
Critical Microsoft SharePoint Zero-Day Exploits: Mitigation Steps and Lessons for Kenya

Blog By:
Patrick Meki, Cybersecurity & IT Risk Analyst
South-End Tech Limited

Wednesday, July 23, 2025

Introduction

The cybersecurity community was on high alert recently following the active exploitation of a critical zero-day vulnerability in Microsoft on-premises SharePoint servers. Known as CVE-2025-53770, this vulnerability enabled remote code execution and was used in attacks against more than 75 organisations globally, including government agencies, telecoms, education institutions, and critical infrastructure players.
With SharePoint being deeply embedded in the Microsoft 365 ecosystem, this exploit is not just a bug, but also a major enterprise risk that could compromise entire cloud and hybrid environments.

Why This Matters for Kenya
Microsoft SharePoint is deeply integrated into Kenya’s corporate and public sector IT ecosystems. Compromised servers risk:
     1. Data theft from sensitive government or customer systems
     2. Lateral movement to critical financial/healthcare infrastructure
     3. Reputational damage and regulatory penalties under Kenya’s Data Protection Act.

How the Exploit Works
Attackers bypass authentication and then:
     1. Run malicious code on SharePoint servers.
     2. Escalate privileges and move laterally within networks.
     3. Hide behind native tools (such as PowerShell), evading traditional security scans.
What makes this attack even more dangerous is how the attackers operate once they get in. Instead of using obvious malware or external tools, which are easier to detect, they use tools that are already built into the system, such as PowerShell, the command-line tool used by system administrators.

Mitigation and Response Steps
If your organization runs on-prem SharePoint servers, take the following actions immediately:
     1. Use or upgrade to supported versions of on-premises Microsoft SharePoint Server
          Supported versions are SharePoint Server 2016, 2019 and SharePoint Subscription Edition.
     2. Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly
          Set up AMSI in SharePoint, and if HTTP Request Body scanning is supported, enable Full Mode for maximum protection.
     3. Deploy an Endpoint Security solution
          Microsoft has recommended users deploy Defender for Endpoint to detect and block post-exploit activity, but my recommendation would be GravityZone Security for Servers, which provides multi-layered protection and much better centralized management than what Defender is offering.
     4. Strengthen Network Segmentation
          Do not allow your SharePoint server to communicate freely across internal networks.
     5. Deploy Behavioral EDR
          Endpoint Detection & Response tools with behavioral detection can spot anomalous execution patterns missed by traditional AV.
     6. Rotate SharePoint Server ASP.NET machine keys
          After applying the latest security updates above or enabling AMSI, it is critical that customers rotate the ASP.NET machine keys and restart IIS on all SharePoint servers.

Lessons for the Wider Industry
This incident is a reminder that even “trusted” platforms like Microsoft SharePoint must be continuously hardened. Relying on default configurations or delayed patching timelines creates unnecessary exposure. In addition, tools like PowerShell can serve both administrators and attackers and therefore companies must monitor these dual-use technologies closely.

Kenya-Specific Lessons
     1. Patch Proactively, Not Reactively: Many Kenyan enterprises delay patches due to bandwidth and cost constraints. Prioritize critical updates; this exploit proves that delays are catastrophic.
     2. Monitor “Trusted” Tools: PowerShell is widely used by Kenyan IT teams but equally abused by attackers. Audit all PowerShell activity and enforce execution policies.
     3. Validate Third-Party Hosting: If using local ISPs for SharePoint hosting, confirm they have applied these mitigations. Shared environments amplify risk.
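One way to script steps 1 and 6 of the mitigation list above together with the PowerShell auditing lesson, as an added example that is not from the original post or from Microsoft's own guidance. It assumes it is run elevated in the SharePoint Management Shell on each SharePoint server, and that the Update-SPMachineKey cmdlet is available on the patched build.

```powershell
# Added example (not from the original post). On one SharePoint server it:
#  (a) records the farm build so it can be checked against supported versions,
#  (b) rotates the ASP.NET machine key of every web application and restarts IIS,
#  (c) enables PowerShell script block and module logging for auditing,
#  (d) lists the script blocks logged in the last 24 hours for review.
# Assumption: Update-SPMachineKey exists on this build (shipped with the
# security updates that accompany the machine-key rotation guidance).
#Requires -RunAsAdministrator
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# (a) Step 1: farm build number for the supported-version check.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"

# (b) Step 6: rotate machine keys for every web application, then restart IIS
# so that the new keys are loaded by all application pools.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}
iisreset

# (c) Lesson 2: turn on script block logging (Event ID 4104) and module
# logging (Event ID 4103) in Microsoft-Windows-PowerShell/Operational.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$policyRoot\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$policyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# (d) Review: script blocks logged in the last 24 hours. Property index 2 of
# a 4104 event holds the script text; UserId is the SID that ran it.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'User';   e = { $_.UserId } },
                  @{ n = 'Script'; e = { $_.Properties[2].Value } } |
    Format-Table -Wrap
```

Forward the Operational log to your SIEM or EDR console as well, so that the review in step (d) is not limited to the local host.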

Conclusion
This exploit is a stark reminder: no platform is inherently “secure,” especially heavily used tools like SharePoint. Kenyan organizations must:
     1. Accelerate patch cycles.
     2. Assume breach—hunt for lateral movement.
     3. Conduct penetration tests on collaboration systems.
Now is the time to review your patching cadence, conduct penetration tests, and re-evaluate internal lateral movement controls. Because in cybersecurity, “The tools you trust the most can become your greatest vulnerability.”


Do you need support in assessing your Microsoft stack for zero-day exposure? Talk to South-End Tech.
Tel: +254115867309 | +254740196519

Email: cybersecurity@southendtech.co.ke | info@southendtech.co.ke | dataprotection@southendtech
