
Microsoft SharePoint Zero-Day Flaws Under Active Attack: What You Need to Do


Two newly disclosed zero-day vulnerabilities in Microsoft SharePoint Server are being actively exploited in the wild. Chained together, the flaws give an unauthenticated attacker remote code execution on the server, and they have already been used against dozens of enterprise and government systems. If your organization runs SharePoint on-premises, immediate action is critical.

What’s the Threat?

Security researchers uncovered two serious bugs: CVE-2025-53770 and CVE-2025-53771. CVE-2025-53770 is a deserialization-of-untrusted-data flaw that yields remote code execution; CVE-2025-53771 is a spoofing flaw that lets the attacker reach that vulnerable code path without authenticating. Used together, they make the attack fully unauthenticated.

Deserialization is the process of turning stored or transmitted data back into live objects in memory. If an application deserializes data an attacker controls, crafted input can make it instantiate objects that run attacker-chosen code.

In simple terms, attackers can send a malicious request that lets them execute arbitrary code on the server without even needing to log in. This kind of vulnerability is exactly what cybercriminals look for. Once inside, they can steal sensitive data, deploy persistent backdoors, or move laterally across networks. 

Microsoft confirmed that the flaws are being exploited in real-world attacks; the first signs of active exploitation were observed on July 18, 2025.

Who’s Been Targeted So Far?

At least 85 servers have been compromised across sectors including government, energy, telecom, finance, and higher education. Of these, more than 75 belonged to large enterprises and U.S. government agencies.

As noted by Adam Meyers, Senior VP of Intelligence at CrowdStrike, “Anybody who’s got a hosted SharePoint server has got a problem. It’s a significant vulnerability.” Security analysts believe the nature and scope of the campaign suggest the involvement of a sophisticated, possibly state-sponsored group.

How the Exploit Works

After exploiting the chain, the attackers drop a web shell (typically named spinstall0.aspx) into the LAYOUTS folder of the SharePoint hive. Rather than giving them an interactive shell, its main job is to read and return the server's ASP.NET MachineKey values (the ValidationKey and DecryptionKey), which SharePoint uses to sign and encrypt ViewState and authentication tokens.

MachineKeys are the cryptographic secrets behind those signatures. Whoever holds them can mint tokens and signed ViewState payloads the server will accept as genuine, so stealing them is a way to forge identities and bypass security checks. Patching closes the entry point but does not change the keys: an attacker holding the old keys keeps that forging ability until the keys are rotated.
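To make the key-theft point concrete, here is an added illustration (not code from the original post, and not SharePoint's real token or ViewState format): a minimal HMAC-protected token in PowerShell that models what ASP.NET does with its validationKey. The key size, payload strings and the token layout are assumptions chosen for the demo. It shows that tampering without the key is rejected, that a token forged with a stolen key is indistinguishable from a legitimate one, and that only rotating the key invalidates it.

```powershell
# Added illustration, not code from the original post and not the real
# SharePoint token format. Works in Windows PowerShell 5.1 and PowerShell 7.
# Everything below (key size, payloads, token layout) is made up for the demo.

function New-ValidationKey {
    # 64 random bytes, roughly the size of an ASP.NET validationKey (assumption).
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ,$bytes   # leading comma keeps the byte[] from being unrolled
}

function Protect-Token {
    # token = base64(payload) "." base64(HMAC-SHA256(key, payload))
    param([byte[]]$Key, [string]$Payload)
    $data = [System.Text.Encoding]::UTF8.GetBytes($Payload)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $mac  = $hmac.ComputeHash($data)
    return [Convert]::ToBase64String($data) + '.' + [Convert]::ToBase64String($mac)
}

function Unprotect-Token {
    # Returns the payload if the MAC verifies under $Key, otherwise $null.
    param([byte[]]$Key, [string]$Token)
    $parts = $Token.Split('.')           # base64 never contains '.', so this is safe
    if ($parts.Count -ne 2) { return $null }
    $data     = [Convert]::FromBase64String($parts[0])
    $mac      = [Convert]::FromBase64String($parts[1])
    $hmac     = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $expected = $hmac.ComputeHash($data)
    # Constant-time comparison: never short-circuit on the first differing byte.
    if ($mac.Length -ne $expected.Length) { return $null }
    $diff = 0
    for ($i = 0; $i -lt $mac.Length; $i++) { $diff = $diff -bor ($mac[$i] -bxor $expected[$i]) }
    if ($diff -ne 0) { return $null }
    return [System.Text.Encoding]::UTF8.GetString($data)
}

function Show-Verdict {
    param([string]$Label, $Result)
    if ($null -eq $Result) { "$Label : REJECTED" } else { "$Label : ACCEPTED as '$Result'" }
}

$serverKey = New-ValidationKey          # the secret spinstall0.aspx exists to read
$legit = Protect-Token -Key $serverKey -Payload 'user=alice;role=reader'
Show-Verdict 'legitimate token' (Unprotect-Token -Key $serverKey -Token $legit)

# Without the key, editing the payload breaks the MAC and the server rejects it.
$editedPayload = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('user=alice;role=admin'))
$tampered = $editedPayload + '.' + $legit.Split('.')[1]
Show-Verdict 'tampered without key' (Unprotect-Token -Key $serverKey -Token $tampered)

# With the stolen key the attacker signs any payload and the server cannot tell
# it from a genuine token. Patching the entry point changes nothing here.
$forged = Protect-Token -Key $serverKey -Payload 'user=alice;role=admin'
Show-Verdict 'forged with stolen key' (Unprotect-Token -Key $serverKey -Token $forged)

# Rotating the key is what invalidates tokens minted with the old one.
$rotatedKey = New-ValidationKey
Show-Verdict 'forged token after rotation' (Unprotect-Token -Key $rotatedKey -Token $forged)
```

The real ASP.NET machinery adds encryption, key derivation and a different encoding, but the trust model is the same: the server has no way to distinguish a token signed with a stolen key from its own, which is why the response guidance insists on rotation and not just patching.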

The campaign is known as “ToolShell,” which is the name researchers gave to the exploit chain itself, not to a malware family. The chain was first demonstrated at Pwn2Own Berlin in May 2025 against CVE-2025-49706 and CVE-2025-49704, which Microsoft fixed in its July Patch Tuesday release; CVE-2025-53770 and CVE-2025-53771 bypass those fixes. The chain provides the foothold. The credential theft, persistence across reboots (the web shell is a file on disk), lateral movement and evasion are what the operators do once they have it.

Who Is Affected?

Only on-premises versions of Microsoft SharePoint Server are vulnerable. Specifically:

  • SharePoint Server 2016
  • SharePoint Server 2019
  • SharePoint Subscription Edition

Cloud-based SharePoint Online (as part of Microsoft 365) is not impacted.

Microsoft’s Emergency Response

Microsoft released out-of-band emergency patches for some impacted versions:

  • SharePoint Server 2019 — [Patch KB5002754 now available]
  • SharePoint Subscription Edition — [Patch KB5002768 released]
  • SharePoint Server 2016 — Patch not yet available

If you’re using SharePoint 2016, Microsoft advises isolating the server from external networks until a patch is released. In a statement to Reuters, Microsoft said, “We’ve been coordinating closely with CISA, DOD Cyber Defense Command and key cybersecurity partners globally throughout our response.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog on July 20 and issued a July 21 patch deadline for all U.S. federal agencies.

What You Should Do Now

If your organization uses on-prem SharePoint, here’s what to do immediately:

  • Apply the Emergency Patches: Install the available updates for SharePoint 2019 (KB5002754) and Subscription Edition (KB5002768) on every server in the farm. Every hour of delay is exposure.
  • Enable Defender Antivirus + AMSI: Microsoft's mitigation guidance is to turn on AMSI integration in SharePoint (Full Mode is recommended) and run Microsoft Defender Antivirus on every SharePoint server, so request payloads are scanned before SharePoint processes them.
  • Rotate MachineKey Values: Do this after patching, for every web application, and then restart IIS on every server in the farm. Patching closes the entry point; only rotation invalidates tokens an attacker can mint with keys that were already stolen.
  • Scan for Web Shells: Look for spinstall0.aspx (or any recently created .aspx) in the LAYOUTS folder of the SharePoint hive. In the IIS logs, look for POST requests to /_layouts/15/ToolPane.aspx with DisplayMode=Edit, especially ones whose Referer is /_layouts/SignOut.aspx, and for any request to spinstall0.aspx.
  • Disconnect Vulnerable Servers: If no patch is available for your version, take the server off the internet until one is.
  • Audit Lateral Movement: A web shell is a file on disk and survives reboots, and stolen keys survive patching. Treat every system that communicated with a compromised server as potentially at risk.
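The checks and the key rotation above, as one added triage script. This is not the original post's code and not a Microsoft-supplied script; the cmdlets it calls (Get-SPWebApplication, Update-SPMachineKey, iisreset.exe) are Microsoft's, everything else is this example's. Assumptions, all labelled in the code: the default IIS log location, the SharePoint "16" hive, and a 30-day window for "recently dropped" pages. Run it in an elevated SharePoint Management Shell on every server in the farm; pass -RotateKeys only after the security update is installed (or, on SharePoint 2016, after the server has been isolated).

```powershell
<#
  Added triage-and-rotation script (not from the original post, not Microsoft's).
  Assumptions: default IIS log path, SharePoint "16" hive, 30-day heuristic for
  recently created .aspx files. Run elevated in the SharePoint Management Shell.
#>
[CmdletBinding()]
param(
    [switch]$RotateKeys,
    [string]$IisLogRoot = "$env:SystemDrive\inetpub\logs\LogFiles",   # assumption: default IIS location
    [int]$RecentDays = 30                                              # assumption: heuristic window
)

# 1. Web shell hunt. spinstall0.aspx was written into the LAYOUTS folder of the
#    SharePoint hive. A renamed copy is just as dangerous, so also surface recently
#    created .aspx files; note that cumulative updates refresh shipped pages too,
#    so those are reported for manual review rather than treated as proof.
$hive    = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16'
$layouts = Join-Path $hive 'TEMPLATE\LAYOUTS'

$knownShells = Get-ChildItem -Path $layouts -Filter 'spinstall*.aspx' -File -Recurse -ErrorAction SilentlyContinue
$recentAspx  = Get-ChildItem -Path $layouts -Filter '*.aspx' -File -Recurse -ErrorAction SilentlyContinue |
               Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-$RecentDays) }

# 2. Log hunt. IIS W3C logs hold method, URI stem, query and Referer as separate
#    space-separated fields. The reported exploit request is a POST to
#    /_layouts/15/ToolPane.aspx with DisplayMode=Edit and a Referer of
#    /_layouts/SignOut.aspx; any request for spinstall0.aspx is the shell in use.
$logFiles    = Get-ChildItem -Path $IisLogRoot -Filter '*.log' -File -Recurse -ErrorAction SilentlyContinue
$exploitHits = $logFiles | Select-String -Pattern 'POST\s+/_layouts/15/ToolPane\.aspx\s+\S*DisplayMode=Edit' |
               Where-Object { $_.Line -match '/_layouts/SignOut\.aspx' }
$shellHits   = $logFiles | Select-String -Pattern '/_layouts/15/spinstall0?\.aspx'

# 3. Report. If anything is found, preserve the logs and the shell for forensics
#    before cleaning, and treat the MachineKey values as already stolen.
$compromised = $false
foreach ($f in $knownShells) { Write-Warning "Known web shell on disk: $($f.FullName)"; $compromised = $true }
foreach ($f in $recentAspx)  { Write-Warning "Recently created .aspx in LAYOUTS (review manually): $($f.FullName) ($($f.CreationTime))" }
foreach ($h in $exploitHits) { Write-Warning "Exploit-shaped request: $($h.Filename):$($h.LineNumber)"; $compromised = $true }
foreach ($h in $shellHits)   { Write-Warning "Web shell request: $($h.Filename):$($h.LineNumber)"; $compromised = $true }

if ($compromised) {
    Write-Warning 'Indicators found. Isolate the server, preserve evidence, and assume the MachineKey values are stolen.'
} else {
    Write-Output 'No ToolShell indicators found in LAYOUTS or IIS logs on this server.'
}

# 4. Key rotation. Rotating after the patch invalidates tokens forged with stolen
#    keys; rotating before the patch only buys time, because the keys can be
#    stolen again. Update-SPMachineKey is Microsoft's cmdlet on Subscription
#    Edition and 2019; confirm it exists on your build before relying on it.
if ($RotateKeys) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
        throw 'Update-SPMachineKey is not available on this build; run the Machine Key Rotation timer job from Central Administration instead.'
    }
    Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
        Write-Output "Rotating machine keys for $($_.Url)"
        Update-SPMachineKey -WebApplication $_
    }
    # Worker processes only pick up the new keys after IIS restarts, and the
    # restart has to happen on every server in the farm.
    iisreset.exe
}
```

Run it first without -RotateKeys on each server to collect indicators, then, once the patch is installed everywhere, run it with -RotateKeys on one server and restart IIS on the rest. A clean run on one server says nothing about the others: the keys are farm-wide, so one compromised server means every server's tokens are forgeable.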

Global Authorities Are on High Alert

The FBI, CISA, and other agencies in Canada and Australia are monitoring the campaign closely. CISA has urged urgent action to contain the threat. Charles Carmakal, CTO at Mandiant Consulting, emphasized:

“Organizations need to implement mitigations right away (and the patch when available), assume compromise, investigate whether the system was compromised prior to the patch/mitigation, and take remediation actions.”

CISA’s directive isn’t just to patch, but also to verify the removal of web shells and rotate all relevant encryption keys post-update. Microsoft has echoed that message, warning that failure to rotate stolen keys could allow attackers to persist, even after patching.

Final Thoughts

If you’re running an on-prem SharePoint Server, consider this a red alert. Patch immediately where possible, isolate what you can’t, and rotate your keys regardless. Even after patching, attackers holding stolen keys can keep forging valid tokens, so thorough auditing is essential.

Author: Anas Hasan

Published: July 21, 2025

Anas Hassan is a tech geek and cybersecurity enthusiast with extensive experience in the digital transformation industry. When Anas isn’t blogging, he watches football.
