Critical Zero-day vulnerability in SharePoint Server allows attackers to control numerous systems

Lưu Tuấn Anh

Overview

On July 18, 2025, a zero-day vulnerability (CVE-2025-53770) was discovered in Microsoft SharePoint Server. It is considered an upgraded variant of CVE-2025-49704, a vulnerability patched earlier in July; that patch was not entirely effective, and hacker groups bypassed it and are actively exploiting the new flaw.

The attacks focus on on-premises SharePoint Server (2016, 2019, and Subscription Edition); cloud services such as SharePoint Online in Microsoft 365 are not affected.

According to Eye Security, at least 85 servers have been compromised, while other sources suggest that around 100 organizations worldwide have been affected, with potentially 8,000–10,000 servers vulnerable to attack. Victims include U.S. government agencies, states, universities, energy companies, financial institutions, and multinational corporations.

Why is the vulnerability dangerous?

  • Allows unauthenticated remote code execution, enabling hackers to "enter" the server without a password.

  • Hides itself well by abusing SharePoint's internal mechanisms so that the malicious requests look legitimate.

  • Difficult to remediate: once a server has been exploited, the attackers can use the stolen keys to keep attacking it even after the system has been patched.

Vulnerability Description

  • Vulnerability ID: CVE‑2025‑53770 (RCE)

  • CVSS Score: 9.8/10, indicating an extremely critical level

  • Affected Scope: This vulnerability affects multiple versions of SharePoint

    • SharePoint Server Subscription Edition (SP SE)

    • SharePoint Server 2019

    • SharePoint Server 2016

  • Attack Mechanism: Attackers can achieve remote code execution without authentication (pre-auth) because Microsoft SharePoint Server deserializes untrusted data.

  • Consequences: Successful exploitation of the vulnerability can allow attackers to gain full control of the SharePoint Server.

Vulnerability Details

As mentioned above, the root cause of CVE-2025-53770 is deserialization of untrusted data in Microsoft SharePoint Server. Hackers can exploit it to execute code remotely, without authentication, on affected SharePoint installations.

Researchers have also identified a second vulnerability, CVE‑2025‑53771, which the attackers use in the initial step to bypass authentication. The attacker sends POST requests to the ToolPane endpoint and, by exploiting this flaw, reaches resources outside the permitted scope.

Combined with the header Referer: /_layouts/SignOut.aspx, this lets the attacker bypass SharePoint's internal authentication checks. After the bypass, the attacker sends a malicious payload in the form of serialized ViewState in the HTTP body; when SharePoint deserializes it, the payload executes without any authentication.

The payload drops an ASPX web shell named "spinstall0.aspx" at ...\TEMPLATE\LAYOUTS\spinstall0.aspx, which steals the MachineKey configuration of the SharePoint server, including the ValidationKey and DecryptionKey.

Malicious spinstall0.aspx used to steal ValidationKey

The web shell uses the .NET API to read the cryptographic keys from web.config, which lets the attacker build new ViewState payloads that are correctly signed. With the MachineKey in hand, the attacker can forge valid ViewState and take full control of SharePoint.

Finally, the web shell maintains access and downloads additional tools for further stages of the campaign. While maintaining access, the attacker repeatedly used the IP addresses 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147. These are malicious C2 servers hosting:

  • The ASPX backdoor (spinstall0.aspx), downloaded from these servers

  • A Base64-encoded PowerShell payload

  • A shell controller or connection-maintenance tool (reverse shell)
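The request pattern described above (a POST to the ToolPane endpoint carrying a Referer of /_layouts/SignOut.aspx, followed by requests for the dropped web shell from the listed IP addresses) is something a defender can hunt for in IIS logs. The following is an added example, not code from the original post or from Microsoft; it assumes IIS W3C-format logs with the #Fields header shown in the constructed sample, and that the ToolPane endpoint is served under /_layouts/<version>/ToolPane.aspx (the post names only "ToolPane").

```python
"""Flag IIS log entries that match the ToolShell request chain described above.

Added example (not from the original post). Assumptions: IIS W3C logs with the
#Fields header used in SAMPLE_LOG, and that the ToolPane endpoint is served at
/_layouts/<version>/ToolPane.aspx.
"""
import re

# IP addresses the post reports as used during the intrusion (defanged there).
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

TOOLPANE_RE = re.compile(r"/_layouts/(\d+/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_REFERER_RE = re.compile(r"/_layouts/(\d+/)?signout\.aspx", re.IGNORECASE)
WEBSHELL_NAME = "spinstall0.aspx"

# Constructed sample log: the first row is benign, the other two are suspicious.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:07 10.0.0.5 GET /sites/hr/default.aspx - 10.0.0.77 Mozilla/5.0 - 200
2025-07-19 03:14:21 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.23 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:15:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 107.191.58.76 python-requests/2.32 - 200
"""


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        yield dict(zip(fields, parts))


def classify(entry):
    """Return the reasons an entry looks like ToolShell activity (empty list = clean)."""
    reasons = []
    method = entry.get("cs-method", "").upper()
    stem = entry.get("cs-uri-stem", "")
    referer = entry.get("cs(Referer)", "")
    client = entry.get("c-ip", "")
    if method == "POST" and TOOLPANE_RE.search(stem):
        reasons.append("POST to ToolPane endpoint")
        if SIGNOUT_REFERER_RE.search(referer):
            reasons.append("Referer spoofed to SignOut.aspx")
    if stem.lower().endswith("/" + WEBSHELL_NAME):
        reasons.append("request for spinstall0.aspx web shell")
    if client in KNOWN_BAD_IPS:
        reasons.append(f"client IP {client} is a published IOC")
    return reasons


def scan_log(text):
    """Return [(entry_number, client_ip, reasons)] for every suspicious entry."""
    hits = []
    for n, entry in enumerate(parse_w3c(text), start=1):
        reasons = classify(entry)
        if reasons:
            hits.append((n, entry.get("c-ip"), reasons))
    return hits


if __name__ == "__main__":
    for n, ip, reasons in scan_log(SAMPLE_LOG):
        print(f"entry {n} from {ip}: {'; '.join(reasons)}")
```

A POST to ToolPane alone is worth a look; a POST to ToolPane with a SignOut.aspx Referer, followed shortly by a request for spinstall0.aspx, is the full chain the post describes and should be treated as a likely compromise rather than a scan.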

Conclusion

The "ToolShell" incident around this vulnerability recalls the 2021 Exchange attacks (with an estimated 250,000 servers affected) and shows that weaknesses in SharePoint continue to make Microsoft products a major target for APT groups.

Even though Microsoft has released a patch, organizations still need to hunt for intrusions that are already established, by inspecting systems and isolating affected servers, rather than only applying the update. This is also a reminder for the IT community to track patch status, respond quickly, and strengthen proactive security controls.

Recommendations

  1. Apply Microsoft's patches

    • SharePoint Subscription Edition (KB5002768)

    • SharePoint 2019 (KB5002754 + KB5002753 language pack)

    • SharePoint 2016 (KB5002760 + KB5002759 language pack), currently in testing

=> Patch links

  2. If the patches cannot be applied yet

    • Temporarily disconnect SharePoint Server from the internet.

    • Enable the Antimalware Scan Interface (AMSI) feature, available from the September 2023 update onwards.

    • Install Microsoft Defender Antivirus and Defender for Endpoint to monitor post-exploitation behavior.

    • Enhance network and system log monitoring, especially for unusual activity from tools such as PowerShell.

IOC

  1. IP Addresses

    • 107.191.58[.]76

    • 104.238.159[.]149

    • 96.9.125[.]147

  2. Hash

    • 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
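A file-level sweep complements the log search: walk the LAYOUTS directory, flag anything named spinstall0.aspx, and compare the SHA256 of every .aspx file against the published hash. The following is an added example, not code from the original post; the LAYOUTS path in the post has its prefix elided, so the sweep takes the real directory as an argument, and the demo builds a constructed directory tree in a temporary folder (its "hash match" uses a hash computed from a constructed file, not the real web shell).

```python
"""Sweep a SharePoint LAYOUTS directory for the web-shell indicators listed above.

Added example (not from the original post). It matches on the SHA256 published
in the IOC list and on the dropped file name spinstall0.aspx.
"""
import hashlib
import os
import tempfile

# SHA256 published in the IOC list above.
IOC_SHA256 = {"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"}
IOC_FILENAMES = {"spinstall0.aspx"}


def sha256_of(path, chunk=1 << 20):
    """Hex SHA256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=IOC_SHA256, names=IOC_FILENAMES):
    """Return [(path, reason)] for files under root matching an IOC name or hash."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() in names:
                findings.append((path, "filename matches published web shell name"))
            # Only .aspx files are hashed: that is the file type the post reports being dropped.
            if name.lower().endswith(".aspx"):
                digest = sha256_of(path)
                if digest in hashes:
                    findings.append((path, f"sha256 {digest} matches published IOC"))
    return sorted(findings)


def demo():
    """Build a constructed LAYOUTS tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        layouts = os.path.join(tmp, "TEMPLATE", "LAYOUTS")
        os.makedirs(layouts)
        # Constructed files: a benign page, a file carrying the dropped web shell's
        # name, and a file whose hash we add to the IOC set to exercise the hash path.
        with open(os.path.join(layouts, "default.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %>\n')
        with open(os.path.join(layouts, "spinstall0.aspx"), "w") as f:
            f.write("<!-- constructed placeholder, not the real web shell -->\n")
        planted = os.path.join(layouts, "legacy.aspx")
        with open(planted, "w") as f:
            f.write("<!-- constructed file standing in for a known-bad hash -->\n")
        hashes = IOC_SHA256 | {sha256_of(planted)}  # constructed hash, for the demo only
        return sweep(layouts, hashes=hashes)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it against the real ...\TEMPLATE\LAYOUTS directory of each on-premises farm server; a hash match is conclusive, while a filename match on a server where the file was later modified still indicates the web shell was dropped and the MachineKey should be treated as compromised.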

References

  1. Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Company Servers

  2. Microsoft SharePoint zero-day exploited in RCE attacks, no patch available

  3. Zero-day exploitation in the wild of Microsoft SharePoint servers via CVE-2025-53770
