
Microsoft Releases Emergency Patch: 0-Day Vulnerabilities in SharePoint Exploited in RCE Attacks

Critical zero-day vulnerabilities in Microsoft SharePoint (CVE-2025-53770 and CVE-2025-53771) have been actively exploited since the end of last week, compromising at least 85 servers worldwide.

In May 2025, researchers from Viettel Cyber Security combined two Microsoft SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, into an RCE attack called ToolShell, which they demonstrated at the Pwn2Own Berlin competition.

Although Microsoft developers patched both ToolShell vulnerabilities in July, attackers managed to bypass the fixes using new exploits. The new vulnerabilities have been assigned the identifiers CVE-2025-53770 (9.8 on the CVSS scale; patch bypass for CVE-2025-49704) and CVE-2025-53771 (6.3 on the CVSS scale; patch bypass for CVE-2025-49706) and are already actively being used to attack on-premises SharePoint servers.

“Microsoft is aware of active attacks targeting on-premises users of SharePoint Server and the exploitation of vulnerabilities partially addressed in the July security updates,” as stated in the Microsoft blog. “These vulnerabilities only affect on-premises SharePoint servers. SharePoint Online in Microsoft 365 is not affected.”

Microsoft has now released update KB5002768 for Microsoft SharePoint Subscription Edition, addressing the newly discovered vulnerabilities. However, the company is still working on updates for Microsoft SharePoint 2019 and 2016.

Microsoft advises administrators of SharePoint servers that do not yet have a patch available, or that cannot be patched immediately, to install the latest available SharePoint updates, enable AMSI integration in SharePoint, and deploy Defender on all SharePoint servers. The company states that enabling these protections blocks unauthenticated exploitation of the vulnerabilities.

Furthermore, the company recommends rotating the SharePoint Server ASP.NET machine keys after applying the updates or enabling AMSI, since this prevents attackers from continuing to execute commands even if a server has already been breached.

To check a SharePoint server for compromise, look for the file C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx. Its presence is an indicator of a breach.

Attacks on the 0-day vulnerabilities in Microsoft SharePoint were first identified by the Dutch company Eye Security. Researchers noticed the initial attacks on July 18, 2025, when the EDR of one of the company’s clients reported the launch of a suspicious process linked to an uploaded malicious .aspx file. IIS logs showed a POST request to _layouts/15/ToolPane.aspx with an HTTP referrer of /_layouts/SignOut.aspx.
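The two indicators above (the spinstall0.aspx file in the LAYOUTS directory, and the POST to ToolPane.aspx with a SignOut.aspx referrer in the IIS logs) can be checked with a small triage script. The following is an added example written for this article, not code from Eye Security or Microsoft; the IIS log excerpt is constructed, and the long-form LAYOUTS path is the expansion of the 8.3 path quoted above.

```python
"""Triage helper for the ToolShell indicators described in the article.
Parses IIS W3C logs using the #Fields header and checks the LAYOUTS hive
for spinstall0.aspx. The sample log below is constructed, not a real incident."""
import os

# Long form of the 8.3 path quoted in the article (PROGRA~1 = Program Files, etc.).
LAYOUTS_DIR = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
WEBSHELL_NAME = "spinstall0.aspx"

# Constructed sample excerpt of a SharePoint front-end IIS log.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 10.0.0.20 Mozilla/5.0 - 200
2025-07-18 10:02:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 10:02:16 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 203.0.113.7 Mozilla/5.0 - 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request, naming columns from the #Fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed lines instead of misaligning columns
                yield dict(zip(fields, values))


def find_toolshell_hits(log_text):
    """Return log rows matching the article's indicators, each tagged with a reason."""
    hits = []
    for row in parse_iis_w3c(log_text):
        stem = row.get("cs-uri-stem", "").lower()
        referer = row.get("cs(Referer)", "").lower()
        is_post = row.get("cs-method", "").upper() == "POST"
        if is_post and stem.endswith("/toolpane.aspx") and "signout.aspx" in referer:
            hits.append({**row, "reason": "ToolPane.aspx POST with SignOut.aspx referrer"})
        elif stem.endswith("/" + WEBSHELL_NAME):
            hits.append({**row, "reason": "request for " + WEBSHELL_NAME})
    return hits


def find_webshell(layouts_dirs=(LAYOUTS_DIR,)):
    """Return full paths of spinstall0.aspx in any of the given LAYOUTS directories."""
    candidates = (os.path.join(d, WEBSHELL_NAME) for d in layouts_dirs)
    return [p for p in candidates if os.path.isfile(p)]


if __name__ == "__main__":
    for hit in find_toolshell_hits(SAMPLE_IIS_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["reason"])
    for path in find_webshell():
        print("web shell present:", path)
```

On a real server, feed `find_toolshell_hits` the contents of the IIS log files (typically under the inetpub\logs\LogFiles site folders) and run `find_webshell()` on the SharePoint front ends; a hit in either case warrants key rotation and a full investigation, not just file deletion.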

During the incident investigation, it was found that the attackers used the ToolShell chain demonstrated at Pwn2Own shortly after CODE WHITE GmbH reproduced the exploit and cybersecurity specialist Soroush Dalili shared technical details.

In the process of exploiting the vulnerabilities, attackers upload a file named spinstall0.aspx, which is used to steal the MachineKey configuration of the SharePoint server, including the ValidationKey and DecryptionKey.

“By using the ToolShell chain (CVE-2025-49706 + CVE-2025-49704), attackers can extract the ValidationKey directly from memory or configuration,” explain Eye Security experts. “Once this cryptographic material is leaked, an attacker can create fully valid, signed __VIEWSTATE payloads using a tool called ysoserial. With ysoserial, an attacker can generate their own valid SharePoint tokens for RCE.”


ViewState is used by ASP.NET (which SharePoint is built upon) to maintain the state of web controls between requests. However, if the ViewState protection is improperly configured or the server’s ValidationKey is compromised, attackers can forge the contents of the ViewState and inject malicious code that will execute on the server during deserialization.

Experts from Eye Security told the publication BleepingComputer that they scanned the internet for hacked servers and discovered at least 54 organizations that had already been affected by the attacks.

“Although more than 85 compromised SharePoint servers have been identified worldwide, we were able to cluster them together and determine which specific organizations were affected,” the researchers say.

According to Eye Security, among the 54 targeted organizations are: a private university in the state of California, a commercial energy company in the state of California, a government healthcare organization, a commercial AI technology development company, a commercial fintech company in the state of New York, and a government organization in the state of Florida.

Specialists from Google Threat Intelligence Group (TAG) also warn about the exploitation of the vulnerabilities:

“The Google Threat Intelligence Group has discovered that attackers are exploiting vulnerabilities to install web shells and steal cryptographic secrets from victims’ servers. This provides persistent unauthorized access and poses a significant risk to the affected organizations,” reported TAG specialists.
