Critical vulnerabilities in Microsoft SharePoint (CVE-2025-53770 and CVE-2025-53771) are currently being exploited in the wild. Disclosed on July 19, 2025, these vulnerabilities have CVSS scores of 9.8 and 7.1 respectively, indicating severe and high risk.
CVE-2025-53770 affects on-premises Microsoft SharePoint Servers, allowing unauthorized attackers to execute code over a network. CVE-2025-53771 affects Microsoft Office SharePoint, allowing authorized attackers to perform spoofing over a network. Microsoft has released emergency patches for the vulnerabilities.
However, users of HAProxy Enterprise WAF were protected automatically.
About the SharePoint vulnerabilities
On July 20, The Washington Posted reported that “unknown attackers exploited a ‘significant vulnerability’ in Microsoft’s SharePoint collaboration software, hitting targets around the world”.
Hackers exploited a major security flaw in widely used Microsoft server software to launch a global attack on government agencies and businesses in the past few days, breaching U.S. federal and state agencies, universities, energy companies and an Asian telecommunications company, according to state officials and private researchers.
What’s also alarming, researchers said, is that the hackers have gained access to keys that may allow them to regain entry even after a system is patched.
“So pushing out a patch on Monday or Tuesday doesn’t help anybody who’s been compromised in the past 72 hours,” said one researcher, who spoke on the condition of anonymity because a federal investigation is ongoing.
According to Slashdot:
The vulnerabilities allow hackers to steal private digital keys from SharePoint servers without requiring credentials, enabling them to plant malware and access stored files and data. Eye Security, which first identified the attacks on Saturday, found dozens of actively exploited servers and warned that SharePoint's integration with Outlook, Teams, and OneDrive could enable further network compromise. Researcher Silas Cutler at cybersecurity firm Censys estimated more than 10,000 companies with SharePoint servers were at risk, with the largest concentrations in the United States, Netherlands, United Kingdom, and Canada.
Automatic protection with HAProxy Enterprise WAF
Zero-day attacks targeting previously unknown vulnerabilities are notoriously difficult to protect against. Fortunately, customers using HAProxy Enterprise to load-balance SharePoint services were protected automatically against exploits for these vulnerabilities because of the unique way the HAProxy Enterprise WAF works.
Users do not need to apply special configuration or update WAF rules to enable protection. As long as customers use the HAProxy Enterprise WAF and have Enforcement Mode enabled, their SharePoint services are protected.
The exploits trigger multiple rules in the HAProxy Enterprise WAF, generating a high enough threat score for the WAF to block the requests completely, as shown in the WAF logs available in HAProxy Fusion’s observability suite. HAProxy Fusion Control Plane provides the centralized management, observability, and automation required to manage WAF deployments at scale across multi-cluster and multi-cloud environments.
About the HAProxy Enterprise WAF
How is this automatic protection possible? Short answer: the HAProxy Enterprise WAF is built different.
The incoming NIS2 and DORA regulations in the EU will require affected organizations to use security tools such as a web application firewall (WAF) to protect their assets and infrastructure. A WAF is an essential part of a multi-layered security strategy, and is designed to detect and block malicious requests, such as those exploiting the SharePoint vulnerabilities. However, organizations using a typical WAF would not be able to block this exploit without updating their WAF rules to detect the new attack signature. What’s worse, when this vulnerability was disclosed, there was no existing attack signature.
Traditional WAFs have historically relied on static lists and regex-based attack signatures to identify and block malicious traffic. Unfortunately, these measures are only capable of detecting threats for which a signature already exists. This leaves organizations vulnerable to emerging, polymorphic, or previously unseen attacks — commonly called zero-day attacks.
The next-gen HAProxy Enterprise WAF is powered by our Intelligent WAF Engine. This engine moves beyond the constraints of static signatures by employing a non-signature-based detection system. Its advanced threat detection is powered by threat intelligence data from over 70 billion daily requests on HAProxy Edge, and enhanced by machine learning. Our data science team trains our security models and enables them to reliably detect unfamiliar attacks and anomalous behavior.
This proactive, adaptive protection enables HAProxy Enterprise WAF to identify and block emerging and elusive threats without requiring users to manually create, maintain, or update complex lists of rules. This architectural shift towards a more intelligent and anticipatory security posture offers better protection and improved operational efficiency.
Recently at HAProxyConf 2025, Juraj Ban, Principal Security Architect at Infobip, praised HAProxy Enterprise WAF: “The engine is powerful and fast. We don't have any latency issues any more. We don't have any false positives, and when we set up a new application we don’t need to fine-tune the WAF rules. We don't have complaints from our customers — that is the most important thing!”
HAProxy Technologies was named a Leader in the G2 Summer 2025 Grid® Report for the Web Application Firewall category, with a Satisfaction Score of 94.
Want automatic protection for your applications?
If you’re an HAProxy Enterprise customer, you already have access to HAProxy Enterprise WAF. Follow the instructions to enable the HAProxy Enterprise WAF.
If you’re not yet using HAProxy Enterprise, request a free trial to experience:
Advanced multi-layered security
Unrivalled observability
Powerful suite of add-ons
Authoritative expert support
Infrastructure efficiency and cost saving
The trial includes all features of the full HAProxy Enterprise license with no performance limitations. Our experts will guide you through the trial process, with the option to easily upgrade to the full license with no traffic interruptions at the end of the trial period.
And if you want to learn more about our security solutions in-person, you can visit us at Booth #6028 at BlackHat USA, August 6-7, in Las Vegas.
Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.
