A critical zero-day vulnerability, tracked as CVE-2025-53770, is being actively exploited in on-premises Microsoft SharePoint Server installations, posing a severe threat to organizations worldwide. This vulnerability, a variant of the previously patched CVE-2025-49706, allows unauthenticated attackers to execute remote code without user interaction, compromising sensitive data and enabling persistent access. A related vulnerability, CVE-2025-53771, has also been identified. This blog post details the attack, its timeline, technical aspects, and current remediation strategies, drawing on the public reports listed under Sources.
What: Nature of the Attack
The ToolShell exploit chain targets on-premises SharePoint Server instances, exploiting a deserialization vulnerability (CVE-2025-53770) to achieve unauthenticated remote code execution (RCE). Attackers can gain full control over affected systems, steal cryptographic keys (ValidationKey and DecryptionKey), and craft valid __VIEWSTATE payloads to maintain persistent access or move laterally across networks. This vulnerability affects SharePoint Server 2016, 2019, and Subscription Edition but does not impact SharePoint Online in Microsoft 365. A related spoofing flaw, CVE-2025-53771 (CVSS score: 6.3), involves path traversal and further exacerbates the threat. The attack has compromised at least 75 organizations globally, including U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications firm.
Where: Affected Systems
The vulnerabilities exclusively target on-premises SharePoint Server deployments, specifically:
- SharePoint Server 2016 (versions prior to 16.0.5508.1000)
- SharePoint Server 2019 (versions prior to 16.0.10417.20027)
- SharePoint Server Subscription Edition (versions prior to 16.0.18526.20424)
Internet-facing SharePoint servers are particularly at risk, with attackers scanning for vulnerable instances. Over 8,000 servers were scanned, and at least 54–85 organizations have been confirmed compromised, though the true scope may be larger.
When: Timeline of the Attack
- May 2025: The ToolShell exploit chain, combining CVE-2025-49706 (authentication bypass) and CVE-2025-49704 (code injection), was demonstrated at Pwn2Own Berlin by Viettel Cyber Security. Microsoft patched these flaws in the July 2025 Patch Tuesday.
- July 2025: Partial technical disclosures by CODE WHITE GmbH and researcher Soroush Dalili enabled attackers to develop a new exploit, CVE-2025-53770, bypassing the July patches.
- July 18, 2025: Dutch cybersecurity firm Eye Security detected active exploitation at 6:00 PM CET, marking the start of mass attacks. A second wave began on July 19 at 07:28 CET from IP 104.238.159.149.
- July 19, 2025: Microsoft issued an advisory acknowledging active attacks and the absence of a patch for CVE-2025-53770.
- July 20, 2025: CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to mitigate by July 21. Microsoft released patches for SharePoint Server 2019 and Subscription Edition, with SharePoint Server 2016 patches still in development.
- July 21, 2025: Ongoing reports confirmed widespread compromises across federal, energy, and private sectors.
How: Technical Details of the Exploit
The attack leverages a deserialization flaw in SharePoint’s handling of untrusted data, allowing attackers to execute arbitrary code without authentication. Key technical aspects include:
- Exploit Mechanism: Attackers target the /_layouts/15/ToolPane.aspx endpoint with a POST request, using /_layouts/SignOut.aspx as the HTTP referer to bypass authentication (CVE-2025-53770). This exploits SharePoint’s trust in its configuration to execute malicious payloads.
- Payload Delivery: A malicious file, spinstall0.aspx, is uploaded to the path C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS. This file extracts the server’s MachineKey configuration (ValidationKey and DecryptionKey), enabling attackers to forge valid __VIEWSTATE payloads for persistent RCE. The file’s SHA256 hash is 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514.
- Attack Impact: Once compromised, attackers can:
  - Access SharePoint’s file systems and internal configurations.
  - Deploy persistent backdoors for continued access.
  - Move laterally to connected services like Outlook, Teams, and OneDrive, facilitating data theft and password harvesting.
- Indicators of Compromise (IoCs):
  - File Creation: Presence of spinstall0.aspx in the specified path.
  - Network Activity: Exploitation attempts from IPs 107.191.58.76, 104.238.159.149, and 96.9.125.147 (July 17–19, 2025).
  - IIS Logs: Monitor for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with a referer of /_layouts/SignOut.aspx.
- Exploit Sophistication: The attack blends with legitimate SharePoint activity, making detection challenging without deep endpoint visibility. Stolen cryptographic keys allow attackers to persist even after patching, as patches do not rotate these keys.
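As an added example (not code from the original post or from any of the cited vendors), the following Python script applies the IoCs above to an IIS W3C log and to the LAYOUTS directory. The log excerpt, the host name sp.example.test and the internal addresses are constructed; the IPs, the file name, the hash and the request pattern are the ones quoted in this post.

```python
import hashlib
from pathlib import Path

KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}  # from the advisory above
SPINSTALL0_SHA256 = "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"  # published hash
LAYOUTS_DIR = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"

# Constructed IIS W3C log excerpt (not a real capture): an exploit request, a webshell fetch,
# and a legitimate ToolPane.aspx edit that must NOT be flagged.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-19 06:28:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 104.238.159.149 http://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 06:28:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 104.238.159.149 - 200
2025-07-19 06:31:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.77 http://sp.example.test/sites/hr/_layouts/15/start.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def hunt_iis_log(text):
    """Return (client IP, URI stem, reasons) for every request that matches an indicator."""
    hits = []
    for rec in parse_w3c(text):
        stem, referer = rec.get("cs-uri-stem", "").lower(), rec.get("cs(Referer)", "").lower()
        reasons = []
        # A POST to ToolPane.aspx alone is normal page editing; the SignOut.aspx referer is the tell.
        if (rec.get("cs-method") == "POST" and stem.endswith("/_layouts/15/toolpane.aspx")
                and "/_layouts/signout.aspx" in referer):
            reasons.append("toolshell-request")
        if stem.endswith("/spinstall0.aspx"):
            reasons.append("webshell-uri")
        if rec.get("c-ip") in KNOWN_BAD_IPS:
            reasons.append("known-bad-ip")
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], tuple(reasons)))
    return hits

def is_spinstall0(data):
    return hashlib.sha256(data).hexdigest() == SPINSTALL0_SHA256  # byte-exact match only

def check_layouts_dir(layouts=LAYOUTS_DIR):
    """Flag .aspx files in LAYOUTS (long form of the 8.3 path quoted above) by webshell name or hash."""
    root = Path(layouts)
    return [str(f) for f in (root.glob("*.aspx") if root.is_dir() else [])
            if f.name.lower() == "spinstall0.aspx" or is_spinstall0(f.read_bytes())]
```

Feed real logs from the IIS log folder into hunt_iis_log and run check_layouts_dir on each SharePoint server; a hash-only match catches a renamed copy of the webshell, while a modified copy will not match and still needs the name and log checks.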
Current Remediation Recommendations
Microsoft and CISA have provided urgent mitigation steps to protect on-premises SharePoint servers. Organizations should assume compromise and act immediately.
Immediate Actions
- Apply Available Patches:
  - SharePoint Server 2019: Install KB5002754 (version 16.0.10417.20027).
  - SharePoint Server Subscription Edition: Install KB5002768 (version 16.0.18526.20424).
  - SharePoint Server 2016: Patches are not yet available; monitor Microsoft’s MSRC blog for updates.
- Enable Antimalware Scan Interface (AMSI):
  - Ensure AMSI integration is enabled (default since the September 2023 updates for SharePoint 2016/2019 and Version 23H2 for Subscription Edition).
  - Deploy Microsoft Defender Antivirus across all SharePoint servers in Full Mode for optimal protection.
- Deploy Microsoft Defender for Endpoint:
  - Use Defender for Endpoint or equivalent solutions to detect and block post-exploit activity, such as webshell installation or lateral movement.
- Disconnect Internet-Facing Servers:
  - If AMSI cannot be enabled or patches are unavailable, disconnect SharePoint servers from the internet to prevent further exploitation.
- Rotate Machine Keys:
  - After applying patches or enabling AMSI, rotate SharePoint’s ASP.NET machine keys (ValidationKey and DecryptionKey) to invalidate stolen keys.
  - Restart IIS on all SharePoint servers using iisreset.exe after the rotation.
- Monitor and Hunt for Compromise:
  - Check for the presence of spinstall0.aspx using Microsoft 365 Defender queries.
  - Monitor IIS logs for suspicious POST requests and scan network logs for activity from the identified IPs.
- Update Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF):
  - Block exploit patterns and anomalous behavior targeting /_layouts/15/ToolPane.aspx.
- Conduct Incident Response:
  - Engage professional incident response teams to assess the scope of compromise, as attackers may have established persistent access. Review logs for activity prior to mitigation to identify earlier breaches.
Long-Term Recommendations
- Upgrade to Supported Versions: Use supported SharePoint versions (2016, 2019, or Subscription Edition) to ensure patch availability.
- Implement Comprehensive Logging: Follow CISA’s Best Practices for Event Logging and Threat Detection to identify exploitation attempts.
- Consider Cloud Migration: Transition to SharePoint Online, which is unaffected, to reduce exposure to on-premises vulnerabilities.
- Follow Cyber Hygiene Best Practices: Implement CISA’s Top 10 IT Security Actions, including regular patching and key rotation.
Conclusion
The CVE-2025-53770 and CVE-2025-53771 vulnerabilities represent a critical threat to on-premises SharePoint Server environments, with mass exploitation underway since July 18, 2025. Organizations must act swiftly to apply patches, enable AMSI, rotate cryptographic keys, and monitor for compromise. The attack’s ability to steal keys and persist post-patching underscores the need for thorough incident response and proactive security measures.
For additional details, refer to Microsoft’s customer guidance at https://msrc.microsoft.com and CISA’s advisory at https://www.cisa.gov.
Sources
- CISA Alert on SharePoint Vulnerability (CVE-2025-53770)
  - URL: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
  - Published: July 20, 2025
  - Details: CISA’s advisory on active exploitation, mitigation recommendations, and addition of CVE-2025-53770 to the Known Exploited Vulnerabilities (KEV) catalog.
- Help Net Security: Microsoft SharePoint Servers Under Attack
  - URL: https://www.helpnetsecurity.com/2025/07/20/microsoft-sharepoint-servers-under-attack-via-zero-day-vulnerability-cve-2025-53770/
  - Published: July 20, 2025
  - Details: Information on the zero-day exploitation, the ToolShell attack chain, and the need for key rotation post-patching.
- The Hacker News: Critical Unpatched SharePoint Zero-Day
  - URL: https://thehackernews.com/2025/07/sharepoint-zero-day-cve-2025-53770.html
  - Published: July 20, 2025
  - Details: Technical details on CVE-2025-53770, its relation to CVE-2025-49704/49706, and exploitation mechanics, including MachineKey theft.
- BleepingComputer: Microsoft SharePoint Zero-Day Exploited
  - URL: https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
  - Published: July 20, 2025
  - Details: Timeline of exploitation, IoCs (e.g., spinstall0.aspx), and Microsoft’s mitigation guidance.
- Tenable Blog: CVE-2025-53770 FAQ
  - URL: https://www.tenable.com/blog/cve-2025-53770-frequently-asked-questions-about-zero-day-sharepoint-vulnerability-exploitation
  - Published: July 20, 2025
  - Details: Confirmation of exploitation, IoCs, and the role of CODE WHITE GmbH and Soroush Dalili in disclosing technical details.
- Eye Security: ToolShell Mass Exploitation (CVE-2025-53770)
  - URL: https://research.eye.security/sharepoint-under-siege/
  - Published: July 17, 2025
  - Details: In-depth analysis of the attack, including IoCs (IP addresses, file paths), exploitation timeline, and cryptographic key theft.
- Microsoft Security Response Center (MSRC) Blog: Customer Guidance for CVE-2025-53770
  - URL: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
  - Published: July 19, 2025
  - Details: Official Microsoft guidance on mitigations, patch availability for SharePoint 2019 and Subscription Edition, and detection queries.
- Canadian Centre for Cyber Security: Vulnerability Update
  - URL: https://www.cyber.gc.ca/en/alerts-advisories/vulnerability-impacting-microsoft-sharepoint-server-cve-2025-53770-update-1
  - Published: July 20, 2025
  - Details: Confirmation of exploitation in Canada, IoCs (spinstall0.aspx file path and SHA256 hash), and mitigation advice.
- Cybersecurity News: SharePoint 0-Day RCE Vulnerability
  - URL: https://cybersecuritynews.com/sharepoint-0-day-rce-vulnerability/
  - Published: July 19, 2025
  - Details: Overview of the ToolShell campaign, affected versions, and patch details (though some information on patch availability was inaccurate).
- Security Affairs: SharePoint Zero-Day Exploited
  - URL: https://securityaffairs.com/165841/hacking/sharepoint-zero-day-cve-2025-53770.html
  - Published: July 21, 2025
  - Details: Confirmation of active exploitation, CVSS scores, and relation to CVE-2025-49706.
- Strobes Security: CVE-2025-53770 Overview
  - URL: https://strobes.co/blog/cve-2025-53770-microsoft-sharepoint-zero-day-exploited-in-rce-attacks/
  - Published: July 20, 2025
  - Details: Technical analysis, affected versions, and emphasis on rapid exploitation post-disclosure.
Stay updated via Microsoft’s MSRC blog and CISA advisories for further patches, especially for SharePoint Server 2016.