specially crafted requests to the targeted system. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, access sensitive data, or perform spoofing attacks on the targeted system,” CERT-In said, adding that the vulnerabilities are being actively exploited in the wild.
CERT-In has published Vulnerability note on its website (22-07-2025)
Multiple vulnerabilities in Microsoft SharePoint Server https://t.co/4F7p2vqbNW pic.twitter.com/4P0DmhHkCK
— CERT-In (@IndianCERT) July 22, 2025
The warning comes a day after researchers on Monday, July 21, uncovered a sweeping cyber espionage operation targeting Microsoft server software that has resulted in at least 100 organisations being compromised, according to a report by Reuters.
Most of the affected organisations are located in the United States and Germany, as per the Shadowserver Foundation, a California-based non-profit cybersecurity organisation. Microsoft issued an alert on Saturday, July 19, about “active attacks” on self-hosted SharePoint servers. SharePoint instances hosted on Microsoft’s own cloud servers were unaffected.
“Attackers were able to exploit the flaw, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Servers, which include both a validationKey and a decryptionKey. These details can be used by attackers to create specially crafted requests that could be used to gain unauthenticated remote code execution,” Satnam Narang, Senior Staff Research Engineer at cybersecurity firm Tenable, said in a statement.
It is not clear who is behind the ongoing ‘zero-day’ attack, an attack that exploits a vulnerability that was unknown to the vendor, and therefore unpatched, at the time it was used. However, Google researchers have tied at least some of the instances to a “China-nexus threat actor.”
In response, Microsoft has rolled out security updates and CERT-In, in its advisory, encouraged customers to install them in order to address the vulnerabilities. According to Narang, organisations can find out if their systems have been compromised in the SharePoint hack by keeping an eye out for indicators such as “a file created on the vulnerable servers called spinstall0.aspx.”
In addition to applying the security updates, CERT-In suggested the following mitigation measures for those organisations that have been affected by the hack:
– Rotate the ASP.NET MachineKey values (ValidationKey and DecryptionKey) after applying the updates to invalidate any compromised credentials.
– Enable AMSI (Antimalware Scan Interface) integration in SharePoint to enhance detection of malicious activity.
– Deploy Microsoft Defender Antivirus or a compatible endpoint protection solution with updated signatures.
– Scan SharePoint directories (e.g., LAYOUTS folder) for unauthorized ASPX files such as spinstall0.aspx.
– Monitor systems for suspicious process activity such as w3wp.exe spawning cmd.exe or powershell.exe.
– Restrict external access to on-premises SharePoint servers where feasible until patched.
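The two detection measures above (unauthorised ASPX files in LAYOUTS, and w3wp.exe spawning a shell) can be checked from an elevated PowerShell prompt on the SharePoint host. The script below is an added, read-only triage example written for this article; it is not part of the CERT-In advisory or Microsoft’s guidance. It assumes the default hive-16 (and hive-15) LAYOUTS install paths and that Sysmon is installed with process-creation logging (Event ID 1); both are labelled in the code. Patching and MachineKey rotation are performed with the farm’s own tooling and are not scripted here.

```powershell
# Added example, not from the CERT-In advisory: read-only triage of two
# SharePoint compromise indicators named in the advisory.
# Assumptions: default LAYOUTS paths below; Sysmon with Event ID 1 enabled.
param(
    [string[]]$LayoutsPaths = @(
        # Assumed default install paths (hive 16: 2016/2019/Subscription; hive 15: 2013)
        'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
        'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
    ),
    [int]$LookbackDays = 14
)

$since    = (Get-Date).AddDays(-$LookbackDays)
$knownBad = @('spinstall0.aspx')          # indicator named in the advisory
$shells   = @('cmd.exe', 'powershell.exe') # children of w3wp.exe to flag

# 1. Unauthorised ASPX files under LAYOUTS. A patched, unmodified install does
#    not normally gain new .aspx pages there, so recent creations are reviewed
#    alongside the known-bad filename. Hashes are recorded for later IoC matching.
$aspxFindings = foreach ($root in $LayoutsPaths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        Where-Object { ($knownBad -contains $_.Name.ToLower()) -or ($_.CreationTime -ge $since) } |
        ForEach-Object {
            $reason = if ($knownBad -contains $_.Name.ToLower()) { 'known-bad filename' } else { 'recently created' }
            [pscustomobject]@{
                Indicator    = $reason
                Path         = $_.FullName
                CreationTime = $_.CreationTime
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 2. The IIS worker process (w3wp.exe) hosting SharePoint should not launch a
#    shell. Sysmon Event ID 1 records ParentImage/Image/CommandLine in EventData.
$procFindings = @()
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $since
    } -ErrorAction Stop
    foreach ($ev in $events) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $parent = [System.IO.Path]::GetFileName([string]$data['ParentImage']).ToLower()
        $image  = [System.IO.Path]::GetFileName([string]$data['Image']).ToLower()
        if ($parent -eq 'w3wp.exe' -and $shells -contains $image) {
            $procFindings += [pscustomobject]@{
                Time        = $ev.TimeCreated
                Parent      = $data['ParentImage']
                Child       = $data['Image']
                CommandLine = $data['CommandLine']
            }
        }
    }
} catch {
    # Get-WinEvent throws when the log is absent or no events match; without
    # Sysmon, Security Event ID 4688 with command-line auditing is the fallback.
    Write-Warning "Sysmon process-creation events unavailable: $($_.Exception.Message)"
}

# 3. Report. An empty result for both checks is not proof of a clean host;
#    it only means these two indicators were not observed in the lookback window.
"`n== ASPX files in LAYOUTS needing review ($(@($aspxFindings).Count)) =="
$aspxFindings | Format-Table -AutoSize
"`n== w3wp.exe spawning a shell since $since ($($procFindings.Count)) =="
$procFindings | Format-Table -AutoSize
```

Run it as `.\Check-SharePointIndicators.ps1 -LookbackDays 30` to widen the window; any hit on `spinstall0.aspx` or a w3wp.exe-to-shell chain should be treated as a confirmed-compromise trigger for the key-rotation and isolation steps listed above, not merely as a file to delete.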