Microsoft Releases Emergency Patch: 0-Day Vulnerabilities in SharePoint Exploited in RCE Attacks

Date: 22/07/2025

Critical zero-day vulnerabilities in Microsoft SharePoint (CVE-2025-53770 and CVE-2025-53771) have been actively exploited since the end of last week, compromising at least 85 servers worldwide.

In May 2025, researchers from Viettel Cyber Security combined two Microsoft SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, into an RCE attack called ToolShell, which they demonstrated at the Pwn2Own Berlin competition.

Although Microsoft developers patched both ToolShell vulnerabilities in July, attackers managed to bypass the fixes using new exploits. The new vulnerabilities have been assigned the identifiers CVE-2025-53770 (9.8 on the CVSS scale; patch bypass for CVE-2025-49704) and CVE-2025-53771 (6.3 on the CVSS scale; patch bypass for CVE-2025-49706) and are already actively being used to attack on-premises SharePoint servers.

“Microsoft is aware of active attacks targeting on-premises users of SharePoint Server and the exploitation of vulnerabilities partially addressed in the July security updates,” as stated in the Microsoft blog. “These vulnerabilities only affect on-premises SharePoint servers. SharePoint Online in Microsoft 365 is not affected.”

Microsoft has now released update KB5002768 for Microsoft SharePoint Subscription Edition, addressing the newly discovered vulnerabilities. However, the company is still working on updates for Microsoft SharePoint 2019 and 2016.

Microsoft advises SharePoint server administrators to install the latest SharePoint patches; those who have not yet installed them or cannot apply them immediately should enable AMSI integration in SharePoint and deploy Defender on all SharePoint servers. The company claims that enabling these security solutions will prevent the exploitation of the vulnerabilities for unauthenticated attacks.

Furthermore, the company recommends rotating the SharePoint Server ASP.NET machine keys after applying the updates or enabling AMSI, as this will prevent attackers from executing commands even if a breach has already occurred.

You can check a SharePoint server for compromise by looking for the file C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx. Its presence is an indicator of a breach.

Attacks on 0-day vulnerabilities in Microsoft SharePoint were first identified by the Dutch company Eye Security. Researchers noticed the initial attacks on July 18, 2025, when one of the company’s clients’ EDR reported the launch of a suspicious process related to an uploaded malicious .aspx file. IIS logs showed a POST request was made to _layouts/15/ToolPane.aspx with an HTTP referrer of /_layouts/SignOut.aspx.
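As an added example (not code from the article, Eye Security or Microsoft), the following script checks a server for the two indicators named above: the spinstall0.aspx file in the LAYOUTS folder and IIS W3C log entries for a POST to _layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx. The log excerpt is constructed, and the expanded form of the 8.3 path is an assumption.

```python
"""Hunt for the ToolShell indicators described in the article: the
spinstall0.aspx web shell in LAYOUTS and a POST to ToolPane.aspx
whose Referer is SignOut.aspx. Sample log lines are constructed."""
from pathlib import Path

# Assumed expansion of C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS
LAYOUTS_DIR = Path(r"C:\Program Files\Common Files\Microsoft Shared"
                   r"\Web Server Extensions\16\TEMPLATE\LAYOUTS")
WEBSHELL_NAME = "spinstall0.aspx"

# Constructed IIS W3C extended log excerpt, not taken from any real server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.20 Mozilla/5.0 - 200
2025-07-18 14:05:43 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 14:05:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse IIS W3C log text into one dict per request, keyed by #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line and not line.startswith("#"):
            values = line.split()              # IIS encodes spaces in values as '+'
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def toolshell_log_hits(text: str) -> list[dict[str, str]]:
    """Return log rows matching the POST ToolPane.aspx / Referer SignOut.aspx pattern."""
    hits = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        referer = row.get("cs(Referer)", "").lower()
        if (row.get("cs-method") == "POST"
                and stem.endswith("/_layouts/15/toolpane.aspx")
                and referer.endswith("/_layouts/signout.aspx")):
            hits.append(row)
    return hits


def webshell_present(layouts_dir=LAYOUTS_DIR) -> bool:
    """True if the spinstall0.aspx indicator file exists in the LAYOUTS folder."""
    return (Path(layouts_dir) / WEBSHELL_NAME).is_file()


if __name__ == "__main__":
    for hit in toolshell_log_hits(SAMPLE_LOG):
        print("suspicious ToolPane POST:", hit["date"], hit["time"], "from", hit["c-ip"])
    print("web shell file present:", webshell_present())
```

Point the script at real IIS log files (typically under C:\inetpub\logs\LogFiles) and run it on the SharePoint server itself so the file check sees the local LAYOUTS folder.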

During the incident investigation, it was found that the attackers were using the ToolShell chain demonstrated at Pwn2Own, and that the attacks began shortly after CODE WHITE GmbH reproduced the exploit and security researcher Soroush Dalili published technical details.

In the process of exploiting the vulnerabilities, attackers upload a file named spinstall0.aspx, which is used to steal the MachineKey configuration of the SharePoint server, including the ValidationKey and DecryptionKey.

“By using the ToolShell chain (CVE-2025-49706 + CVE-2025-49704), attackers can extract the ValidationKey directly from memory or configuration,” explain Eye Security experts. “Once this cryptographic material is leaked, an attacker can create fully valid, signed __VIEWSTATE payloads using a tool called ysoserial. With ysoserial, an attacker can generate their own valid SharePoint tokens for RCE.”

ViewState is used by ASP.NET (which SharePoint is built upon) to maintain the state of web controls between requests. However, if the ViewState protection is improperly configured or the server’s ValidationKey is compromised, attackers can forge the contents of the ViewState and inject malicious code that will execute on the server during deserialization.

Experts from Eye Security informed the publication Bleeping Computer that they scanned the internet for hacked servers and discovered at least 54 organizations that have already been affected by the attacks.

“Although more than 85 compromised SharePoint servers have been identified worldwide, we were able to cluster them together and determine which specific organizations were affected,” the researchers say.

According to Eye Security, among the 54 targeted organizations are: a private university in the state of California, a commercial energy company in the state of California, a government healthcare organization, a commercial AI technology development company, a commercial fintech company in the state of New York, and a government organization in the state of Florida.

Specialists from Google Threat Intelligence Group (TAG) also warn about the exploitation of the vulnerabilities:

“The Google Threat Intelligence Group has discovered that attackers are exploiting vulnerabilities to install web shells and steal cryptographic secrets from victims’ servers. This provides persistent unauthorized access and poses a significant risk to the affected organizations,” reported TAG specialists.
