SharePoint Servers Under Siege as Dual Zero‑Days Fuel Ransomware Surge
Cyber Jack, Jul 28
A rapidly escalating wave of cyberattacks is targeting unpatched on‑premises SharePoint servers worldwide, exploiting two newly discovered critical vulnerabilities—CVE‑2025‑53770 (CVSS 9.8) and CVE‑2025‑47981. Security analysts at Recast Software warn that initial espionage‑driven campaigns have evolved into aggressive ransomware operations, and the U.S. federal government is among those affected.
Microsoft and CISA confirm that CVE‑2025‑53770 allows unauthenticated attackers to execute code on any exposed SharePoint server. Exploitation began on July 7, and at least 75 servers have been compromised so far. Multiple China‑linked threat groups are using the access to pivot deeper into networks and monetize intrusions. While SharePoint Online remains unaffected, any on‑premises deployments that have not received the full July security patch cycle are considered vulnerable.
A second flaw, CVE‑2025‑47981, compounds the risk. The vulnerability resides in the Windows SPNEGO negotiation process and is described as wormable, making it a highly effective pathway for lateral movement once attackers establish a foothold. “Urgent patching is non‑negotiable,” several threat intelligence teams noted, warning that unpatched endpoints could rapidly amplify the impact of a single SharePoint breach.
Automation Tools to Close the Gap
To help IT teams move quickly, engineers at Right Click Tools Builder have released two free automation templates designed to detect and remediate the vulnerabilities at scale. The CVE‑2025‑47981 Finder template identifies Windows devices exposed to the SPNEGO flaw and feeds them into a ConfigMgr collection for accelerated patching. Meanwhile, the CVE‑2025‑53770 Remediator template audits SharePoint servers, applies available patches and hotfixes, rotates encryption keys, and enforces Microsoft’s latest hardening recommendations.
“This is about cutting response times from hours to minutes,” said Scott Erickson, who led development of the templates. “The automation gives admins a single dashboard view across ConfigMgr and Intune while eliminating the need for dozens of manual queries and PowerShell checks.”
The templates can be imported directly from the project’s public GitHub repository. After a pilot run, organizations can push fixes organization‑wide and monitor results in real time through existing dashboards. The tools also integrate optional email and Teams alerts for faster escalation.
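The following is an added illustration of the detection step the CVE‑2025‑47981 Finder performs, written here as a stand-alone PowerShell script; it is not the Right Click Tools Builder template or any code from the project. It checks each target host's installed Windows hotfixes against a list of fixing KB identifiers and writes an exposure report that can be used to populate a ConfigMgr collection. The KB numbers, the report path, and the `Test-SpnegoPatchState` function name are placeholders and assumptions: the real identifiers for each OS build must be taken from Microsoft's advisory for CVE‑2025‑47981.

```powershell
# Added example of a patch-state finder for the Windows SPNEGO flaw.
# This is NOT the Right Click Tools Builder "CVE-2025-47981 Finder" template.
# The KB numbers below are PLACEHOLDERS: replace them with the fixing updates
# listed in Microsoft's advisory for CVE-2025-47981 before running this.

param(
    # One or more computer names to audit (defaults to the local machine).
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Hotfix IDs that resolve the SPNEGO flaw. PLACEHOLDER values (assumption).
    [string[]]$FixingKBs = @('KB0000000', 'KB0000001'),
    # Where to write the exposure report for import into a ConfigMgr collection.
    [string]$ReportPath = ".\spnego-exposure.csv"
)

function Test-SpnegoPatchState {
    param([string]$Computer, [string[]]$KBs)

    try {
        # Win32_QuickFixEngineering lists installed Windows updates (not SharePoint patches).
        $installed = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
        $os = Get-CimInstance -ClassName Win32_OperatingSystem `
                              -ComputerName $Computer -ErrorAction Stop
        $matched = @($installed | Where-Object { $KBs -contains $_ })

        [pscustomobject]@{
            ComputerName = $Computer
            OSVersion    = $os.Version
            MatchedKB    = ($matched -join ';')
            # Exposed is $true only when none of the fixing updates is present.
            Exposed      = ($matched.Count -eq 0)
            Error        = $null
        }
    }
    catch {
        # Unreachable or access-denied hosts are reported as unknown, never as safe.
        [pscustomobject]@{
            ComputerName = $Computer
            OSVersion    = $null
            MatchedKB    = $null
            Exposed      = $null
            Error        = $_.Exception.Message
        }
    }
}

$results = foreach ($c in $ComputerName) {
    Test-SpnegoPatchState -Computer $c -KBs $FixingKBs
}

# Full report for collection import; hosts that are exposed or unknown go to the console.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Where-Object { $_.Exposed -ne $false } | Format-Table -AutoSize
```

Two caveats when adapting this: Windows cumulative updates supersede one another, so the KB list must include every later cumulative update that carries the fix (or the check should compare the OS build number against the minimum fixed build instead), and a host that cannot be queried is deliberately reported as unknown rather than dropped, so it still lands in the remediation collection.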
Beyond the Immediate Crisis
While these templates are focused on the current SharePoint crisis, Right Click Tools Builder’s framework is designed for broader use cases, from patch verification to baseline drift analysis. The team has committed to releasing additional templates weekly as the security community contributes.
Given the active exploitation of both vulnerabilities, experts emphasize that patching and network hardening should be treated as a top‑tier priority. “This is not just another SharePoint bug,” said the analysts who built and scoped the templates. “We are seeing real ransomware campaigns leveraging these flaws right now. Admins need to act as though attackers are already inside the network.”