Unpatched Microsoft SharePoint Zero-Day Exploited in Active RCE Attacks

July 21st, 2025

Critical

Our Cyber Threat Intelligence Unit has been monitoring two critical zero-day vulnerabilities in Microsoft SharePoint, identified as CVE-2025-53770 and CVE-2025-53771, which have been actively exploited since June 18th, 2025. These vulnerabilities impact on-premises SharePoint servers and allow threat actors to bypass previous security patches for related vulnerabilities (CVE-2025-49706 and CVE-2025-49704). So far, at least 85 servers have been compromised across both public and private sectors, including government agencies. In response, Microsoft and CISA strongly recommend applying the latest updates, enabling AMSI and Microsoft Defender, rotating cryptographic machine keys, and conducting comprehensive assessments of potential compromises to mitigate further exposure and risk.

Technical Details

  • CVE-ID: CVE-2025-53770, CVE-2025-53771.

  • CVSS Score: 9.5 (Critical).

  • Vulnerability Type: Remote Code Execution (RCE) via View State forgery and cryptographic key disclosure.

  • Component Affected: Microsoft SharePoint Server (on-premises).

  • Affected Versions:

    • Microsoft SharePoint Server 2016 (on-premises) — patch pending.

    • Microsoft SharePoint Server 2019 (on-premises) — patched with KB5002754.

    • Microsoft SharePoint Subscription Edition (on-premises) — patched with KB5002768.

CVE-2025-53770 and CVE-2025-53771 are critical zero-day exploit chains that bypass previous fixes for CVE-2025-49706 and CVE-2025-49704, initially associated with the "ToolShell" exploit demonstrated during Pwn2Own Berlin 2025.

Threat actors exploit these vulnerabilities by uploading a malicious ASPX file (spinstall0.aspx) to compromised SharePoint servers. This file allows them to extract the server’s MachineKey configuration, including both the ValidationKey and DecryptionKey. Once these keys are obtained, attackers can forge valid VIEWSTATE tokens using tools like ysoserial, allowing remote code execution through manipulated ViewState payloads.

The exploitation process typically involves sending HTTP POST requests to the _layouts/15/ToolPane.aspx endpoint, with a referer header pointing to _layouts/SignOut.aspx. Notably, these vulnerabilities only impact on-premises SharePoint environments. SharePoint Online remains unaffected.

Impact

  • Unauthenticated Remote Code Execution (RCE): Threat actors can execute arbitrary commands on vulnerable SharePoint servers without authentication, allowing complete system compromise.

  • No User Interaction Required: Exploitation occurs without any end-user interaction, increasing the stealth and efficiency of the attack.

  • Network-Accessible Exploitation: Any exposed on-premises SharePoint server is susceptible to remote exploitation over the network.

  • Critical Threat to Enterprise Environments: Successful exploitation may result in complete server compromise, unauthorized access to sensitive data, lateral movement, and operational disruption across affected environments.

  • Global Scope of Compromise: Over 85 SharePoint servers across at least 54 organizations have been breached worldwide.

  • Broad Victim Demographics: Affected entities include multi-national corporations, national government agencies, educational institutions, energy sectors, healthcare organizations, AI research firms, and financial technology companies.

  • Persistence via Cryptographic Abuse: Adversaries leverage stolen MachineKey configurations to forge valid authentication tokens, enabling persistent, stealthy access.

  • Evasion of Security Controls: While some firewall solutions detect and block known exploit signatures, attackers have demonstrated the ability to bypass these defenses, increasing the risk of further compromise.

  • Privilege Escalation and Lateral Movement: Initial access gained through these vulnerabilities can be used to escalate privileges and pivot to other critical systems within the network.

Detection Method

  • File System Inspection: Scan SharePoint servers for the presence of “spinstall0.aspx” in the following path:

    • C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\

  • IIS Log Monitoring: Review IIS logs for HTTP POST requests to _layouts/15/ToolPane.aspx with a referer header set to _layouts/SignOut.aspx.

  • Network Traffic Inspection: Monitor network traffic for suspicious HTTP POST requests to SharePoint endpoints, particularly from known malicious IP addresses.

  • EDR/AV Alerts: Ensure endpoint detection tools are configured to flag unusual .aspx file activity, anomalous SharePoint processes, and AMSI-based script detections.

  • Malicious IP Correlation: Cross-reference traffic logs for communication with the following IP addresses associated with exploitation attempts:

    • 107.191.58[.]76

    • 104.238.159[.]149

    • 103.186.30[.]186

    • 96.9.125[.]147

  • SIEM Rule Configuration: Configure detection rules to alert on anomalous SharePoint activity, including forged ViewState tokens, unusual authentication flows, and suspicious requests to SharePoint web services.

  • PowerShell and Event Log Analysis: Review the following for signs of suspicious PowerShell commands interacting with SharePoint or attempts to deploy the malicious ASPX payload:

    • Event ID 4104 (PowerShell script block logging).

    • Event ID 4688 (Process creation).
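As an added example (not part of the original advisory), the Python script below turns the IIS log and file-system checks above into a runnable hunt: it parses IIS W3C log lines, flags POST requests to /_layouts/15/ToolPane.aspx that carry the SignOut.aspx referer, marks requests from the listed IP addresses or for spinstall0.aspx, and checks the LAYOUTS directory for spinstall0.aspx against the confirmed hash. The sample log entries and the host name sp.example.test are constructed for illustration, not real traffic.

```python
from hashlib import sha256
from pathlib import Path
# Indicators from the advisory above; the defanged "[.]" IPs are restored for matching.
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "103.186.30.186", "96.9.125.147"}
SPINSTALL_SHA256 = "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"

# Constructed sample IIS W3C log (not real traffic): a benign GET, then the ToolPane POST pattern.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 jdoe 10.0.0.21 Mozilla/5.0 - 200
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 107.191.58.76 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 03:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200
"""

def parse_w3c_log(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def classify_request(row):
    """Return the advisory indicators one log entry matches (empty list if none)."""
    reasons = []
    uri = row.get("cs-uri-stem", "").lower()
    referer = row.get("cs(Referer)", "-").lower()
    if row.get("cs-method") == "POST" and uri.endswith(TOOLPANE_PATH) and referer.endswith(SIGNOUT_REFERER):
        reasons.append("toolpane-post-with-signout-referer")
    if uri.endswith("/spinstall0.aspx"):
        reasons.append("spinstall0-aspx-request")
    if row.get("c-ip") in KNOWN_BAD_IPS:
        reasons.append("known-malicious-ip")
    return reasons

def hunt_iis_log(text):
    """Return (client IP, URI, reasons) for every log entry that matches an indicator."""
    return [(r.get("c-ip"), r.get("cs-uri-stem"), why) for r in parse_w3c_log(text) if (why := classify_request(r))]

def classify_spinstall_bytes(data):
    """Compare file content with the confirmed spinstall0.aspx SHA-256 from the advisory."""
    return "confirmed-malicious" if sha256(data).hexdigest() == SPINSTALL_SHA256 else "present-unknown-hash"

def check_layouts_dir(layouts_dir):
    path = Path(layouts_dir) / "spinstall0.aspx"  # the LAYOUTS directory named in the advisory
    return classify_spinstall_bytes(path.read_bytes()) if path.is_file() else "absent"
```

Point check_layouts_dir at the LAYOUTS path listed above and hunt_iis_log at the text of an IIS log file to run the same checks against a real server.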

Indicators of Compromise

Type | Indicator | Description
File Path | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx | Malicious ASPX payload used to extract MachineKey configuration.
File Name | spinstall0.aspx | Malicious ASPX file uploaded by attackers.
File Hash (SHA-256) | 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | Confirmed malicious hash for spinstall0.aspx.
URL Path | /_layouts/15/ToolPane.aspx | Legitimate endpoint used in exploitation via HTTP POST requests.
Referer Header | /_layouts/SignOut.aspx | Legitimate referer header used during the malicious POST request chain.
IP Address | 107.191.58[.]76 | Confirmed malicious IP.
IP Address | 104.238.159[.]149 | Confirmed malicious IP.
IP Address | 103.186.30[.]186 | Confirmed malicious IP.
IP Address | 96.9.125[.]147 | Confirmed malicious IP.
Event Log ID | 4104 | PowerShell Script Block Logging. Suspicious activity indicator.
Event Log ID | 4688 | Process Creation Event. Potential indication of payload execution or lateral movement behavior.


Recommendations

  • Apply Security Updates Immediately:

    • For SharePoint Subscription Edition, install KB5002768 to update to build 16.0.18526.20424, which addresses both CVE-2025-53770 and CVE-2025-53771.

    • For SharePoint Server 2019, install KB5002754 and the accompanying language pack KB5002739 to reach build 16.0.10417.20027, which remediates both vulnerabilities.

  • Block Known Indicators: Block all IP addresses and files listed in the Indicators of Compromise section above.

  • Enable AMSI Integration: Activate Antimalware Scan Interface (AMSI) integration in SharePoint to allow real-time scanning and blocking of malicious scripts at runtime.

  • Rotate Cryptographic MachineKeys: After patching or enabling AMSI, immediately rotate the MachineKey values to invalidate any previously compromised keys. This can be done via:

    • PowerShell: Update-SPMachineKey

    • Central Administration: Run the Machine Key Rotation job, then restart IIS using iisreset.exe.

  • Isolate if Patching Is Not Immediately Feasible: If patching or AMSI activation is delayed, disconnect vulnerable SharePoint servers from external networks to limit exposure to remote exploitation.

  • Configure or Update IDS/IPS Rules: Flag or block suspicious HTTP POST requests that match the known exploitation pattern.

  • Conduct Compromise Assessments: Check for the known indicators associated with the ongoing SharePoint exploitation:

    • Check for the presence of the malicious file “spinstall0.aspx” at: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx

    • Review IIS logs for suspicious POST requests to /_layouts/15/ToolPane.aspx with a referer of /_layouts/SignOut.aspx, which are associated with observed exploitation attempts.

  • SharePoint Server 2016 Patch Pending: SharePoint Server 2016 remains vulnerable; the current July 2025 update (16.0.5508.1000) does not address these CVEs. A dedicated patch is expected from Microsoft. Until then, implement compensating controls to reduce exposure.

Conclusion

The recently disclosed zero-day vulnerabilities in Microsoft SharePoint (CVE-2025-53770 and CVE-2025-53771) pose a critical and actively exploited threat to on-premises environments. By using forged ViewState payloads, attackers can achieve unauthenticated remote code execution, even on systems that have already been patched. With confirmed compromises across dozens of organizations worldwide, this exploitation campaign highlights the urgency of taking immediate defensive measures. We urge organizations to apply emergency patches, enable AMSI, and rotate cryptographic machine keys to disrupt attacker persistence and reduce ongoing risks. Prompt remediation and proactive threat hunting are essential for preventing further compromise.