Critical SharePoint Zero-Day Exploited
The active exploitation campaign targeting CVE-2025-53770 in Microsoft SharePoint Server demonstrates a sophisticated attack vector that leverages a fundamental weakness in how the software deserializes data it receives from the network.
Attackers exploiting this bug are not merely injecting arbitrary code; they are specifically abusing how SharePoint deserializes untrusted objects. Deserialization is the process of converting data from a stream of bytes back into an object in memory. When this process handles “untrusted data” without proper validation, it can create a critical security flaw.
The severity of this deserialization vulnerability is compounded by its ability to facilitate code execution even before authentication takes place. This pre-authentication access means that attackers do not need to steal user credentials or find a way to log in. They can simply send a specially crafted malicious payload to the vulnerable SharePoint server, and if the deserialization flaw is successfully exploited, their code will execute. This “unauthenticated remote code execution” is among the most dangerous types of vulnerabilities, as it significantly lowers the bar for attackers to gain initial access to a system.
Once inside a compromised SharePoint server, the attackers are employing advanced post-exploitation techniques to maintain their foothold and expand their control. A key tactic involves forging trusted payloads using stolen machine keys. SharePoint servers, like many web applications, use cryptographic keys (often referred to as “MachineKey” configurations, including ValidationKey and DecryptionKey) for various security functions, such as signing and encrypting view state data (a common ASP.NET mechanism).
By stealing these keys, attackers can essentially “sign” their own malicious data as if it were legitimate, allowing them to “persist or move laterally” within the compromised network. This persistence means they can regain access even if a server is rebooted, and lateral movement allows them to spread to other connected systems.
What makes detection and response particularly challenging is that these malicious activities often “blend in with legitimate SharePoint activity.” The forged payloads and the use of stolen keys make it difficult for standard security tools to differentiate between legitimate system operations and malicious commands. This camouflage significantly hampers security teams, making “detection and response especially difficult without deep endpoint visibility.” Organizations need advanced endpoint detection and response (EDR) solutions that can monitor low-level system processes and identify anomalous behavior that might otherwise be overlooked by traditional antivirus or intrusion detection systems.
The Dutch cybersecurity firm Eye Security has provided granular insights into these wide-scale attacks. Their findings suggest that the attacks leverage a chain of vulnerabilities, specifically exploiting CVE-2025-49706 (the spoofing bug) to deliver a remote code execution payload that then exploits CVE-2025-49704 (CVSS score: 8.8), a code injection flaw in SharePoint. This exploit chain has been codenamed “ToolShell.” Given that CVE-2025-53770 is described as a “variant” of CVE-2025-49706, it is strongly suspected that these actively observed attacks are indeed related to the newly identified zero-day.
Eye Security’s analysis suggests a specific bypass for CVE-2025-49706 that elevates it to the criticality of CVE-2025-53770: they “believe that the finding that adding ‘_layouts/SignOut.aspx’ as HTTP referer, makes CVE-2025-49706 into CVE-2025-53770.” This indicates a specific HTTP header manipulation that transforms a lower-severity spoofing bug into a critical remote code execution vulnerability.
The Zero Day Initiative (ZDI), which was credited by Microsoft for the discovery, had previously characterized CVE-2025-49706 as an authentication bypass vulnerability. This bypass stems from how the SharePoint application handles the HTTP Referer header when provided to the ToolPane endpoint (/_layouts/15/ToolPane.aspx). This endpoint is a legitimate part of SharePoint’s administration interface, making it an attractive target for attackers.
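As an added defensive example (not code from the article, Microsoft, ZDI or Eye Security), the Python below parses IIS W3C logs and flags the request shape described above: a POST to the ToolPane endpoint under _layouts whose Referer header points at SignOut.aspx. The log excerpt, client addresses and the sp.example.internal hostname are constructed for the example; the field names are the standard IIS W3C ones.

```python
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not real traffic): an ordinary page view, a
# POST to ToolPane.aspx carrying the SignOut.aspx Referer, an ordinary
# authenticated POST to ToolPane.aspx, and a sign-out redirect. Addresses and
# the hostname are placeholders.
SAMPLE_IIS_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
    "sc-win32-status time-taken",
    "2025-07-19 10:00:01 10.0.0.5 GET /sites/hr/default.aspx - 443 "
    "CORP\\alice 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 45",
    "2025-07-19 10:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - "
    "203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 120",
    "2025-07-19 10:00:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 "
    "CORP\\bob 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) "
    "https://sp.example.internal/sites/hr/default.aspx 200 0 0 80",
    "2025-07-19 10:00:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 - "
    "10.0.0.22 Mozilla/5.0+(Windows+NT+10.0) "
    "https://sp.example.internal/_layouts/SignOut.aspx 302 0 0 10",
])


def parse_iis_w3c(text: str) -> list[dict]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        rows.append(dict(zip(fields, values)))
    return rows


def is_toolshell_suspect(row: dict) -> bool:
    """All three conditions must hold: POST method, ToolPane.aspx under
    _layouts, and a Referer naming SignOut.aspx. IIS records a missing header
    as '-', which never matches."""
    method = row.get("cs-method", "").upper()
    stem = unquote(row.get("cs-uri-stem", "")).lower()
    referer = unquote(row.get("cs(Referer)", "")).lower()
    return (
        method == "POST"
        and "/_layouts/" in stem
        and stem.endswith("/toolpane.aspx")
        and "/_layouts/signout.aspx" in referer
    )


def find_suspects(text: str) -> list[dict]:
    """Return a compact record for each flagged request."""
    return [
        {"time": f"{r['date']} {r['time']}", "c-ip": r["c-ip"],
         "status": r["sc-status"], "query": r["cs-uri-query"]}
        for r in parse_iis_w3c(text) if is_toolshell_suspect(r)
    ]


if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_IIS_LOG):
        print(hit)
```

Only the second line is flagged: the legitimate POST from an authenticated user carries a normal site Referer, and the sign-out redirect is a GET to a different page. The rule depends on cs(Referer) being among the logged fields, so confirm it is enabled in the site's IIS logging settings before relying on this check, and pair a hit with a file-system review of the SharePoint layouts directory for recently written ASPX files.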
The malicious activity involves delivering ASPX payloads via PowerShell. ASPX (Active Server Pages eXtended) files are web pages that contain server-side scripts, and delivering them allows attackers to execute commands directly on the web server. This payload is then used to steal the SharePoint server’s MachineKey configuration, which critically includes the ValidationKey and DecryptionKey. These keys are fundamental cryptographic secrets used by ASP.NET applications to ensure the integrity and confidentiality of view state data. By possessing these keys, attackers can maintain persistent access to the compromised server.
As Eye Security noted, these keys are “crucial for generating valid __VIEWSTATE payloads.” The __VIEWSTATE mechanism is a core component of ASP.NET that helps web applications maintain state information between different user requests. It is cryptographically signed (using the ValidationKey) and optionally encrypted (using the DecryptionKey). With the MachineKey in hand, attackers can “craft forged __VIEWSTATE payloads that SharePoint will accept as valid—enabling seamless remote code execution.”
This means that any subsequent authenticated SharePoint request can be manipulated by the attacker to execute arbitrary commands, making remediation exceptionally difficult. As watchTowr CEO Benjamin Harris highlighted, “a typical patch would not automatically rotate these stolen cryptographic secrets leaving organizations vulnerable even after they patch.” This implies that even after Microsoft releases a patch, affected organizations may need to perform additional steps, such as regenerating and replacing their MachineKey, to fully mitigate the risk.
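To make the remediation point concrete, here is an added illustration (not code from the article, Microsoft, Eye Security or watchTowr) of why a stolen validation key keeps working until it is rotated: a toy HMAC-signed state token modelled loosely on ASP.NET view state. The token layout, key size and JSON body are constructed for the example and do not match ASP.NET's real serializer or key derivation; only the relationship between key possession and accepted tokens is modelled.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Simplified stand-in for ASP.NET's MAC-protected view state (assumption: the
# real __VIEWSTATE format differs; only "whoever holds the validation key can
# mint tokens the server accepts" is modelled here).
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


class InvalidStateError(ValueError):
    """Raised when a token fails its integrity check."""


def generate_validation_key() -> bytes:
    """Fresh random key, the analogue of regenerating a machineKey validationKey."""
    return secrets.token_bytes(64)


def sign_state(validation_key: bytes, state: dict) -> str:
    """Serialize state, append HMAC-SHA256 over it, base64-encode for transport."""
    body = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()


def verify_state(validation_key: bytes, token: str) -> dict:
    """Check the MAC before parsing the body; the body is untrusted until then."""
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        raise InvalidStateError("token too short to carry a MAC")
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise InvalidStateError("MAC check failed")
    return json.loads(body)


def is_valid(validation_key: bytes, token: str) -> bool:
    """Boolean wrapper: malformed base64 and MAC failures both count as invalid."""
    try:
        verify_state(validation_key, token)
        return True
    except (InvalidStateError, ValueError):
        return False


def rotation_invalidates(old_key: bytes, new_key: bytes, token: str) -> bool:
    """True when a token minted under old_key is accepted by old_key but
    rejected once the server moves to new_key: rotation is what closes the
    door that a stolen old_key would otherwise keep open after patching."""
    return is_valid(old_key, token) and not is_valid(new_key, token)


if __name__ == "__main__":
    key = generate_validation_key()
    token = sign_state(key, {"page": "default.aspx", "counter": 1})
    print("accepted under current key:", is_valid(key, token))
    rotated = generate_validation_key()
    print("accepted after rotation:", is_valid(rotated, token))
```

The MAC itself is doing its job in both runs: it proves only that the token was produced by someone holding the key. That is exactly why a code patch alone does not help once the key has been read from the server, and why the key must be regenerated and the new value rolled out to every server in the farm.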
Eye Security CTO Piet Kerkhofs warned about the ongoing nature of the threat: “We are still identifying mass exploit waves. This will have a huge impact as adversaries are laterally moving using this remote code execution with speed.” This emphasizes the rapid nature of the compromise and the potential for widespread network infiltration. As of the time of reporting, more than 85 SharePoint servers globally have been identified as compromised with malicious web shells. These hacked servers belong to at least 29 distinct organizations, including both multinational firms and government entities, highlighting the broad impact and high-value targets.
Benjamin Harris also raised a valid point about potential overlap or misattribution, noting that it’s “not yet clear whether some of the activity associated with CVE-2025-53770 may have been overlapping with or misattributed to CVE-2025-49704 or CVE-2025-49706.” This is a common challenge in incident response, where complex exploit chains can make it difficult to definitively categorize and isolate the specific vulnerabilities being leveraged. Regardless of the exact chaining, the outcome is clear: unauthenticated remote code execution.
Immediate Mitigation and Official Response
In the critical absence of an official patch for CVE-2025-53770, Microsoft is strongly urging affected customers to implement immediate mitigation strategies to protect their on-premises SharePoint servers. These measures are designed to limit the attack surface and detect potential post-exploitation activity.
The primary recommendations from Microsoft include:
- Configure Antimalware Scan Interface (AMSI) Integration in SharePoint: AMSI is a versatile interface that allows applications and services to integrate with any antimalware product present on a machine. By enabling AMSI integration in SharePoint, the system can send content (like scripts or payloads) for real-time scanning by an installed antivirus solution before it is executed. This can help detect and block malicious scripts or web shells dropped by attackers. It’s important to note that AMSI integration is enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. Organizations running older versions or those that may have manually disabled AMSI should prioritize verifying and enabling this feature.
- Deploy Defender AV on all SharePoint Servers: Microsoft Defender Antivirus (Defender AV) is Microsoft’s built-in antimalware solution. Deploying and ensuring it is actively running on all SharePoint servers provides a foundational layer of protection against known malware and can potentially detect suspicious activity related to the exploitation.
For organizations that cannot enable AMSI for any reason, Microsoft advises a more drastic but highly effective measure: disconnecting the SharePoint Server from the internet until a security update becomes available. This isolates the server from external attack vectors, completely preventing remote exploitation. While this might impact business operations, it offers the highest level of immediate protection.
For an added layer of security and enhanced post-exploit detection, users are also recommended to deploy Defender for Endpoint. This is a more advanced endpoint detection and response (EDR) solution that provides deep visibility into system activities, behavioral monitoring, and automated investigation capabilities. Defender for Endpoint can detect and block sophisticated post-exploitation activities, such as lateral movement, privilege escalation, and data exfiltration, even if the initial vulnerability was successfully exploited.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued an urgent alert regarding the active exploitation of CVE-2025-53770. CISA confirmed that the vulnerability enables “unauthenticated access to SharePoint systems and arbitrary code execution over the network.” This warning from a federal agency underscores the severe and widespread nature of the threat. Chris Butera, Acting Executive Assistant Director for Cybersecurity at CISA, stated: “CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action.”
He further added, “Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations. CISA encourages all organizations with on-premise Microsoft Sharepoint servers to take immediate recommended action.” This highlights the collaborative effort between government cybersecurity agencies and technology providers to address critical threats rapidly. Butera emphasized the importance of this operational collaboration: “This is an important example of operational collaboration in action for homeland and national security. This type of rapid identification and response to cyber threats is possible because of the trust and cooperation that has been built between the research community, technology providers, and CISA.”
As of the current reporting, Microsoft has yet to update its advisories for CVE-2025-49706 and CVE-2025-49704 to specifically reflect active exploitation of the variant CVE-2025-53770. This delay in updating existing advisories can sometimes cause confusion for security teams trying to track and respond to threats based on official vendor guidance. Continued monitoring of Microsoft’s official security advisories is essential for organizations relying on SharePoint Server. The rapid response from both Microsoft and CISA, coupled with detailed insights from cybersecurity firms, provides critical information for organizations to defend against this severe zero-day threat.