A new zero-day vulnerability in Microsoft SharePoint, CVE-2025-53770, is actively exploited, leaving critical systems exposed worldwide. As of July 18th, at least 85 servers have been compromised, with attacks rapidly evolving from a previously patched vulnerability chain showcased at Pwn2Own Berlin 2025.
From ToolShell Demo to Real-World Threat
In May, cybersecurity researchers from Viettel Cyber Security demonstrated a powerful exploit chain—CVE-2025-49706 and CVE-2025-49704—which allowed remote code execution (RCE) in Microsoft SharePoint during the Pwn2Own Berlin competition. Microsoft addressed those flaws in July’s Patch Tuesday. However, a variant of CVE-2025-49706, now tracked as CVE-2025-53770, has emerged in active attacks.
Microsoft confirmed the threat, stating that only on-premises SharePoint Server installations are impacted, and emphasized that Microsoft 365 remains unaffected. A patch is in development, but no official fix is currently available.
Mitigation Measures and Immediate Recommendations
Microsoft urges SharePoint administrators to enable AMSI (Antimalware Scan Interface) integration and deploy Microsoft Defender Antivirus on all SharePoint servers. These steps will help block unauthenticated attackers from exploiting the flaw.
According to Microsoft, AMSI has been enabled by default since September 2023 on SharePoint Server 2016, 2019, and the Subscription Edition (Version 23H2). For organizations unable to enable AMSI, immediate disconnection from the internet is advised until a security update is released.
Admins are also encouraged to look for signs of compromise, such as the presence of the suspicious file: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx
Global Impact Confirmed: Enterprises and Governments at Risk
Dutch cybersecurity firm Eye Security was among the first to observe these exploits in the wild. It has confirmed at least 29 affected organizations, including multinational corporations and government entities.
The attackers exploit a deserialization vulnerability using crafted ViewState payloads generated via the open-source tool ysoserial. This is possible only after stealing cryptographic keys (ValidationKey and DecryptionKey) from compromised servers, allowing authenticated-looking requests that trigger remote code execution.
IIS logs from victims revealed POST requests targeting: /_layouts/15/ToolPane.aspx
with referers such as: /_layouts/SignOut.aspx
Threat actors are believed to upload the spinstall0.aspx file to exfiltrate critical cryptographic data, essentially hijacking the trust model of SharePoint’s state management.
IOCs and Ongoing Exploits
Security teams should watch for signs of exploitation from the following IP addresses:
- 107.191.58[.]76 (Eye Security, July 18)
- 104.238.159[.]149 (Eye Security, July 19)
- 96.9.125[.]147 (Palo Alto Networks)
Additionally, the existence of the spinstall0.aspx file, suspicious IIS POST activity, or unexpected system behavior should trigger an immediate incident response.
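As an added example (not part of the original article, and not a Microsoft or Eye Security tool), the following Python script turns the indicators above into a check over exported IIS W3C log files. It reads the #Fields directive to locate columns, flags POST requests to /_layouts/15/ToolPane.aspx (noting when the referer is /_layouts/SignOut.aspx), flags any request for spinstall0.aspx, and matches the client IP against the three published addresses. The log embedded at the bottom is constructed for illustration; the assumption that the dropped file would be requested under /_layouts/15/ follows only from its location under TEMPLATE\LAYOUTS.

```python
"""Scan IIS W3C logs for the ToolShell request pattern and published IOC IPs."""
import re

# IOC addresses as published in the write-up (defanged "[.]" form), refanged for matching.
IOC_IPS_DEFANGED = [
    "107.191.58[.]76",
    "104.238.159[.]149",
    "96.9.125[.]147",
]
IOC_IPS = {ip.replace("[.]", ".") for ip in IOC_IPS_DEFANGED}

# IIS resolves URL paths case-insensitively, so the patterns match that way too.
TOOLPANE_RE = re.compile(r"/_layouts/15/ToolPane\.aspx", re.IGNORECASE)
SIGNOUT_REFERER_RE = re.compile(r"/_layouts/SignOut\.aspx", re.IGNORECASE)
SPINSTALL_RE = re.compile(r"spinstall0\.aspx", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per request line, using the most recent #Fields directive."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def classify(record):
    """Return the list of reasons a request is suspicious (empty if none)."""
    reasons = []
    method = record.get("cs-method", "")
    uri = record.get("cs-uri-stem", "")
    referer = record.get("cs(Referer)", "")
    client_ip = record.get("c-ip", "")
    if method.upper() == "POST" and TOOLPANE_RE.search(uri):
        if SIGNOUT_REFERER_RE.search(referer):
            reasons.append("POST to ToolPane.aspx with SignOut.aspx referer")
        else:
            reasons.append("POST to ToolPane.aspx")
    if SPINSTALL_RE.search(uri):
        reasons.append("request for spinstall0.aspx")
    if client_ip in IOC_IPS:
        reasons.append(f"client IP {client_ip} is a published IOC")
    return reasons


def scan(lines):
    """Return [(record, reasons)] for every suspicious request in the log."""
    hits = []
    for rec in parse_w3c(lines):
        reasons = classify(rec)
        if reasons:
            hits.append((rec, reasons))
    return hits


# Constructed sample log (not from any real victim) in the default IIS W3C layout.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:00:01 10.0.0.5 GET /sites/team/default.aspx - 443 DOMAIN\\alice 10.0.0.77 Mozilla/5.0 - 200 0 0 120
2025-07-18 10:00:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 107.191.58.76 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 310
2025-07-18 10:00:04 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 45
2025-07-18 10:00:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 DOMAIN\\bob 10.0.0.88 Mozilla/5.0 https://sp.example.test/sites/team/default.aspx 200 0 0 80
""".splitlines()

if __name__ == "__main__":
    for rec, reasons in scan(SAMPLE_LOG):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"], "->", "; ".join(reasons))
```

Run it against real logs by replacing SAMPLE_LOG with the lines of a file from the IIS log directory. A POST to ToolPane.aspx from an internal, authenticated user is reported with a weaker reason than one carrying the SignOut.aspx referer, so triage can prioritise the latter; the IP match is kept separate because the published addresses may change hands while the request pattern does not.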
Conclusion
The active exploitation of CVE-2025-53770 highlights a severe and urgent threat to on-premises SharePoint environments. With no patch currently available and attackers already leveraging sophisticated methods, organizations must act immediately to implement mitigations, monitor for compromise, and isolate vulnerable systems. This developing threat once again underscores the critical need for proactive vulnerability management and real-time security monitoring in enterprise environments.