As widely reported in the security community, a critical Microsoft SharePoint zero-day vulnerability (CVE-2025-53770) is being actively exploited as of July 2025. Organizations using on-prem SharePoint servers are at risk.
To help defend against this threat, SentinelOne has published a detailed analysis, including observed attack techniques and recommended mitigation steps.
Available Platform Detections
SentinelOne Threat Hunting and MDR teams have released the following detection rules:
- Web Shell Creation in LAYOUTS Directory
- Web Shell File Detected in LAYOUTS Directory
- Suspicious Process Spawned by SharePoint IIS Worker Process
Important Note: Manual activation is required for these detections.
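The three rules above reduce to two checks: a server-side script file appearing (or already present) under the SharePoint LAYOUTS tree, and the IIS worker process w3wp.exe spawning a child it has no business spawning. The following Python triage helper is an added illustration of that logic and is not SentinelOne's rule implementation. It assumes the conventional SharePoint "16 hive" LAYOUTS path, a minimal event schema (file_create, file_inventory, process_create dicts), and an illustrative list of unexpected child processes; the sample telemetry is constructed.

```python
from __future__ import annotations

from pathlib import PureWindowsPath

# Assumption: conventional SharePoint "16 hive" LAYOUTS location (SharePoint 2016/2019/SE).
LAYOUTS_DIR = PureWindowsPath(
    r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
)
# Server-side script types IIS will execute if a file with this extension lands under LAYOUTS.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx"}
IIS_WORKER = "w3wp.exe"
# Illustrative (assumed) list of children a SharePoint worker process should not spawn.
UNEXPECTED_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
    "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}


def is_script_in_layouts(path: str) -> bool:
    """True when path is a server-side script anywhere under the LAYOUTS tree."""
    p = PureWindowsPath(path)
    # PureWindowsPath equality is case-insensitive, so 'layouts' vs 'LAYOUTS'
    # and 'c:' vs 'C:' still match; p.parents covers nested subdirectories too.
    return p.suffix.lower() in SCRIPT_EXTENSIONS and LAYOUTS_DIR in p.parents


def classify(event: dict) -> str | None:
    """Map one event to the detection name it fires, or None if it is benign under these rules."""
    kind = event.get("type")
    if kind == "file_create" and is_script_in_layouts(event["path"]):
        return "Web Shell Creation in LAYOUTS Directory"
    if kind == "file_inventory" and is_script_in_layouts(event["path"]):
        return "Web Shell File Detected in LAYOUTS Directory"
    if kind == "process_create":
        parent = PureWindowsPath(event["parent_image"]).name.lower()
        child = PureWindowsPath(event["image"]).name.lower()
        if parent == IIS_WORKER and child in UNEXPECTED_CHILDREN:
            return "Suspicious Process Spawned by SharePoint IIS Worker Process"
    return None


def triage(events: list[dict]) -> list[tuple[str, dict]]:
    """Return (detection name, event) pairs for every event that fires a rule."""
    hits = []
    for ev in events:
        name = classify(ev)
        if name:
            hits.append((name, ev))
    return hits


# Constructed sample telemetry for the example; not real data from any incident.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\example_shell.aspx",
     "user": r"IIS APPPOOL\SharePoint"},
    {"type": "file_create",  # benign static asset in the same tree
     "path": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\images\logo.png"},
    {"type": "file_inventory",  # lower-case path in a subdirectory still matches
     "path": r"c:\program files\common files\microsoft shared\web server extensions\16\template\layouts\sub\old.ashx"},
    {"type": "process_create",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create",  # child not on the unexpected list
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe"},
    {"type": "process_create",  # right child, wrong parent
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"[{name}] {ev}")
```

Run against the constructed events it flags three of the six: the .aspx creation, the .ashx already present in a subdirectory, and cmd.exe under w3wp.exe. In a real deployment the event dicts would come from your EDR or Sysmon export, and the child-process list should be tuned to what your SharePoint farm legitimately launches so the rule stays high-signal.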
Please review your environment for indicators of compromise and follow your incident response procedures.
To further enhance your security, we advise updating all EDR agents to the latest version. Utilising the auto-upgrade functionality can ensure smooth and timely updates. For more details, please refer to our updated documentation.