
Microsoft SharePoint servers under attack via zero-day vulnerability with no patch (CVE-2025-53770)
Attackers are exploiting a zero-day variant of a SharePoint remote code execution vulnerability.
CVE-2025-53770 is being leveraged to place a backdoor on vulnerable on-premises SharePoint Servers and to grab the systems’ security keys, allowing the attackers full takeover of the machines.
There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.
“AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition,” Microsoft noted.
“If enabling AMSI is not an option, you should remove access to the internet from the SharePoint server. We also recommend you deploy Defender for Endpoint to detect and block post-exploit activity.”
About CVE-2025-53770
CVE-2025-53770 stems from SharePoint deserializing untrusted data. It can lead to unauthenticated remote code execution with no user interaction required, and affects the following on-premises products:
Microsoft SharePoint Server 2019
Microsoft SharePoint Enterprise Server 2016, and
Microsoft SharePoint Server Subscription Edition
Microsoft SharePoint as part of Microsoft 365 (i.e., SharePoint Online) is not vulnerable.
CVE-2025-53770 is a variant of CVE-2025-49706, an authentication bypass vulnerability that has been chained with CVE-2025-49704, a code injection vulnerability, to pull off “ToolShell”, an attack devised by Viettel Cyber Security researchers and demonstrated at the Pwn2Own contest in Berlin in May 2025.
Unfortunately, CODE WHITE GmbH researchers releasing a screenshot of the proof of concept exploit for the ToolShell attack and other researchers sharing additional technical details was apparently enough for attackers to find a variant of CVE-2025-49706, create an exploit chain of their own and start looking for and exploiting vulnerable internet-facing SharePoint servers.
CVE-2025-53770 exploitation in the wild
Dutch security outfit Eye Security says that the zero-day has been actively exploited since at least July 18.
“When our team began reviewing the impacted systems, we expected to find the usual suspects: standard web shells designed for command execution, file uploads, or lateral movement. Instead, what we discovered was more subtle, and arguably more dangerous: a stealthy spinstall0.aspx file whose sole purpose was to extract and leak cryptographic secrets from the SharePoint server using a simple GET request,” they shared.
“This wasn’t your typical webshell. There were no interactive commands, reverse shells, or command-and-control logic. Instead, the page invoked internal .NET methods to read the SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey. These keys are essential for generating valid __VIEWSTATE payloads, and gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity.”
Eye Security says that within hours of detecting the initial compromise, they pinpointed more than dozens of servers compromised “using the exact same payload at the same filepath,” and began privately disclosing their findings to national CERTs across the world and affected organizations across Europe.
Additional victim organizations have been identified by the Dutch Institute for Vulnerability Disclosure, Eye Security said on Sunday.
What to do?
Organizations that took their on-premises SharePoint Server machine(s) off the internet, or enabled AMSI integration and deployed Defender AV, only after the initial wave of attacks should check their servers’ logs for indicators of compromise.
Eye Security has compiled (and is constantly updating) a list of IoCs and advised organizations to follow Microsoft’s customer guidance. Palo Alto Networks has also shared some IoCs.
Organizations that find evidence of compromise should isolate/shut down the affected servers and renew all credentials and system secrets that could have been exposed via the malicious ASPX.
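The log review recommended above can be partly automated. The following is an added example (not code from the article, Eye Security or Microsoft): it parses IIS logs in the W3C extended format that SharePoint's IIS front end writes, and flags every request whose URI names the spinstall0.aspx file that Eye Security describes, tolerating mixed case and URL-encoding in the path. The directory portion of the path and the log lines themselves are constructed sample data, not values from the article; only the file name comes from the page. Because that page leaks MachineKey material in response to a plain GET, a hit that was answered with a 2xx status is treated as "secrets may have left the server" rather than as a mere probe.

```python
from urllib.parse import unquote
from typing import Dict, List

# File name reported by Eye Security as the IoC (the directory is not taken from
# the article, so we match on the file name only, anywhere in the URI stem).
IOC_FILENAME = "spinstall0.aspx"

# Constructed sample IIS W3C log excerpt (not real data). The first request is an
# ordinary page load; the second and third hit the IoC file, the third with the
# name URL-encoded and in mixed case, and a 404 because the file had been removed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 03:12:41 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2025-07-19 03:14:02 10.0.0.5 GET /example/dir/spinstall0.aspx - 443 - 203.0.113.7 python-requests/2.32 200
2025-07-19 03:14:09 10.0.0.5 GET /example/dir/SpInstall0%2Easpx - 443 - 203.0.113.7 curl/8.5.0 404
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request, keyed by #Fields names."""
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            # The #Fields directive defines the column layout for the lines that follow.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no request data
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def hits_ioc(record: Dict[str, str]) -> bool:
    """True if the request's URI stem ends in the IoC file name (decoded, case-insensitive)."""
    stem = unquote(record.get("cs-uri-stem", "")).lower()
    return stem.rsplit("/", 1)[-1] == IOC_FILENAME


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return every request record that touched the IoC file."""
    return [r for r in parse_w3c(text) if hits_ioc(r)]


def triage(findings: List[Dict[str, str]]) -> Dict[str, object]:
    """Split hits into served (2xx: the file existed and answered, so key material may
    have been disclosed) and probes (anything else), and list the source addresses."""
    served = [f for f in findings if f["sc-status"].startswith("2")]
    return {
        "served": len(served),
        "probes": len(findings) - len(served),
        "sources": sorted({f["c-ip"] for f in findings}),
    }


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["date"]} {h["time"]} {h["c-ip"]} {h["cs-method"]} {h["cs-uri-stem"]} -> {h["sc-status"]}')
    print(triage(hits))
```

Run it against the real log directory instead of SAMPLE_LOG by reading each `u_ex*.log` file and passing its text to `scan_log`. A non-empty `served` count is the signal that matters for the steps that follow: the server should be treated as compromised and its secrets rotated, not merely patched or re-scanned.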
“These keys allow attackers to impersonate users or services, even after the server is patched. So patching alone does not solve the issue, you need to rotate the secrets allowing all future tokens that can be created by the malicious actor become invalid,” Eye Security explained.
Some organizations may need to call in outside incident response experts to help investigate and contain the compromise.
“Attackers can maintain persistence through backdoors or modified components that survive reboots and updates. So please consult expert incident response services if in doubt,” the Dutch security outfit noted, and warned that because SharePoint often connects to core services like Outlook, Teams, and OneDrive, a breach can quickly lead to data theft, password harvesting, and lateral movement across the network.
CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog and instructed all US federal civilian executive branch (FCEB) agencies to identify potentially affected systems and to apply mitigations by July 21 (i.e., tomorrow).