Critical SharePoint Vulnerability Under Active Attack
Microsoft SharePoint Server users are facing an urgent cybersecurity threat as a new zero-day vulnerability, identified as CVE-2025-53770, is being actively exploited in the wild. This critical remote code execution (RCE) flaw allows unauthorized attackers to gain full control over on-premises SharePoint servers, posing a significant risk to organizations worldwide. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert, confirming active exploitation and adding CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog on July 20, 2025, urging immediate action. (Source: CISA)
Understanding the Vulnerability and Its Exploitation
CVE-2025-53770 is a variant of CVE-2025-49704, a remote code execution flaw Microsoft addressed in its July 8, 2025 Patch Tuesday updates; the new CVE effectively bypasses that fix. The flaw stems from SharePoint's deserialization of untrusted data and can be triggered by an unauthenticated attacker over the network with no user interaction, which is what makes it so dangerous: arbitrary code runs on the server before any credential check takes place. (Source: The Hacker News)
The exploitation activity, publicly referred to as "ToolShell," has been observed since at least July 18, 2025. Dutch security firm Eye Security reported finding a file named spinstall0.aspx on compromised systems. Rather than acting as a conventional interactive web shell, its purpose is to read the server's ASP.NET MachineKey configuration and return the ValidationKey and DecryptionKey to the attacker. With those keys, an attacker can produce __VIEWSTATE payloads that pass the server's integrity check, turning subsequent requests to the SharePoint server into remote code execution opportunities and providing a foothold for persistence and lateral movement within the network. (Source: Help Net Security)
As of July 20, 2025, Eye Security identified over 85 SharePoint servers belonging to 29 organizations, including multinational firms and government entities, compromised with this malicious web shell. The Dutch Institute for Vulnerability Disclosure has also identified additional victim organizations. (Source: The Hacker News)
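To make concrete why the stolen keys matter, here is an added illustration (not code from the original page, from Microsoft, or from the spinstall0.aspx file itself): a simplified model of how ASP.NET protects __VIEWSTATE with a MAC keyed by the validationKey. The real ASP.NET encoding and key derivation differ, and no deserialization payload is built; the point is that whoever holds the key can produce ViewState the server accepts, and that only rotating the key (the mitigation step listed below) invalidates what the attacker already holds. The farm key used here is generated at random for the example.

```python
"""Why a leaked MachineKey defeats patching alone: a simplified model of the
ASP.NET ViewState MAC. Added example for this page, not Microsoft's code.
ASP.NET's real __VIEWSTATE format and key derivation differ; only the idea that
the MAC is keyed by the validationKey is modelled, and no gadget is built."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(state: bytes, validation_key: bytes) -> str:
    """Server side when rendering a page: MAC the serialized state and base64 it."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def verify_viewstate(token: str, validation_key: bytes) -> Optional[bytes]:
    """Server side on postback: return the state only if the MAC verifies, else None.
    Only state that passes this gate would reach the deserializer."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(raw) <= MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return state


def demo() -> Tuple[bool, bool, bool]:
    """Returns (tampered_without_key_accepted,
                forged_with_stolen_key_accepted,
                forged_after_key_rotation_accepted)."""
    # Constructed farm key (assumption: in a real farm the validationKey lives in
    # web.config and is identical on every SharePoint server).
    farm_validation_key = secrets.token_bytes(64)

    # 1. Attacker without the key: flipping one bit of legitimate state fails the MAC.
    legit = sign_viewstate(b"serialized-page-state", farm_validation_key)
    raw = bytearray(base64.b64decode(legit))
    raw[0] ^= 0x01
    tampered_ok = verify_viewstate(base64.b64encode(bytes(raw)).decode(), farm_validation_key) is not None

    # 2. Attacker who read the MachineKey from the server: forged state passes the
    #    check. Patching the deserialization bug does not change this outcome,
    #    because the key the attacker holds is still the key the server trusts.
    stolen_key = farm_validation_key
    forged = sign_viewstate(b"attacker-controlled-state", stolen_key)
    forged_ok = verify_viewstate(forged, farm_validation_key) is not None

    # 3. After the keys are rotated on every server (and IIS restarted), the same
    #    forged token is rejected.
    rotated_key = secrets.token_bytes(64)
    forged_after_rotation_ok = verify_viewstate(forged, rotated_key) is not None
    return tampered_ok, forged_ok, forged_after_rotation_ok


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

The third result is the reason the key-rotation step cannot be skipped: applying the update closes the entry point, but a key copied off the box before the update was installed keeps working until it is replaced on every server in the farm.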
Affected Versions and Patch Status
The vulnerabilities affect on-premises versions of Microsoft SharePoint Server, specifically SharePoint Server Subscription Edition, SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016. It is crucial to note that SharePoint Online in Microsoft 365 is not impacted by these vulnerabilities. (Source: Microsoft Security Response Center)
Microsoft has released security updates for SharePoint Subscription Edition (KB5002768) and SharePoint Server 2019 (KB5002754) that fully address CVE-2025-53770 and a related, newly disclosed spoofing flaw, CVE-2025-53771 (itself a variant of the earlier CVE-2025-49706). However, as of July 20, 2025, no security update was yet available for SharePoint Server 2016; those servers must rely on the mitigations below until one ships. (Source: Microsoft Security Response Center), (Source: Microsoft Download Center)
Immediate Mitigations and Recommendations
Given the active exploitation, Microsoft and CISA strongly recommend the following actions for all organizations running on-premises SharePoint servers:
- Apply Security Updates: Immediately apply the latest security updates for SharePoint Subscription Edition and SharePoint 2019.
- Configure AMSI and Deploy Defender AV: Ensure Antimalware Scan Interface (AMSI) integration is turned on and correctly configured in SharePoint, and deploy Microsoft Defender Antivirus on all SharePoint servers. AMSI integration is enabled by default in September 2023 security updates for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
- Disconnect from Internet (if AMSI not possible): If AMSI cannot be enabled, disconnect affected public-facing SharePoint products from the internet until official mitigations are available.
- Deploy Microsoft Defender for Endpoint: Implement Microsoft Defender for Endpoint or equivalent threat solutions to detect and block post-exploit activity.
- Rotate SharePoint Server ASP.NET Machine Keys: After applying the security update (or enabling AMSI where no update is yet available), rotate the ASP.NET machine keys on every SharePoint server, then restart IIS (iisreset.exe) on all of them. Microsoft's guidance points to the Update-SPMachineKey PowerShell cmdlet or the Machine Key Rotation timer job in Central Administration for this. The step is essential because a server compromised before patching may already have had its keys stolen, and those keys remain valid, letting the attacker keep forging requests until they are replaced.
- Monitor for Indicators of Compromise (IoCs): Review IIS logs for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, and check the server for the presence of spinstall0.aspx. Search for connections from the IPs 107.191.58[.]76, 104.238.159[.]149 and 96.9.125[.]147, especially in the window of July 18-19, 2025.
- Enhance Network Defenses: Update intrusion prevention system (IPS) and web application firewall (WAF) rules to block exploit patterns and anomalous behavior.
- Implement Comprehensive Logging: Ensure comprehensive logging is in place to identify exploitation activity.
- Audit Privileges: Audit and minimize layout and administrative privileges.
- Report Incidents: Organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
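The IoC monitoring step above translates directly into a log search. The following is an added example for this page (not a Microsoft or CISA tool) that parses IIS W3C extended log lines from a SharePoint server and flags the three indicators named in the advisory: POST requests to ToolPane.aspx with DisplayMode=Edit, requests for spinstall0.aspx, and traffic from the three listed IP addresses, optionally restricted to the July 18-19 window. The field layout follows the default IIS W3C header; the log excerpt at the bottom is constructed for the example and is not real traffic.

```python
"""Scan IIS W3C logs from an on-premises SharePoint server for the ToolShell
indicators listed in this advisory. Added example for this page; not a Microsoft
or CISA tool. The log excerpt at the bottom is constructed for the example."""
import re
from typing import Dict, List, Optional

# Indicators taken from the advisory: the exploited endpoint and query string,
# the dropped file name, and the three IP addresses.
TOOLPANE_RE = re.compile(r"^/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)
DISPLAYMODE_EDIT_RE = re.compile(r"(?:^|&)DisplayMode=Edit(?:&|$)", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}


def parse_w3c(lines: List[str]) -> List[Dict[str, str]]:
    """Turn IIS W3C extended log lines into dicts keyed by the #Fields header names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()  # header repeats when IIS rolls the log
            continue
        if not fields:
            raise ValueError("data line before any #Fields header")
        values = line.split()  # IIS encodes spaces inside a field as '+', so splitting on whitespace is safe
        if len(values) != len(fields):
            continue  # truncated line: skip it rather than abort the scan
        records.append(dict(zip(fields, values)))
    return records


def scan(lines: List[str], start: Optional[str] = None, end: Optional[str] = None) -> List[Dict[str, object]]:
    """Return one finding per suspicious request, with the reasons it matched.
    start/end are inclusive ISO dates (YYYY-MM-DD), e.g. the July 18-19, 2025 window."""
    findings: List[Dict[str, object]] = []
    for rec in parse_w3c(lines):
        day = rec["date"]  # ISO date strings compare correctly as strings
        if (start and day < start) or (end and day > end):
            continue
        reasons: List[str] = []
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if method == "POST" and TOOLPANE_RE.match(stem) and DISPLAYMODE_EDIT_RE.search(query):
            reasons.append("toolpane_post_displaymode_edit")
            # cs-username is "-" for unauthenticated requests under Windows auth; with claims
            # auth it can be "-" for legitimate users too, so treat this as a secondary signal.
            if rec.get("cs-username", "-") == "-":
                reasons.append("unauthenticated")
        if WEBSHELL_RE.search(stem):
            reasons.append("spinstall0_webshell_request")
        if rec.get("c-ip") in KNOWN_BAD_IPS:
            reasons.append("known_bad_ip")
        if reasons:
            findings.append({"date": rec["date"], "time": rec["time"], "c-ip": rec["c-ip"],
                             "uri": stem, "query": query, "reasons": reasons})
    return findings


# Constructed IIS log excerpt (not real traffic): a benign page view; the exploit POST and
# web-shell fetch from a listed IP; an unauthenticated POST from an unlisted IP; a legitimate
# page edit by an authenticated user (GET, not flagged); an authenticated POST after the window.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 13:02:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\jdoe 10.0.4.22 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-07-18 13:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 950
2025-07-18 13:05:41 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 30
2025-07-19 02:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 python-requests/2.32 - 200 0 0 870
2025-07-19 09:00:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\admin 10.0.4.40 Mozilla/5.0 - 200 0 0 200
2025-07-20 08:30:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\designer 10.0.4.41 Mozilla/5.0 - 200 0 0 300
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines(), start="2025-07-18", end="2025-07-19"):
        print(f"{f['date']} {f['time']} {f['c-ip']} {f['uri']} -> {', '.join(f['reasons'])}")
```

Run it against the real files under the W3C log directory of each SharePoint web application (by default beneath %SystemDrive%\inetpub\logs\LogFiles), one file at a time. A POST to ToolPane.aspx from an unauthenticated source or from one of the listed IPs, followed by a request for spinstall0.aspx, is the sequence described in this advisory and should be treated as a confirmed compromise, which means key rotation and incident reporting, not just patching.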
CISA has directed all U.S. federal civilian executive branch (FCEB) agencies to identify potentially affected systems and apply mitigations by July 21, 2025, underscoring the severity and urgency of this threat. (Source: CISA)
Organizations are strongly advised to review all relevant Microsoft articles and security updates published on July 8, 2025, and subsequent guidance to ensure their SharePoint environments are adequately protected.