Vulnerability in SharePoint 2019/SharePoint 2016 – CVE-2025-53770

If you are using Microsoft Identity Manager 2016 (MIM), including the Portal and SharePoint, this is important:

A critical vulnerability (CVE-2025-53770) affecting SharePoint 2016 and 2019 is currently being actively exploited. Microsoft has published official guidance here.

Required Actions (based on your SharePoint version):

  1. Install the SharePoint July 2025 update
  2. Install the security update for CVE-2025-53770
  3. Configure AMSI (Antimalware Scan Interface) integration in SharePoint.
    Note: If AMSI is not supported in your version of SharePoint, you must apply the patches and proceed with step 5.
  4. Enable Microsoft Defender for Endpoint integration
    Note: This requires a paid subscription in your Azure tenant. If this is not available, ensure patches are applied and continue with step 5.
  5. Rotate the ASP.NET machine keys for your SharePoint web application
    • This step must be done after installing the patches
    • Run an IIS reset on all SharePoint servers after the machine key update
    • The web application for the MIM Portal is usually named ‘MIM Portal’ – confirm this in SharePoint Central Admin
    • Use this PowerShell command (run as a Farm Admin account, e.g. a ‘MIM Installer’ account): Update-SPMachineKey -WebApplication "MIM Portal"
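
The five steps above, from confirming the farm is patched through rotating the machine keys and resetting IIS on every SharePoint server, as one PowerShell sequence. This is an added example, not a script from the original advisory or from Oxford Computer Group. It assumes the web application is named ‘MIM Portal’ (confirm in Central Admin), that it is run from the SharePoint Management Shell as a Farm Administrator after the July 2025 update and the CVE-2025-53770 security update are installed, and that PowerShell Remoting is enabled to the other farm servers for the iisreset step.

```powershell
# Added example (not from the original advisory or from Oxford Computer Group):
# rotates the ASP.NET machine keys for the MIM Portal web application and restarts
# IIS on every SharePoint server in the farm. Run on one SharePoint server, as a
# Farm Administrator, only AFTER the July 2025 update and the CVE-2025-53770
# security update are installed (rotating keys before patching is not effective).
# Assumptions: the web application is named 'MIM Portal' and PowerShell Remoting
# is available to the other servers in the farm.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppName = 'MIM Portal'

# 1. Show the farm build so it can be compared with the build number listed in
#    Microsoft's guidance for the security update (not reproduced here).
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# 2. Resolve the web application by display name and stop with a clear message if
#    the name does not match what Central Admin shows.
$webApp = Get-SPWebApplication | Where-Object { $_.DisplayName -eq $webAppName }
if (-not $webApp) {
    throw "Web application '$webAppName' not found. Check the name in SharePoint Central Admin."
}

# 3. Generate new machine keys and apply them to the web application across the farm.
Update-SPMachineKey -WebApplication $webApp

# 4. Reset IIS on every SharePoint server. Database-only servers report Role 'Invalid'
#    and do not run IIS, so they are skipped.
$servers = Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object -ExpandProperty Address

foreach ($server in $servers) {
    Write-Host "Running iisreset on $server"
    Invoke-Command -ComputerName $server -ScriptBlock { iisreset }
}
```

Running the key rotation once from a single server is sufficient because `Update-SPMachineKey` updates the web application configuration farm-wide; the IIS reset, however, must happen on every server, which is why the last step iterates over `Get-SPServer` rather than resetting only the local machine.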

Contact us if you would like help implementing these changes or would like to explore options to operate MIM, including workflow and portal functionality, without SharePoint – using a custom Oxford Computer Group solution.