
Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Company Servers
A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an “active, large-scale” exploitation campaign.
The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates.
“Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network,” Microsoft said in an advisory released on July 19, 2025.
The Windows maker further noted that it’s preparing and fully testing a comprehensive update to resolve the issue. It credited Viettel Cyber Security for discovering and reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI).
In a separate alert issued Saturday, Redmond said it’s aware of active attacks targeting on-premises SharePoint Server customers, but emphasized that SharePoint Online in Microsoft 365 is not impacted.
Attackers exploiting this bug aren’t just injecting arbitrary code—they’re abusing how SharePoint deserializes untrusted objects, allowing them to execute commands even before authentication takes place. Once inside, they can forge trusted payloads using stolen machine keys to persist or move laterally, often blending in with legitimate SharePoint activity—making detection and response especially difficult without deep endpoint visibility.
In the absence of an official patch, Microsoft is urging customers to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender AV on all SharePoint servers.
It’s worth noting that AMSI integration is enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
For those who cannot enable AMSI, it’s advised that the SharePoint Server is disconnected from the internet until a security update is available. For added protection, users are recommended to deploy Defender for Endpoint to detect and block post-exploit activity.
The disclosure comes as Eye Security and Palo Alto Networks Unit 42 warned of attacks chaining CVE-2025-49706 and CVE-2025-49704 (CVSS score: 8.8), a code injection flaw in SharePoint, to facilitate arbitrary command execution on susceptible instances. The exploit chain has been codenamed ToolShell.
But given that CVE-2025-53770 is a “variant” of CVE-2025-49706, it’s suspected that these attacks are related.
Eye Security said the wide-scale attacks it identified leverage CVE-2025-49706 to POST a remote code execution payload exploiting CVE-2025-49704. “We believe that the finding that adding ‘_layouts/SignOut.aspx’ as HTTP referer makes CVE-2025-49706 into CVE-2025-53770,” it said.
It’s worth mentioning here that the ZDI has characterized CVE-2025-49706 as an authentication bypass vulnerability that stems from how the application handles the HTTP Referer header supplied to the ToolPane endpoint (“/_layouts/15/ToolPane.aspx”).
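The request shape described above (an unauthenticated POST to ToolPane.aspx whose Referer names SignOut.aspx) is something a defender can hunt for in IIS logs today, independent of the patch. The following is an added example, not code from Eye Security, ZDI, Microsoft or this article: it parses IIS W3C-format logs and flags exactly that combination. The log excerpt is constructed for illustration, and the field list, host names and addresses in it are assumptions.

```python
import re

# Constructed IIS W3C log excerpt (field list, hosts and addresses are invented).
# The two 203.0.113.77 entries are the ToolShell-shaped requests: anonymous POSTs
# to ToolPane.aspx with a SignOut.aspx Referer. The last entry is a normal
# authenticated edit-mode request and must not be flagged.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.40 Mozilla/5.0 https://sp.contoso.local/sites/hr 200
2025-07-19 09:12:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.77 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 09:12:09 10.0.0.5 POST /_LAYOUTS/15/toolpane.aspx - 443 - 203.0.113.77 python-requests/2.32 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-19 09:13:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\\admin 10.0.0.41 Mozilla/5.0 https://sp.contoso.local/sites/hr/_layouts/15/EditPage.aspx 200
"""

# Case-insensitive on purpose: IIS serves /_LAYOUTS/15/toolpane.aspx just as happily.
TOOLPANE_PATH = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_REFERER = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.IGNORECASE)


def parse_iis_w3c(text: str):
    """Parse W3C extended log text into dicts keyed by the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#"):
            continue
        else:
            if fields is None:
                raise ValueError("log entry before #Fields directive")
            values = line.split()  # IIS percent-encodes spaces inside fields
            if len(values) == len(fields):  # skip truncated lines
                records.append(dict(zip(fields, values)))
    return fields, records


def is_toolshell_shaped(rec: dict) -> bool:
    """POST to ToolPane.aspx carrying a SignOut.aspx Referer."""
    return (
        rec.get("cs-method", "").upper() == "POST"
        and TOOLPANE_PATH.search(rec.get("cs-uri-stem", "")) is not None
        and SIGNOUT_REFERER.search(rec.get("cs(Referer)", "")) is not None
    )


def find_suspicious(text: str):
    fields, records = parse_iis_w3c(text)
    for needed in ("cs-method", "cs-uri-stem", "cs(Referer)"):
        if not fields or needed not in fields:
            raise ValueError(f"log lacks {needed}; enable it in IIS logging before hunting")
    return [r for r in records if is_toolshell_shaped(r)]


def summarize(hits):
    """Per-source-IP request count plus whether every hit was anonymous ('-' username)."""
    out = {}
    for h in hits:
        entry = out.setdefault(h["c-ip"], {"requests": 0, "all_unauthenticated": True})
        entry["requests"] += 1
        if h.get("cs-username", "-") != "-":
            entry["all_unauthenticated"] = False
    return out


if __name__ == "__main__":
    for ip, info in summarize(find_suspicious(SAMPLE_IIS_LOG)).items():
        print(ip, info)
```

The Referer is attacker-controlled, so an empty result only means the attacker did not use this exact shape, not that the server is clean; treat a hit as high-signal and pivot to process and file telemetry on the host (spawned PowerShell, new .aspx files under the LAYOUTS directory) rather than stopping at the web log. Note also that `cs(Referer)` is an optional IIS log field; the script refuses to run over logs that do not record it rather than silently reporting nothing.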
The malicious activity essentially involves delivering ASPX payloads via PowerShell; the resulting web shell is then used to steal the SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey, to maintain persistent access.
The Dutch cybersecurity company said these keys are crucial for generating valid __VIEWSTATE payloads, and that gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity.
“We are still identifying mass exploit waves,” Eye Security CTO Piet Kerkhofs told The Hacker News in a statement. “This will have a huge impact as adversaries are laterally moving using this remote code execution with speed.”
More than 85 SharePoint servers globally have been identified as compromised with the malicious web shell as of writing. These hacked servers belong to 29 organizations, including multinational firms and government entities.
“__VIEWSTATE is a core mechanism in ASP.NET that stores state information between requests,” watchTowr CEO Benjamin Harris said. “It is cryptographically signed and optionally encrypted using the ValidationKey and DecryptionKey.”
“With these keys in hand, attackers can craft forged __VIEWSTATE payloads that SharePoint will accept as valid—enabling seamless remote code execution. This approach makes remediation particularly difficult: a typical patch would not automatically rotate these stolen cryptographic secrets, leaving organizations vulnerable even after they patch.”
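To make the point in the two passages above concrete (the MachineKey theft described by Eye Security and the forged-__VIEWSTATE remediation problem described by watchTowr), here is an added example that is not code from either company, Microsoft or this article. It models both halves of the chain in simplified form: an unauthenticated ToolPane request that yields the ValidationKey, and a page request that deserializes any __VIEWSTATE whose MAC validates under that key. The timeline then shows the forged token still being accepted after a patch that closes the injection path, and rejected only once the key is rotated. Real ASP.NET derives per-purpose keys from machineKey and may additionally encrypt ViewState with DecryptionKey; the plain HMAC-SHA256-over-payload construction and the class and function names here are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def generate_validation_key() -> bytes:
    # 64 random bytes, the length ASP.NET commonly uses for a ValidationKey.
    return secrets.token_bytes(64)


def sign_viewstate(payload: bytes, validation_key: bytes) -> str:
    """Simplified ViewState MAC: base64(payload || HMAC-SHA256(key, payload))."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_viewstate(token: str, validation_key: bytes):
    """Return the payload if the MAC validates under validation_key, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, expected) else None


class SharePointWebApp:
    """Hypothetical stand-in for an on-premises SharePoint web application."""

    def __init__(self):
        self.validation_key = generate_validation_key()
        self.patched = False
        self.deserialized = []  # every payload the app deserialized, i.e. code it would run

    def toolpane_post(self, referer: str, authenticated: bool):
        """Pre-auth path. Before the patch a SignOut.aspx Referer lets an anonymous
        POST through (the bypass the article describes); the return value stands in
        for what the dropped web shell reads out of web.config. After the patch,
        anonymous POSTs are rejected."""
        bypass = "/_layouts/SignOut.aspx" in referer and not self.patched
        if not (authenticated or bypass):
            return None
        return self.validation_key

    def page_request(self, viewstate_token: str) -> bool:
        """Any request carrying __VIEWSTATE: deserialized iff the MAC validates."""
        payload = verify_viewstate(viewstate_token, self.validation_key)
        if payload is None:
            return False  # MAC failure: ViewState is discarded before deserialization
        self.deserialized.append(payload)
        return True

    def apply_patch(self):
        self.patched = True  # closes the injection path, leaves machineKey untouched

    def rotate_machine_key(self):
        self.validation_key = generate_validation_key()


def attack_timeline():
    """Is a forged ViewState accepted before the patch, after it, and after rotation?"""
    app = SharePointWebApp()
    stolen_key = app.toolpane_post(referer="/_layouts/SignOut.aspx", authenticated=False)
    assert stolen_key is not None
    forged = sign_viewstate(b"<attacker-chosen serialized object graph>", stolen_key)

    before_patch = app.page_request(forged)
    app.apply_patch()
    after_patch = app.page_request(forged)
    # The pre-auth path is now closed, but the key the attacker already holds is not.
    assert app.toolpane_post(referer="/_layouts/SignOut.aspx", authenticated=False) is None
    app.rotate_machine_key()
    after_rotation = app.page_request(forged)
    return before_patch, after_patch, after_rotation


if __name__ == "__main__":
    print(attack_timeline())  # (True, True, False)
```

The practical consequence is that machineKey rotation belongs in the incident checklist for any server that was exposed while unpatched, not just the patch itself; rotation invalidates every outstanding ViewState and other token signed under the old key, which is exactly the property that evicts the attacker.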
Harris also pointed out that it’s not yet clear whether some of the activity associated with CVE-2025-53770 may have been overlapping with or misattributed to CVE-2025-49704 or CVE-2025-49706.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an alert, said it’s aware of active exploitation of CVE-2025-53770, which enables unauthenticated access to SharePoint systems and arbitrary code execution over the network.
“CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action,” said Acting Executive Assistant Director for Cybersecurity, Chris Butera. “Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations. CISA encourages all organizations with on-premise Microsoft SharePoint servers to take immediate recommended action.”
“This is an important example of operational collaboration in action for homeland and national security. This type of rapid identification and response to cyber threats is possible because of the trust and cooperation that has been built between the research community, technology providers, and CISA.”
It’s worth noting that Microsoft has yet to update its advisories for CVE-2025-49706 and CVE-2025-49704 to reflect active exploitation. We have also reached out to the company for further clarification, and we will update the story if we hear back.
(The story is developing. Please check back for more details.)
Source: https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html