Critical SharePoint Zero-Day Under Active Attack: CVE-2025-53770 Threatens Organizations Worldwide

Microsoft SharePoint servers are under siege from a critical zero-day vulnerability that has already compromised over 85 servers across 29 organizations globally. The flaw, designated CVE-2025-53770 with a devastating CVSS score of 9.8, represents one of the most dangerous SharePoint vulnerabilities discovered in recent years.

 The Vulnerability Explained

CVE-2025-53770 is a remote code execution vulnerability affecting on-premises Microsoft SharePoint installations. This zero-day exploit stems from SharePoint’s improper handling of untrusted data deserialization, allowing attackers to execute malicious code without authentication. The vulnerability is a variant of the recently patched CVE-2025-49706, which was addressed in Microsoft’s July 2025 Patch Tuesday updates.

What makes this vulnerability particularly dangerous is its exploitation method known as “ToolShell.” This sophisticated attack chain combines CVE-2025-53770 with another vulnerability (CVE-2025-49704) to achieve complete system compromise. The attack requires no user interaction and can be executed remotely over the network, making it an attacker’s dream and a defender’s nightmare.

Severity and Impact Assessment

The severity of CVE-2025-53770 cannot be overstated. With a CVSS score of 9.8, this vulnerability poses an immediate and critical threat to organizations running on-premises SharePoint environments. Microsoft’s official guidance confirms that this vulnerability has been actively exploited and represents a significant risk to organizational security.

Current impact statistics reveal the scope of this threat based on confirmed security research:

• Over 85 SharePoint servers confirmed compromised worldwide
• 29 organizations affected, including multinational corporations and government entities
• Active exploitation detected since July 18, 2025
• CVE-2025-53771 security update available for SharePoint Subscription Edition

The vulnerability affects all on-premises SharePoint installations, including SharePoint Server 2019, SharePoint Enterprise Server 2016, and SharePoint Server Subscription Edition. Microsoft has confirmed that organizations using SharePoint Online as part of Microsoft 365 are not affected by this particular vulnerability.

Microsoft’s guidance emphasizes that this vulnerability enables deserialization of untrusted data, allowing unauthorized attackers to execute code over a network without authentication. The company has prioritized the development of security updates, with CVE-2025-53771 already available for SharePoint Subscription Edition customers and additional protections being developed for other supported versions.

How the Exploit Works

The ToolShell attack chain demonstrates sophisticated threat actor capabilities. Attackers begin by sending specially crafted POST requests to the vulnerable ToolPane endpoint at /_layouts/15/ToolPane.aspx. By manipulating the HTTP Referer header to include /_layouts/SignOut.aspx, attackers can bypass authentication mechanisms and gain unauthorized access.

Once initial access is achieved, attackers deploy a malicious ASPX payload named “spinstall0.aspx” to the SharePoint server. This payload serves a specific and dangerous purpose: extracting the server’s MachineKey configuration, including critical ValidationKey and DecryptionKey components. These cryptographic keys are essential for generating valid ViewState payloads in ASP.NET applications.

With access to these keys, attackers can craft malicious ViewState tokens using tools like ysoserial, effectively turning any authenticated SharePoint request into a remote code execution opportunity. This technique provides persistent access and allows for continued compromise even after the initial vulnerability might be patched.

(Demonstration of the created Microsoft SharePoint ToolShell exploit – Source: CODE WHITE GmbH)

 Threat Actor Attribution and Motives

While specific threat actor attribution remains under investigation, the sophisticated nature of the exploit suggests involvement by advanced persistent threat groups or skilled cybercriminals.The attack leverages a proof-of-concept demonstrated at Pwn2Own Berlin 2025 by Viettel Cyber Security researchers, which was later replicated and shared by CODE WHITE GmbH.

The timing of the attacks, beginning shortly after technical details were publicly shared, indicates opportunistic threat actors quickly weaponized available research. The scale and coordination of the campaign suggest organized groups with significant resources and capabilities.

Observed attack infrastructure includes several suspicious IP addresses:

• 107.191.58.76 (first observed July 18, 2025)
• 104.238.159.149 (observed July 19, 2025)
• 96.9.125.147 (confirmed by Palo Alto Networks)

 Organizations at Risk

CVE-2025-53770 poses an immediate and critical threat to any organization operating on-premises SharePoint environments. The vulnerability’s high CVSS score and active exploitation make it essential for organizations to understand their risk profile and take immediate protective action.

• Government agencies and public sector organizations using SharePoint for document management and collaboration face heightened risk due to extensive SharePoint deployments containing sensitive information, making them attractive targets for espionage and data theft
• Large enterprises and multinational corporations that rely heavily on SharePoint for internal collaboration, customer relationship management, and business process automation risk intellectual property theft, financial fraud, and significant operational disruption
• Financial institutions, healthcare organizations, and critical infrastructure operators face particular danger due to the sensitive nature of data typically stored in SharePoint environments and potential regulatory violations from data breaches
• Educational institutions and research organizations using SharePoint for academic collaboration and research data management should consider themselves high-priority targets, given the value of research data to foreign intelligence services and commercial competitors
• Manufacturing and technology companies with SharePoint-integrated supply chain and product development systems face risks of industrial espionage and competitive intelligence gathering

Organizations in these sectors must prioritize immediate protective measures and consider their SharePoint environments as critical assets requiring enhanced security monitoring and rapid response capabilities.

 Microsoft’s Emergency Guidance and Mitigations

Microsoft has released comprehensive guidance for organizations to protect against CVE-2025-53770 exploitation while developing additional security updates. The company’s recommendations provide both immediate protection measures and long-term security improvements for different SharePoint versions.

• Apply CVE-2025-53771 security update immediately for SharePoint Subscription Edition customers, as this update provides direct mitigation for the CVE-2025-53770 vulnerability
• Upgrade to supported versions of on-premises SharePoint Server, including SharePoint Server 2016, 2019, and SharePoint Subscription Edition for optimal protection
• Apply the latest security updates including the July 2025 Security Update to ensure all known vulnerabilities are addressed
• Configure AMSI integration properly with appropriate antivirus solutions such as Microsoft Defender Antivirus to detect and block malicious payloads in real-time
• Rotate SharePoint Server ASP.NET machine keys as a mandatory precautionary measure to invalidate any potentially compromised cryptographic material
• Monitor for spinstall0.aspx files in SharePoint layouts directories using Microsoft’s provided detection queries and file system monitoring

Microsoft emphasizes that organizations running SharePoint Online in Microsoft 365 are not affected by this vulnerability, which impacts only on-premises installations requiring immediate attention and protective measures.

(Malicious spinstall0.aspx used to steal ValidationKey – Source: BleepingComputer)

 Detection and Monitoring Strategies

Effective detection of CVE-2025-53770 exploitation requires comprehensive monitoring of SharePoint server activity and network traffic. Microsoft has provided detailed guidance and specific hunting queries to help organizations identify both active exploitation attempts and signs of successful compromise.

• Monitor for spinstall0.aspx file creation in SharePoint template layouts directories, as this indicates successful post-exploitation activity and immediate incident response activation
• Configure network monitoring for suspicious POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with unusual referer headers or from external IP addresses
• Track process creation events where w3wp.exe spawns encoded PowerShell commands involving spinstall0 files or unusual SharePoint worker process activities
• Analyze IIS logs systematically for SharePoint servers, examining POST requests with unusual patterns, suspicious source addresses, or exploitation indicators
• Deploy real-time file system monitoring for SharePoint application directories, particularly focusing on the LAYOUTS template directories for unauthorized file creation
• Utilize Microsoft’s hunting queries to identify device vulnerabilities and track exploitation attempts across enterprise environments with detailed forensic capabilities

Organzations should implement these detection mechanisms as part of a layered security approach, ensuring multiple monitoring systems can identify exploitation attempts at different stages of the attack chain.

 Immediate Response and Remediation

Organizations discovering signs of CVE-2025-53770 exploitation must act immediately to contain the threat and prevent further damage. Microsoft’s updated guidance provides specific remediation steps that address both immediate containment and long-term security restoration.

• Apply CVE-2025-53771 security update immediately for SharePoint Subscription Edition customers, as this update directly mitigates the CVE-2025-53770 vulnerability and provides the most effective protection
• Isolate affected SharePoint servers immediately to prevent continued exploitation and limit potential lateral movement while preserving forensic evidence for analysis
• Rotate all SharePoint Server ASP.NET machine keys as a mandatory requirement, including ValidationKey, DecryptionKey, SSL certificates, and shared secrets used for inter-system communication
• Conduct comprehensive forensic analysis using Microsoft’s provided hunting queries to identify all instances of spinstall0.aspx payloads and associated PowerShell execution activities
• Examine SharePoint logs, file access records, and network traffic to understand the full scope of attacker activities and potential data exposure or exfiltration
• Implement network segmentation to prevent attackers from accessing other systems through compromised SharePoint servers and contain the incident
• Consider complete system rebuilds for severely compromised environments, rebuilding SharePoint servers from clean backups with Microsoft’s recommended security controls implemented
• Apply all security updates and AMSI configuration before bringing rebuilt systems back online to prevent re-compromise

Organizations must treat machine key rotation as critical since attackers specifically target these cryptographic keys to maintain persistent access even after patching, making credential rotation essential for complete remediation.

 Long-term Security Enhancements

Beyond immediate response to CVE-2025-53770, organizations should implement comprehensive security enhancements to protect against future SharePoint vulnerabilities and similar attacks. These improvements should address both technical controls and operational procedures to create a robust security posture.

• Strengthen network segmentation and access controls by implementing strict firewall rules, limiting administrative access, and deploying web application firewalls to filter malicious requests before reaching SharePoint servers
• Enhance vulnerability management processes with automated vulnerability scanning, clear patch management procedures, and regular security assessments of SharePoint environments to ensure rapid identification and remediation
• Expand security monitoring capabilities by implementing Security Information and Event Management (SIEM) solutions, deploying endpoint detection and response (EDR) tools, and establishing automated threat hunting capabilities
• Implement regular SharePoint security assessments including penetration testing, configuration reviews, and vulnerability assessments to identify potential security gaps before attackers can exploit them
• Establish comprehensive backup and recovery procedures with regular testing of backup integrity and restoration processes to ensure rapid recovery from potential future compromises
• Deploy advanced threat protection solutions including Microsoft Defender for Endpoint, advanced email security, and integrated threat intelligence to provide layered defense against sophisticated attacks
• Develop incident response playbooks specifically for SharePoint environments, including predefined response procedures, stakeholder communication plans, and recovery timelines
• Implement continuous security training programs for administrators and users to recognize potential threats and follow proper security procedures when working with SharePoint systems

Organizations must view SharePoint security as an ongoing commitment rather than a one-time implementation, requiring continuous monitoring, regular updates, and proactive security measures to defend against evolving threats.

 How CinchOps Can Help

CinchOps understands the critical nature of the CVE-2025-53770 threat and the urgent need for comprehensive protection strategies. Our managed cybersecurity services provide the expertise and resources necessary to defend against this vulnerability and similar threats targeting your organization’s infrastructure.

Our immediate response capabilities include rapid vulnerability assessment and exploitation testing to determine your organization’s exposure to CVE-2025-53770. We deploy advanced monitoring solutions to detect indicators of compromise and implement emergency mitigation measures to protect vulnerable SharePoint environments. For SharePoint Subscription Edition customers, CinchOps provides immediate assistance with applying the CVE-2025-53771 security update and validating proper implementation. Our security experts provide 24/7 monitoring and incident response services to ensure immediate threat detection and containment.

Comprehensive Cybersecurity Services:

• Managed IT Support and Infrastructure Management – Complete IT support services, network management, server administration, and technology infrastructure optimization
• Cybersecurity Consulting and Risk Assessment – Security audits, vulnerability assessments, risk analysis, and cybersecurity strategy development
• 24/7 Security Operations Center (SOC) Services – Continuous monitoring, threat detection, incident response, and security event management
• Endpoint Detection and Response (EDR) – Advanced endpoint protection, malware detection, and automated threat response capabilities
• Network Security and Firewall Management – Firewall configuration, intrusion detection systems, network segmentation, and perimeter security
• Email Security and Anti-Phishing Solutions – Advanced email protection, spam filtering, phishing prevention, and secure email gateway services
• Backup and Disaster Recovery Services – Data backup solutions, business continuity planning, disaster recovery testing, and rapid restoration capabilities
• Security Awareness Training – Employee cybersecurity education, phishing simulation, security best practices training, and ongoing awareness programs
• Cloud Security and Migration Services – Cloud security assessments, secure migration planning, cloud infrastructure protection, and hybrid environment management
• Penetration Testing and Vulnerability Management – Ethical hacking services, security testing, vulnerability scanning, and remediation guidance
• Digital Forensics and Incident Response – Forensic analysis, breach investigation, evidence collection, and incident containment services
• Identity and Access Management (IAM) – User authentication systems, privileged access management, single sign-on solutions, and access control implementation
• Security Information and Event Management (SIEM) – Log analysis, security event correlation, threat intelligence integration, and security monitoring platforms

CinchOps provides the strategic security partnership your organization needs to navigate complex threats like CVE-2025-53770. Our experienced team combines deep technical expertise with proven incident response capabilities to protect your critical business systems and sensitive data from evolving cyber threats.

 Discover More 

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Microsoft 365 Security: The Hidden Gap Between Perception and Reality
For Additional Information on this topic: Customer guidance for SharePoint vulnerability CVE-2025-53770

FREE CYBERSECURITY ASSESSMENT