Microsoft is releasing out-of-band security updates for SharePoint Server 2019 and SharePoint Server Subscription Edition, following a warning that vulnerable versions were now under attack.
If AMSI can’t be enabled, Microsoft’s advice is blunt: “We recommend you consider disconnecting your server from the internet until a security update is available.”
The fixes are related to CVE-2025-53770, a remote code execution vulnerability, and CVE-2025-53771, a path traversal vulnerability.
Microsoft has advised administrators of on-premises SharePoint Server 2019 and SharePoint Server Subscription Edition to apply the fixes immediately. SharePoint Server 2016 is also affected, but has yet to receive its fixes. At the time of writing, Microsoft said it was “actively working on updates.”
The company has not elaborated on why the security patches issued earlier in July only “partially addressed” the issues. As previously reported, SharePoint Online is not affected. It appears that attackers were able to bypass Microsoft’s July fix, resulting in the discovery of two new zero-day vulnerabilities.
As well as instructing administrators to ensure their servers are up to date and patched, Microsoft has also said that the Antimalware Scan Interface (AMSI) integration in SharePoint should be set to Full Mode and that admins should deploy Defender Antivirus to all SharePoint Servers to “stop unauthenticated attackers from exploiting this vulnerability.”
AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016 / 2019, as well as the 23H2 update for SharePoint Server Subscription Edition.