Microsoft SharePoint zero-day exploited in remote code execution attacks around the world.

The IT world has been shaken by the discovery and active exploitation of a critical zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770. Categorized as a remote code execution (RCE) flaw, this vulnerability is currently being exploited on a large scale, allowing attackers to take complete control of exposed on-premises SharePoint servers. As government agencies, educational institutions, the energy sector, and major enterprises scramble to secure their infrastructure, understanding the mechanics, impact, and mitigations for this attack has become paramount.

Vulnerability Overview

CVE-2025-53770 is a deserialization of untrusted data vulnerability (CWE-502) present in on-premises versions of Microsoft SharePoint Server (2016, 2019, and Subscription Edition). The flaw allows an unauthenticated remote attacker to craft specially designed payloads that, when processed by the victim server, enable arbitrary code execution with the privileges of the SharePoint service.

Key Attributes

  • CVE: 2025-53770
  • Severity: 9.8 (Critical)
  • Attack Vector: Network (remote exploitation, no authentication required)
  • Type: Deserialization of untrusted data (CWE-502)
  • Affected Products: Only on-premises SharePoint Server 2016, 2019, and Subscription Edition. SharePoint Online (Microsoft 365 cloud) is unaffected.
  • Status: Actively exploited in the wild as of July 18, 2025.

Technical Exploitation Details

Root Cause

The vulnerability lies in how SharePoint deserializes certain objects provided in HTTP POST requests to the /_layouts/15/ToolPane.aspx endpoint. Attackers discovered that manipulating the HTTP Referer header (e.g., setting it to /_layouts/SignOut.aspx) could bypass authentication protections – a behavior reminiscent of the previously patched CVE-2025-49706 (authentication bypass) and CVE-2025-49704 (code injection).

Exploit Chain (“ToolShell”)

  1. Initial Access: Attackers send crafted requests to exposed SharePoint servers, setting the HTTP Referer and leveraging deserialization flaws in the ToolPane logic.
  2. Implant Deployment: A malicious, non-interactive .aspx file (e.g., spinstall0.aspx) is dropped into SharePoint’s layouts directory. This implant’s sole purpose is to extract sensitive cryptographic secrets—it does not provide a typical web shell or command interface.
  3. Crypto Key Extraction: The implant invokes internal .NET methods to steal the server’s ValidationKey and DecryptionKey. These keys are essential for generating and signing legitimate __VIEWSTATE objects, which are core to SharePoint and ASP.NET session handling.
  4. Subsequent RCE: With these keys, adversaries can forge __VIEWSTATE payloads that allow any authenticated (and some unauthenticated) requests to result in execution of attacker-controlled code – even after the server is patched unless keys are rotated.
  5. Post-Exploitation: Attackers gain full file system access, extract data, harvest credentials, move laterally within the network, and establish persistence that survives patching unless cryptographic keys are rotated and all secrets are reset.

Notable Observations

  • No User Interaction Needed: The attack chain is fully automated and requires no user interaction or social engineering.
  • Authenticated Token Forgery: By extracting cryptographic material, adversaries can produce valid tokens for further attacks, turning every authenticated request into a potential exploit vector.
  • Stealthiness: Unlike typical web shells, the implants focus only on persistence and secret theft, making detection more challenging.

Related Exploits and Variants

  • CVE-2025-53770 is considered a variant or bypass for earlier vulnerabilities patched in Microsoft’s July 2025 update, specifically designed to circumvent fixes for ToolShell-related bugs.
  • Researchers note links between exploitation activity and prior demonstration of “ToolShell” at the Berlin Pwn2Own contest, which showcased a similar exploit chain combining authentication bypass and code injection.

Attacks, Impact, and Victimology

  • Detected Worldwide: Eye Security and other cybersecurity teams detected numerous compromise waves, with over 85 SharePoint servers confirmed breached across 29+ organizations by July 21, 2025.
  • Victim Sectors: The affected organizations span government, energy, education, and multinational business sectors. US federal and state agencies are among those breached.
  • Attackers’ Capabilities: Once inside, adversaries commonly:
    • Extract all document libraries
    • Plant persistent backdoors
    • Exfiltrate credentials and secrets tied to SharePoint, Exchange, Teams, and more
    • Move laterally across Windows domain and cloud-connected systems
  • Active Exploit Waves: Two major waves (July 18 and 19, 2025) have been traced to internet-facing, unpatched SharePoint systems.

Detection and Indicators of Compromise (IOCs)

Technical Indicators

  • Suspicious Child Processes: Look for PowerShell or cmd.exe processes spawned by w3wp.exe (the IIS worker for SharePoint).
  • File System Changes: Unexpected .aspx files (esp. spinstall0.aspx) within SharePoint layouts directories.
  • Unusual Network Activity: Monitor for POST requests to /_layouts/15/ToolPane.aspx with anomalous Referer headers (esp. /_layouts/SignOut.aspx).
  • Possible Web Shells: Even if no web shell is present, artifacts of process injection or cryptographic key extraction are red flags.

Threat Hunting Queries

Sample Kusto/Log queries for defenders:

```kusto
// Network-based detections (large, unusual POST requests).
// Note: RequestMethod and ResponseSize are not native advanced-hunting columns;
// map them from your IIS or reverse-proxy log source before running this.
DeviceEvents
| where RemoteUrl contains "sharepoint"
| where RequestMethod in ("POST", "PUT")
| where ResponseSize > 1000000

// Unusual process spawns: the IIS worker (w3wp.exe) launching a shell.
// The parent-process column in DeviceProcessEvents is InitiatingProcessFileName.
DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where FileName in~ ("cmd.exe", "powershell.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine

// File system monitoring: new .aspx files in the SharePoint LAYOUTS directory.
// The default path (...\Web Server Extensions\16\TEMPLATE\LAYOUTS) does not contain
// the word "SharePoint", so match on LAYOUTS as well.
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath has_any ("LAYOUTS", "SharePoint")
| where FileName endswith ".aspx"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName
```

Adapt to your SIEM/EPP as appropriate.
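The Technical Indicators list and the hunting queries above can also be applied directly to raw logs. The following Python is an added example (not from the original article or any vendor tooling) that parses IIS W3C log lines using their #Fields header and flags the ToolPane POST with a SignOut referer, requests for the spinstall0.aspx implant, and w3wp.exe spawning a shell; all log lines and process records are constructed for the example, and the EDR field names are hypothetical.

```python
# Constructed IIS W3C log lines (not from a real incident); the #Fields header names the columns.
SAMPLE_IIS_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(Referer) sc-status",
    "2025-07-19 02:11:03 GET /_layouts/15/start.aspx - CORP\\alice 10.0.0.20 https://sp.corp.example/sites/hr 200",
    "2025-07-19 02:11:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit - 203.0.113.7 /_layouts/SignOut.aspx 200",
    "2025-07-19 02:11:10 GET /_layouts/15/spinstall0.aspx - - 203.0.113.7 - 200",
    "2025-07-19 02:12:44 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit CORP\\bob 10.0.0.21 https://sp.corp.example/_layouts/15/start.aspx 200",
]
# Constructed process-creation records shaped like EDR telemetry (field names are hypothetical).
SAMPLE_PROCESS_EVENTS = [
    {"host": "SP01", "parent": "w3wp.exe", "image": "csc.exe"},         # routine ASP.NET compile
    {"host": "SP01", "parent": "w3wp.exe", "image": "powershell.exe"},  # IIS worker spawning a shell
    {"host": "SP01", "parent": "explorer.exe", "image": "cmd.exe"},     # admin console, not w3wp
]

TOOLPANE = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
IMPLANT_NAMES = {"spinstall0.aspx"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}

def parse_w3c(lines):
    """Yield one dict per request, mapping columns by the most recent #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip truncated lines rather than misalign columns
            yield dict(zip(fields, values))

def hunt_iis(lines):
    """Return (reason, record) pairs for the web indicators listed above."""
    hits = []
    for rec in parse_w3c(lines):
        stem, referer = rec["cs-uri-stem"].lower(), rec["cs(Referer)"].lower()
        if rec["cs-method"] == "POST" and stem == TOOLPANE and referer.endswith(SIGNOUT_REFERER):
            who = "unauthenticated" if rec["cs-username"] == "-" else rec["cs-username"]
            hits.append((f"ToolPane POST with SignOut referer ({who})", rec))
        if stem.rsplit("/", 1)[-1] in IMPLANT_NAMES:
            hits.append(("request for known implant file", rec))
    return hits

def hunt_processes(events):
    """Flag cmd.exe / powershell.exe whose parent is the IIS worker w3wp.exe."""
    return [e for e in events
            if e["parent"].lower() == "w3wp.exe" and e["image"].lower() in SUSPICIOUS_CHILDREN]
```

On the sample data, hunt_iis reports the unauthenticated ToolPane POST and the implant request while ignoring the authenticated edit with a normal referer, and hunt_processes reports only the powershell.exe child of w3wp.exe.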

Threat Actor Attribution

While attribution is ongoing, historical campaigns involving SharePoint RCE have been linked to APT groups such as Silk Typhoon (aka HAFNIUM), Storm-0506, and various ransomware operators targeting enterprise collaboration platforms.

Response and Mitigation

Microsoft and Government Guidance

  • Patch: Immediate deployment of Microsoft’s emergency security updates is crucial. As of July 21, 2025, patches are available for SharePoint 2019 and Subscription Edition. Updates for 2016 remain pending.
  • Mitigations: Where patching is not possible:
    • Enable Antimalware Scan Interface (AMSI): Provides deep script inspection and detection.
    • Deploy Microsoft Defender Antivirus & Defender for Endpoint: For real-time protection, as well as detecting web shell and exploitation signals.
    • Disconnect Vulnerable Servers: Sever internet access for SharePoint servers that cannot be immediately patched or secured.
  • Key Rotation: After patching, rotate all ASP.NET machine keys (ValidationKey, DecryptionKey). Patching alone will not invalidate attacker persistence if secrets have been stolen.
  • Incident Investigation: If spinstall0.aspx or similar indicators are found, immediately isolate and image affected systems, rotate all credentials/secrets, and conduct thorough compromise assessments.
  • Professional Response: Engage specialist incident response teams for analysis, containment, and remediation—especially if core service integrations (Exchange, Teams, OneDrive) may have been impacted.
