Microsoft Releases Emergency Patch: 0-Day Vulnerabilities in SharePoint Exploited in RCE Attacks

📟 News

Date: 22/07/2025

Critical zero-day vulnerabilities in Microsoft SharePoint (CVE-2025-53770 and CVE-2025-53771) have been actively exploited since the end of last week, compromising at least 85 servers worldwide.

In May 2025, researchers from Viettel Cyber Security combined two Microsoft SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, into an RCE attack called ToolShell, which they demonstrated at the Pwn2Own Berlin competition.

Although Microsoft patched both ToolShell vulnerabilities in July, attackers bypassed the fixes with new exploits. The new vulnerabilities have been assigned the identifiers CVE-2025-53770 (CVSS 9.8; a bypass of the patch for CVE-2025-49704) and CVE-2025-53771 (CVSS 6.3; a bypass of the patch for CVE-2025-49706), and both are already being actively used to attack on-premises SharePoint servers.

“Microsoft is aware of active attacks targeting on-premises users of SharePoint Server and the exploitation of vulnerabilities partially addressed in the July security updates,” the Microsoft blog states. “These vulnerabilities only affect on-premises SharePoint servers. SharePoint Online in Microsoft 365 is not affected.”

Microsoft has now released update KB5002768 for Microsoft SharePoint Subscription Edition, addressing the newly discovered vulnerabilities. The company is still working on updates for Microsoft SharePoint 2019 and 2016.

Microsoft advises administrators of SharePoint servers that are not yet patched, or that cannot be patched immediately, to install the latest SharePoint updates, enable AMSI integration in SharePoint, and deploy Defender on all servers. The company states that enabling these protections will prevent the vulnerabilities from being exploited in unauthenticated attacks.

Furthermore, the company recommends rotating (replacing) the SharePoint Server ASP.NET machine keys after applying the updates or enabling AMSI, as this will prevent attackers from executing commands even if a breach has already occurred.

You can check a SharePoint server for compromise by looking for the file C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx. Its presence is an indicator of a breach.

Attacks on the 0-day vulnerabilities in Microsoft SharePoint were first identified by the Dutch company Eye Security. Researchers noticed the initial attacks on July 18, 2025, when the EDR of one of the company’s clients reported the launch of a suspicious process related to an uploaded malicious .aspx file. IIS logs showed a POST request to _layouts/15/ToolPane.aspx with an HTTP referrer of /_layouts/SignOut.aspx.
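The two indicators the article gives (the ToolPane.aspx POST with a SignOut.aspx referrer in IIS logs, and the spinstall0.aspx file in the LAYOUTS folder) can be checked with a short script. The following is an added example, not code from the article, Microsoft or Eye Security: it parses IIS W3C logs using the `#Fields:` header, flags the request pattern, flags any request for spinstall0.aspx, and checks whether the file is on disk. The log lines are constructed sample data, and the long-name LAYOUTS path is assumed to be the default install location corresponding to the 8.3 path quoted above.

```python
"""Added example, not code from the article, Microsoft or Eye Security: scan IIS
W3C logs for the request pattern the article describes (a POST to
_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx), flag any
request for spinstall0.aspx, and check the LAYOUTS folder for that file."""
import os
from typing import Iterable, Iterator

# Long-name form of the 8.3 path quoted in the article (assumed default install location).
DEFAULT_LAYOUTS_DIR = (
    r"C:\Program Files\Common Files\Microsoft Shared"
    r"\Web Server Extensions\16\TEMPLATE\LAYOUTS"
)
INDICATOR_FILE = "spinstall0.aspx"

# Constructed sample IIS log (not real traffic). IIS '+'-encodes spaces inside fields.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0 https://sp.example.test/ 200 0 0 120
2025-07-18 10:03:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 345
2025-07-18 10:03:17 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 40
2025-07-18 10:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CORP\\bob 10.0.0.80 Mozilla/5.0 https://sp.example.test/_layouts/15/settings.aspx 200 0 0 210
"""


def parse_iis_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # drop the '#Fields:' token
            continue
        if line.startswith("#") or fields is None:
            continue                            # other directives, or no header yet
        values = line.split(" ")
        if len(values) != len(fields):
            continue                            # malformed or truncated line
        yield dict(zip(fields, values))


def find_toolshell_requests(records: Iterable[dict]) -> list:
    """Requests matching the ToolPane.aspx POST with a SignOut.aspx referrer."""
    hits = []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        referer = r.get("cs(Referer)", "").lower()
        if (r.get("cs-method", "").upper() == "POST"
                and stem.endswith("/_layouts/15/toolpane.aspx")
                and referer.endswith("/_layouts/signout.aspx")):
            hits.append(r)
    return hits


def find_indicator_requests(records: Iterable[dict]) -> list:
    """Any request whose path ends in the dropped file name, regardless of method."""
    return [r for r in records
            if r.get("cs-uri-stem", "").lower().endswith("/" + INDICATOR_FILE)]


def indicator_file_present(layouts_dir: str = DEFAULT_LAYOUTS_DIR) -> bool:
    """True if spinstall0.aspx exists in the given LAYOUTS directory."""
    return os.path.isfile(os.path.join(layouts_dir, INDICATOR_FILE))


if __name__ == "__main__":
    recs = list(parse_iis_w3c(SAMPLE_IIS_LOG.splitlines()))
    for r in find_toolshell_requests(recs):
        print("ToolShell pattern:", r["date"], r["time"], r["c-ip"], r["cs-uri-stem"])
    for r in find_indicator_requests(recs):
        print("Indicator file requested:", r["date"], r["time"], r["c-ip"])
    print("spinstall0.aspx on disk:", indicator_file_present())
```

On a real server, feed `parse_iis_w3c` the lines of the files under the IIS log directory and run both finders over the resulting records; the second, authenticated POST to ToolPane.aspx in the sample is deliberately not flagged, because its referrer is not SignOut.aspx.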

During the incident investigation, it was found that the attackers used the ToolShell attack demonstrated at Pwn2Own shortly after CODE WHITE GmbH reproduced the exploit, and cybersecurity specialist Soroush Dalili shared technical details.

In the process of exploiting the vulnerabilities, attackers upload a file named spinstall0.aspx, which is used to steal the MachineKey configuration of the SharePoint server, including the ValidationKey and DecryptionKey.

“By using the ToolShell chain (CVE-2025-49706 + CVE-2025-49704), attackers can extract the ValidationKey directly from memory or configuration,” explain Eye Security experts. “Once this cryptographic material is leaked, an attacker can create fully valid, signed __VIEWSTATE payloads using a tool called ysoserial. With ysoserial, an attacker can generate their own valid SharePoint tokens for RCE.”


ViewState is used by ASP.NET (which SharePoint is built upon) to maintain the state of web controls between requests. However, if the ViewState protection is improperly configured or the server’s ValidationKey is compromised, attackers can forge the contents of the ViewState and inject malicious code that will execute on the server during deserialization.
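Why the stolen ValidationKey matters, and why Microsoft's advice to rotate the machine keys closes the door even after a breach, is easiest to see with a small integrity-check model. The following is an added illustration, not code from the article or from ASP.NET (whose real ViewState format and key derivation differ): the server signs the state with an HMAC under its ValidationKey, verification succeeds only under that key, and once the key is rotated, anything signed under the old key is rejected. The key sizes and the state bytes are constructed for the example.

```python
"""Added illustration, not code from the article or from ASP.NET: a simplified model
of ViewState integrity protection. ASP.NET's real format and key derivation differ;
the point shown is that validity depends entirely on the server's ValidationKey,
so a leaked key must be rotated to stop previously signed payloads from validating."""
import base64
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def generate_validation_key() -> bytes:
    """Fresh random key; rotating means replacing the old key with one of these."""
    return secrets.token_bytes(64)


def sign_viewstate(state: bytes, validation_key: bytes) -> str:
    """Base64(state || HMAC-SHA256(key, state)), as the server would emit it."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def verify_viewstate(blob: str, validation_key: bytes):
    """Return the state bytes if the MAC checks out under this key, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) <= MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    # compare_digest avoids revealing where the MAC mismatches through timing
    if not hmac.compare_digest(mac, expected):
        return None
    return state


def rotation_invalidates_old_blobs(state: bytes = b"control-state") -> dict:
    """Walk through the defender-relevant cases and return the outcome of each."""
    old_key = generate_validation_key()
    blob = sign_viewstate(state, old_key)
    # 1. A legitimate blob verifies under the key it was signed with.
    accepted_before = verify_viewstate(blob, old_key) == state
    # 2. Flipping one byte of the state without the key breaks the MAC.
    raw = bytearray(base64.b64decode(blob))
    raw[0] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode("ascii")
    tampered_rejected = verify_viewstate(tampered, old_key) is None
    # 3. After rotating the key, the same blob no longer validates.
    new_key = generate_validation_key()
    rejected_after_rotation = verify_viewstate(blob, new_key) is None
    return {
        "accepted_before": accepted_before,
        "tampered_rejected": tampered_rejected,
        "rejected_after_rotation": rejected_after_rotation,
    }


if __name__ == "__main__":
    for case, ok in rotation_invalidates_old_blobs().items():
        print(f"{case}: {ok}")
```

The third case is the one that matters for incident response: patching alone leaves every blob signed under the leaked key valid, whereas rotating the key makes the server reject them, which is why the key rotation step belongs in the remediation and not only in hardening.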

Experts from Eye Security informed the publication Bleeping Computer that they scanned the internet for hacked servers and discovered at least 54 organizations that have already been affected by the attacks.

“Although more than 85 compromised SharePoint servers have been identified worldwide, we were able to cluster them together and determine which specific organizations were affected,” the researchers say.

According to Eye Security, among the 54 targeted organizations are: a private university in the state of California, a commercial energy company in the state of California, a government healthcare organization, a commercial AI technology development company, a commercial fintech company in the state of New York, and a government organization in the state of Florida.

Specialists from Google Threat Intelligence Group (TAG) also warn of exploitation of the vulnerabilities:

“The Google Threat Intelligence Group has discovered that attackers are exploiting vulnerabilities to install web shells and steal cryptographic secrets from victims’ servers. This provides persistent unauthorized access and poses a significant risk to the affected organizations,” reported TAG specialists.
