SharePoint Server: Path traversal vulnerability in Microsoft SharePoint allowing network spoofing (CVE-2025-53771) #shorts

Summary

In today’s episode, we break down CVE-2025-53771, a critical path traversal vulnerability in Microsoft SharePoint actively exploited in the wild. Microsoft released an urgent patch on July 20, 2025, alongside CVE-2025-53770, after Talos Intelligence flagged ongoing attacks. Administrators running vulnerable SharePoint versions need to update immediately to prevent spoofing and data exposure.

Product details

CVE-2025-53771 impacts Microsoft SharePoint Enterprise Server 2016 prior to build 16.0.5513.1001, SharePoint Server 2019 before build 16.0.10417.20037, and SharePoint Server Subscription Edition before build 16.0.18526.20508. All affected versions allow authenticated users to manipulate file paths on the server. Microsoft’s security advisory covers both on-premises and hybrid deployments.

Vulnerability type summary

This issue involves improper limitation of a pathname to a restricted directory (CWE-22), coupled with inadequate input validation (CWE-20) and neutralization (CWE-707). An attacker uses the traversal to reach files outside the intended directory and to spoof content, potentially tricking users or services into processing malicious files.

Details of the vulnerability

An authorized attacker with minimal privileges can craft specially formed requests to traverse outside the designated SharePoint directories. By exploiting insufficient input validation, they can upload or reference files in locations used for rendering pages or feeds. Talos Intelligence reports active exploitation campaigns targeting SharePoint servers, where attackers embed malicious payloads or phishing content to compromise credentials and propagate further.

Conclusion

If you manage any affected SharePoint environment, apply Microsoft’s July 2025 security updates immediately. Monitor your logs for unusual file-access patterns and implement additional path validation controls where possible. Stay tuned for follow-up guidance on detecting and mitigating similar server-side vulnerabilities.
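One way to do the log monitoring recommended above, as an added example that is not from the episode or from Microsoft: it parses a constructed IIS W3C log excerpt and flags requests whose URL-decoded stem and query contain a ".." segment, including URL-encoded and double-encoded forms. The field layout, the client addresses and the user names are constructed; only the download.aspx endpoint is taken from the page.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not real telemetry): one benign download,
# then a plain, a URL-encoded and a double-encoded traversal attempt.
SAMPLE_LOG = r"""
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-07-21 09:58:40 GET /_layouts/15/download.aspx SourceUrl=/sites/docs/Shared%20Documents/q3.xlsx CORP\alice 10.0.0.23 200
2025-07-21 10:00:01 GET /_layouts/15/download.aspx Path=../../../../web.config CORP\jdoe 10.0.0.77 200
2025-07-21 10:00:07 GET /_layouts/15/download.aspx Path=..%2F..%2F..%2Fweb.config CORP\jdoe 10.0.0.77 404
2025-07-21 10:00:12 GET /_layouts/15/download.aspx Path=%252e%252e%252fweb.config CORP\jdoe 10.0.0.77 200
"""

# A '..' segment bounded by a separator, a parameter boundary or the string ends.
TRAVERSAL = re.compile(r"(?:^|[\\/=&?])\.\.(?:[\\/]|$)")


def fully_decode(s: str, rounds: int = 3) -> str:
    """Peel off nested URL encoding until the value stops changing."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def parse_w3c(text: str):
    """Yield one dict per request row, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip malformed rows
                yield dict(zip(fields, values))


def find_traversal_attempts(text: str) -> list:
    """Return rows whose decoded stem+query contains a '..' segment."""
    hits = []
    for rec in parse_w3c(text):
        decoded = fully_decode(rec["cs-uri-stem"] + "?" + rec["cs-uri-query"])
        if TRAVERSAL.search(decoded):
            hits.append({"time": rec["date"] + " " + rec["time"],
                         "client": rec["c-ip"], "user": rec["cs-username"],
                         "decoded": decoded,
                         "served": rec["sc-status"] == "200"})
    return hits
```

A hit with "served" set to True (status 200) deserves priority over one the server refused, since the former indicates the file may actually have been disclosed.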

Watch the full video on YouTube: CVE-2025-53771

Remediation and exploitation details

This chain involves the following actors:

  • Authorized attacker: Insider threat with valid credentials
  • SharePoint administrator: Responsible for system maintenance and patch deployment

The following systems are involved:

  • Microsoft SharePoint Enterprise Server 2016 (<16.0.5513.1001) (On-premises collaboration and content management): Primary target for exploitation
  • Microsoft SharePoint Server 2019 (<16.0.10417.20037) (Enterprise document sharing platform): Primary target for exploitation
  • Microsoft SharePoint Server Subscription Edition (<16.0.18526.20508) (Subscription-based collaboration service): Primary target for exploitation

Attack entry point

  • File retrieval API endpoint: Handles requests for downloading files based on a path parameter; lacks proper normalization to prevent directory traversal

Remediation actions

  • SharePoint administrator: Apply the July 2025 cumulative security update released by Microsoft (applies to all affected SharePoint Server versions)
  • SharePoint administrator: Restrict access to the file retrieval endpoint to trusted hosts and enforce server-side path validation (applies to the file retrieval API endpoint)
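The server-side path validation that the entry-point description and the second remediation row call for, as an added example that is neither Microsoft's code nor anything from the episode: a client-supplied path parameter is canonicalized (double URL decoding, separator unification, NUL rejection) and resolved under a hypothetical content root, with any parent reference rejected outright. CONTENT_ROOT and the function names are assumptions.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote

# Hypothetical content root of a document library; a real handler would take
# this from the site configuration, not hard-code it.
CONTENT_ROOT = PurePosixPath("/sites/docs")


class TraversalRejected(ValueError):
    """Raised when a client-supplied path would escape CONTENT_ROOT."""


def canonicalize(raw: str) -> str:
    """Undo (double) URL encoding and unify separators before any checks."""
    decoded = raw
    for _ in range(2):            # %252e%252e%252f -> %2e%2e%2f -> ../
        decoded = unquote(decoded)
    if "\x00" in decoded:         # NUL bytes are never valid in a library path
        raise TraversalRejected("NUL byte in path: %r" % raw)
    return decoded.replace("\\", "/")


def resolve_under_root(raw: str, root: PurePosixPath = CONTENT_ROOT) -> PurePosixPath:
    """Map a request's path parameter to a location that is guaranteed
    to sit under root, or raise TraversalRejected."""
    segments = []
    for seg in canonicalize(raw).split("/"):
        if seg in ("", "."):      # collapse '//' and './'
            continue
        if seg == "..":           # library paths never need parent references
            raise TraversalRejected("parent reference in path: %r" % raw)
        segments.append(seg)
    candidate = root.joinpath(*segments)
    # Defence in depth: confirm the result is root or a descendant of it.
    if candidate != root and root not in candidate.parents:
        raise TraversalRejected("escaped root: %r" % raw)
    return candidate


def is_safe_path(raw: str) -> bool:
    """Boolean wrapper convenient for allow/deny decisions and tests."""
    try:
        resolve_under_root(raw)
        return True
    except TraversalRejected:
        return False
```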

Exploitation actions

Session establishment

  • Actor: Authorized attacker
  • Action: Authenticate to the SharePoint site using valid user credentials to establish a session
  • Target: Microsoft SharePoint Enterprise Server 2016 (<16.0.5513.1001)
  • Example: curl -u user@example.com:Password123 https://sharepoint.internal/_api/web

Path traversal

  • Actor: Authorized attacker
  • Action: Craft a path traversal payload by inserting “../” sequences into the file path parameter
  • Target: Microsoft SharePoint Enterprise Server 2016 (<16.0.5513.1001)
  • Example: GET /_layouts/15/download.aspx?Path=../../../../web.config HTTP/1.1

Path traversal

  • Actor: Authorized attacker
  • Action: Send the malicious request to the file retrieval API to bypass directory restrictions and retrieve sensitive files
  • Target: Microsoft SharePoint Server 2019 (<16.0.10417.20037)
  • Example: python exploit.py --url https://sharepoint.corp --payload "../../../../_app_bin/ConfigFile.xml"

Information disclosure

  • Actor: Authorized attacker
  • Action: Analyze the retrieved configuration data to extract network host names and internal address schemes
  • Target: Microsoft SharePoint Server Subscription Edition (<16.0.18526.20508)
  • Example: Extract host entries from ConfigFile.xml to identify domain controllers

Network spoofing

  • Actor: Authorized attacker
  • Action: Use the exposed network information to conduct man-in-the-middle interception or DNS spoofing on internal requests
  • Target: Microsoft SharePoint Enterprise Server 2016 (<16.0.5513.1001)
  • Example: arpspoof -i eth0 -t 10.0.0.5 10.0.0.1

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

  • CVE ID: CVE-2025-53771
  • Description: Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
  • Provider: microsoft
  • CWE / problem types: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-707: Improper Neutralization; CWE-20: Improper Input Validation
  • Affected software versions:
      • Microsoft SharePoint Enterprise Server 2016: from 16.0.0, less than 16.0.5513.1001 (version type: custom; status: affected)
      • Microsoft SharePoint Server 2019: from 16.0.0, less than 16.0.10417.20037 (version type: custom; status: affected)
      • Microsoft SharePoint Server Subscription Edition: from 16.0.0, less than 16.0.18526.20508 (version type: custom; status: affected)
  • Date published: 2025-07-20T22:16:52.203Z
  • Last updated: 2025-07-21T23:25:20.584Z