Zero-Day Exploit in Microsoft SharePoint: 85+ Servers Compromised in Global Cyberattack

A New SharePoint Crisis Emerges

A serious cyber threat is unfolding, targeting one of the most widely used enterprise platforms in the world: Microsoft SharePoint. A previously unknown zero-day vulnerability, tracked as CVE-2025-53770, is being actively exploited by attackers to hijack on-premises SharePoint servers. With over 85 servers already compromised and no patch currently available, organizations across the globe — including governments and multinational corporations — are facing a potentially devastating breach. This exploit allows remote code execution (RCE), putting sensitive data, system configurations, and critical business operations at severe risk.

Microsoft has issued an urgent advisory, recommending temporary mitigations like enabling AMSI (Antimalware Scan Interface) and deploying Defender AV, while working on a fix. This incident builds upon previously discovered flaws (CVE-2025-49706 and CVE-2025-49704), originally demonstrated in a high-profile ToolShell exploit at Pwn2Own Berlin. Now, attackers have weaponized a variant of those flaws to infiltrate unpatched SharePoint environments.

Cybersecurity firms like Eye Security and CODE WHITE GmbH have been tracking the campaign since mid-July. They’ve already identified 29 affected organizations and released detailed indicators of compromise (IOCs). What makes this attack particularly dangerous is the use of stolen cryptographic keys to create forged ViewState tokens, granting attackers unrestricted access and persistence on victim servers.

SharePoint Zero-Day Exploit Uncovered

A Vulnerability Born from Pwn2Own

The origin of this cyber campaign traces back to the Pwn2Own Berlin event, where security researchers from Viettel Cyber Security demonstrated a chained SharePoint attack using CVE-2025-49706 and CVE-2025-49704. Microsoft patched these vulnerabilities in July, but a new variant — CVE-2025-53770 — has emerged, and it is now being actively exploited in the wild.

Active Exploitation Begins

The first signs of trouble surfaced on July 18, when Dutch cybersecurity firm Eye Security received alerts from a client’s EDR (Endpoint Detection and Response) system. It detected malicious behavior linked to an uploaded .aspx file. This triggered a broader investigation, which revealed that attackers were exploiting SharePoint servers using POST requests directed at ToolPane.aspx, mimicking legitimate user behavior but with a malicious payload.

ToolShell Returns with a Vengeance

The attackers utilized the same unauthenticated RCE chain seen in ToolShell, but with an added twist. They uploaded a file called spinstall0.aspx, which was used to extract sensitive cryptographic materials, specifically the ValidationKey and DecryptionKey of the server. With these in hand, they could forge ViewState tokens using the popular ysoserial tool, effectively allowing them to run arbitrary commands as if they were trusted users.

Cryptographic Chaos

The vulnerability targets a fundamental feature of ASP.NET — ViewState. While designed to maintain session state across web interactions, if improperly secured, it becomes a vector for serialized payload injection. With control over the server’s cryptographic keys, attackers can generate legitimate-looking ViewState payloads that pass verification, enabling full server control without triggering alarms.

85+ Servers Breached, 29 Victim Organizations Identified

So far, over 85 compromised SharePoint servers have been discovered. However, further clustering of data by Eye Security suggests that 29 organizations have been hit, some of which are government agencies and large multinational corporations. This raises concerns over the scale and severity of the campaign.

Microsoft Responds, But Patch Still Pending

Microsoft has confirmed that the flaw does not impact Microsoft 365 and is currently only affecting on-premises SharePoint servers. To mitigate the risk, it advises enabling AMSI, which has been on by default since the September 2023 updates. However, for systems where AMSI cannot be activated, Microsoft strongly urges disconnecting servers from the internet until a security update is released.

Detecting the Breach

Administrators are advised to check for the presence of the suspicious file spinstall0.aspx and review IIS logs for POST requests to ToolPane.aspx with the referer SignOut.aspx. Microsoft also shared a Defender query to search for these traces within endpoint telemetry.

Indicators of Compromise (IOCs)

Multiple IP addresses have been linked to the attacks:

107.191.58[.]76 (July 18)
104.238.159[.]149 (July 19)
96.9.125[.]147 (Palo Alto Networks)

These addresses have been seen attempting exploitation across different organizations. Presence of these or the spinstall0.aspx file is a strong indication of compromise.
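Detection logic for the traces described above, covering both the IIS log review (POST requests to ToolPane.aspx with a SignOut.aspx referer, requests for spinstall0.aspx) and the listed source IPs; this is an added Python example, not the article's content or Microsoft's Defender query, and the IIS log excerpt it parses is constructed, with hypothetical host, client and path values.

```python
import ipaddress
# Source IPs named in the report, with the de-fanged "[.]" restored so they compare as addresses.
IOC_IPS = {ipaddress.ip_address(s.replace("[.]", "."))
           for s in ("107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147")}

# Constructed IIS W3C log excerpt (hypothetical host, client and paths), not a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 13:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.0.20 Mozilla/5.0 - 200 0 0 31
2025-07-18 13:02:45 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 120
2025-07-18 13:02:50 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 15
"""

def parse_w3c(lines):
    """Yield one dict per request, mapping columns by the file's own #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):   # skip truncated lines rather than mis-align columns
            yield dict(zip(fields, values))

def flag_request(rec):
    """Return the reasons (empty list if none) a request record matches the reported tradecraft."""
    reasons = []
    stem = rec.get("cs-uri-stem", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    if rec.get("cs-method") == "POST" and stem.endswith("/toolpane.aspx") and "signout.aspx" in referer:
        reasons.append("POST to ToolPane.aspx with SignOut.aspx referer")
    if stem.endswith("/spinstall0.aspx"):
        reasons.append("request for spinstall0.aspx")
    try:
        if ipaddress.ip_address(rec.get("c-ip", "")) in IOC_IPS:
            reasons.append("source IP in published IOC list")
    except ValueError:
        pass                             # c-ip missing or not a valid address
    return reasons

def scan_log(lines):
    # (record, reasons) for every flagged request; unflagged requests are dropped
    return [(rec, r) for rec in parse_w3c(lines) if (r := flag_request(rec))]

if __name__ == "__main__":
    for rec, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"], "->", "; ".join(reasons))
```

Point `scan_log` at the lines of a real `u_ex*.log` file from the SharePoint front-end's IIS log directory; a hit on the ToolPane/SignOut rule or the web shell name warrants the isolation and IOC audit the article recommends.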

What Undercode Says:

A Silent Takeover of Critical Infrastructure

This SharePoint zero-day attack underscores how a single flaw in widely adopted enterprise software can ripple across the globe in days. What makes CVE-2025-53770 particularly insidious is not just the RCE capability, but how it allows attackers to seize full cryptographic control of the server — essentially rewriting the rules of authentication from within. This level of privilege escalation is rare and extremely dangerous, especially when no user interaction is needed.

The Race Against Patches

In the cybersecurity world, timing is everything. Once vulnerabilities are disclosed publicly or demonstrated at conferences like Pwn2Own, malicious actors race to exploit them before patches are rolled out. This case highlights the urgency of implementing mitigations immediately after a vulnerability disclosure, even if the exploit hasn’t been weaponized — because it will be.

AMSI Isn’t Enough Alone

While AMSI offers a critical layer of real-time protection, it is not a bulletproof shield. Advanced threat actors often design payloads that bypass detection by obfuscating code or using fileless techniques. Moreover, organizations relying on older configurations or custom SharePoint deployments may not benefit fully from AMSI unless explicitly configured.

ViewState Attacks are Back

Exploitation of ViewState isn’t new, but it’s rare to see it used with such precision and impact in modern attacks. The attackers’ use of ysoserial to forge signed tokens demonstrates a shift back toward exploiting trusted .NET internals, an area many security teams overlook in favor of newer technologies.

Global Target, Local Impact

The range of organizations affected — from small enterprises to national governments — speaks volumes about how widespread SharePoint still is in internal IT infrastructures. And while Microsoft 365 users are safe for now, on-premises deployments are still heavily relied upon in sectors like finance, law, defense, and energy.

Firewall and Signature Limitations

Though some firewall vendors have succeeded in blocking HTTP POST payloads related to CVE-2025-49704, experts warn that the evolving nature of these exploits means that signature-based detection will eventually fail. The attackers have already demonstrated the ability to bypass conventional security tools, suggesting that deeper behavioral monitoring is required.

Why Detection Is Difficult

Because the attack mimics legitimate SharePoint behavior and exploits existing trust mechanisms (like cryptographic keys and token generation), it often evades traditional detection. This makes it a perfect example of a “living-off-the-land” attack, where the attacker leverages native features of the platform to stay hidden.

Enterprise Takeaways

CISOs must act swiftly — isolate vulnerable systems, audit for IOCs, deploy mitigations, and monitor unusual behavior closely. This exploit chain is a reminder that internal systems can be the Achilles’ heel of an organization, especially if they’re not regularly updated or protected by modern EDR/XDR tools.

🔍 Fact Checker Results:

✅ CVE-2025-53770 is a verified zero-day with active exploitation confirmed by Microsoft
✅ 85+ SharePoint servers have been compromised, including 29 major organizations
❌ No patch is available yet; only mitigations are currently advised

📊 Prediction:

🧠 If a patch is not released in the next two weeks, we expect the number of compromised servers to double, especially in industries with legacy SharePoint deployments.
🌐 Given the widespread use of ViewState in ASP.NET environments, similar exploitation techniques could soon be adapted to other .NET-based enterprise platforms.
🛡️ Security vendors will likely release emergency updates to their detection engines, but attackers may already be pivoting to exploit other internal services tied to SharePoint.

References:

Reported By: www.bleepingcomputer.com