Critical zero-day vulnerabilities in Microsoft SharePoint (CVE-2025-53770 and CVE-2025-53771) have been actively exploited since the end of last week, compromising at least 85 servers worldwide.
In May 2025, researchers from Viettel Cyber Security combined two Microsoft SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, into an RCE attack called ToolShell, which they demonstrated at the Pwn2Own Berlin competition.
Although Microsoft developers patched both ToolShell vulnerabilities in July, attackers managed to bypass the fixes using new exploits. The new vulnerabilities have been assigned the identifiers CVE-2025-53770 (9.8 on the CVSS scale; patch bypass for CVE-2025-49704) and CVE-2025-53771 (6.3 on the CVSS scale; patch bypass for CVE-2025-49706) and are already actively being used to attack on-premises SharePoint servers.
“Microsoft is aware of active attacks targeting on-premises users of SharePoint Server and the exploitation of vulnerabilities partially addressed in the July security updates,” as stated in the Microsoft blog. “These vulnerabilities only affect on-premises SharePoint servers. SharePoint Online in Microsoft 365 is not affected.”
Microsoft has now released update KB5002768 for Microsoft SharePoint Subscription Edition, addressing newly discovered vulnerabilities. However, the company is still working on updates for Microsoft SharePoint 2019 and 2016.
Microsoft advises SharePoint server administrators, who currently have not installed patches or are unable to apply them immediately, to install the latest SharePoint patches, enable AMSI integration in SharePoint, and deploy Defender on all servers. The company claims that enabling these security solutions will prevent the exploitation of vulnerabilities for unauthenticated attacks.
Furthermore, the company recommends replacing SharePoint Server ASP.NET keys after applying updates or enabling AMSI, as this will prevent attackers from executing commands even if a breach has already occurred.
You can check the SharePoint server for compromise using the file C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx. Its presence is an indicator of a breach.
Attacks on 0-day vulnerabilities in Microsoft SharePoint were first identified by the Dutch company Eye Security. Researchers noticed the initial attacks on July 18, 2025, when one of the company’s clients’ EDR reported the launch of a suspicious process related to an uploaded malicious .aspx file. IIS logs showed a POST request was made to _layouts/15/ToolPane.aspx with an HTTP referrer of /_layouts/SignOut.aspx.
During the incident investigation, it was found that the attackers used the ToolShell attack demonstrated at Pwn2Own shortly after CODE WHITE GmbH reproduced the exploit, and cybersecurity specialist Soroush Dalili shared technical details.
In the process of exploiting the vulnerabilities, attackers upload a file named spinstall0.aspx, which is used to steal the MachineKey configuration of the SharePoint server, including the ValidationKey and DecryptionKey.
“By using the ToolShell chain (CVE-2025-49706 + CVE-2025-49704), attackers can extract the ValidationKey directly from memory or configuration,” explain Eye Security experts. “Once this cryptographic material is leaked, an attacker can create fully valid, signed __VIEWSTATE payloads using a tool called ysoserial. With ysoserial, an attacker can generate their own valid SharePoint tokens for RCE.”
Â
ViewState is used by ASP.NET (which SharePoint is built upon) to maintain the state of web controls between requests. However, if the ViewState protection is improperly configured or the server’s ValidationKey is compromised, attackers can forge the contents of the ViewState and inject malicious code that will execute on the server during deserialization.
Experts from Eye Security informed the publication Bleeping Computer that they scanned the internet for hacked servers and discovered at least 54 organizations that have already been affected by the attacks.
“Although more than 85 compromised SharePoint servers have been identified worldwide, we were able to cluster them together and determine which specific organizations were affected,” the researchers say.
According to Eye Security, among the 54 targeted organizations are: a private university in the state of California, a commercial energy company in the state of California, a government healthcare organization, a commercial AI technology development company, a commercial fintech company in the state of New York, and a government organization in the state of Florida.
Specialists from Google Threat Intelligence Group (TAG) also warn about the exploitation of the vulnerabilities:
“The Google Threat Intelligence Group has discovered that attackers are exploiting vulnerabilities to install web shells and steal cryptographic secrets from victims’ servers. This provides persistent unauthorized access and poses a significant risk to the affected organizations,” reported TAG specialists.
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.03.26 — Cloudflare to block all unencrypted traffic to its APIs
According to Cloudflare, effective immediately, only secure HTTPS connections to api.cloudflare.com will be accepted; while all HTTP ports are to be closed. The purpose of this decision…
Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud
ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →
2025.02.05 — Google patches Android zero-day vulnerability exploited by hackers
Google released the February set of patches for Android. In total, they fix 48 bugs, including a kernel zero-day vulnerability actively exploited by hackers. The zero-day's…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet
All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…
Full article →