Microsoft SharePoint zero-day exploited in RCE attacks, no patch available


Update 7/21/25: Added links to the security updates for Microsoft SharePoint 2019.

Critical zero-day vulnerabilities in Microsoft SharePoint, tracked as CVE-2025-53770 and CVE-2025-53771, have been actively exploited since at least July 18th, with no patch available when the attacks were first disclosed and at least 85 servers already compromised worldwide.

In May, Viettel Cyber Security researchers chained two Microsoft SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, in a “ToolShell” attack demonstrated at Pwn2Own Berlin to achieve remote code execution.

While Microsoft patched both ToolShell flaws as part of the July Patch Tuesday, it is now warning that threat actors were able to bypass the fixes with new exploits.

These new vulnerabilities are tracked as CVE-2025-53770 (which bypasses the fix for CVE-2025-49704) and CVE-2025-53771 (which bypasses the fix for CVE-2025-49706), and are being actively exploited in attacks against on-premises SharePoint servers.

“Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update,” warns a new Microsoft blog post.

“These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.”

Microsoft has now released the following emergency updates for SharePoint that fix both of the zero-day flaws:

  • The KB5002754 update for Microsoft SharePoint Server 2019.
  • The KB5002768 update for Microsoft SharePoint Subscription Edition.
  • The update for Microsoft SharePoint Enterprise Server 2016 has not been released yet; Microsoft says it is still working on it and that it should be released soon.

“Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706,” reads Microsoft’s updated CVE advisories.

For SharePoint servers that do not yet have a patch, or where the patch cannot be applied immediately, Microsoft recommends that customers install the latest available SharePoint security updates, enable AMSI integration in SharePoint, and deploy Defender AV on all SharePoint servers.

Microsoft AMSI (Antimalware Scan Interface) is a security feature that allows applications and services to pass potentially malicious content to an installed antivirus solution for real-time scanning. It’s commonly used to inspect scripts and code in memory, helping detect and block obfuscated or dynamic threats.

Microsoft says that enabling these mitigations will prevent unauthenticated attacks from exploiting the flaws.

The company notes that AMSI integration has been enabled by default since the September 2023 security updates for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.

Microsoft also suggests that customers rotate their SharePoint Server ASP.NET machine keys after applying the security updates or enabling AMSI. An attacker who already stole the keys from a compromised server can otherwise keep forging validly signed ViewState payloads and executing commands on it even after it is patched; rotating the keys invalidates the stolen material.

SharePoint admins can rotate machine keys using one of the two methods below:

Manually via PowerShell

To update the machine keys using PowerShell, use the Update-SPMachineKey cmdlet.

Manually via Central Admin

Trigger the Machine Key Rotation timer job by performing the following steps:

  • Navigate to the Central Administration site.
  • Go to Monitoring -> Review job definition.
  • Search for Machine Key Rotation Job and select Run Now.
  • After the rotation has completed, restart IIS on all SharePoint servers using iisreset.exe.
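The two steps above, carried out from PowerShell for a whole farm, as an added example (this is not Microsoft's or the article's own script). It assumes an elevated PowerShell session on a SharePoint server, run by a farm administrator with shell access to the configuration and content databases, and that WinRM is enabled between the farm servers so iisreset can be triggered remotely. Update-SPMachineKey, Get-SPWebApplication and Get-SPServer are the real SharePoint cmdlets; the loop over web applications and the remote IIS restart are this example's own logic.

```powershell
# Added example: rotate ASP.NET machine keys for every SharePoint web application,
# then restart IIS on every SharePoint server so worker processes load the new keys.
# Assumptions: elevated session, farm admin rights, WinRM reachable on all farm servers.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: rotate the keys on each web application, Central Administration included.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating machine keys for $($wa.DisplayName) ($($wa.Url))"
    Update-SPMachineKey -WebApplication $wa -Confirm:$false
}

# Step 2: restart IIS on every server that runs SharePoint.
# Role 'Invalid' is the value SharePoint reports for servers that host no SharePoint
# role (for example the SQL Server), so they are skipped.
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($s in $servers) {
    Write-Host "Restarting IIS on $($s.Address)"
    Invoke-Command -ComputerName $s.Address -ScriptBlock { iisreset.exe /noforce }
}
```

Run it once from any server in the farm; the key rotation itself is a farm-wide operation, so only the iisreset needs to touch every server. If WinRM is not available, run iisreset.exe locally on each SharePoint server instead.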

If you cannot enable AMSI, Microsoft says that SharePoint servers should be disconnected from the internet until a security update is released.

To detect if a SharePoint server has been compromised, admins can check if the C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx exists.

Microsoft also shared the following Microsoft 365 Defender query that can be used to check for this file:

DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx" or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc

After publishing this article, CISA added the Microsoft SharePoint CVE-2025-53770 vulnerability to its Known Exploited Vulnerabilities catalog, giving federal agencies one day to apply patches once they are released.

“CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action,” CISA’s Acting Executive Assistant Director for Cybersecurity Chris Butera told BleepingComputer.

“Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations. CISA encourages all organizations with on-premise Microsoft Sharepoint servers to take immediate recommended action.”

BleepingComputer contacted Microsoft last night to ask when exploitation had started but was told they have nothing further to share other than their blog post.

Further IOCs and technical information from other cybersecurity firms are shared below.

Exploited in RCE attacks

The Microsoft SharePoint zero-day attacks were first identified by Dutch cybersecurity firm Eye Security, which initially told BleepingComputer that over 29 organizations had already been compromised by the attacks, a figure it later revised upward to 54.

Eye Security first observed attacks on July 18th after receiving an alert from one of their customers’ EDR agents that a suspicious process tied to an uploaded malicious .aspx file was launched.

IIS logs showed that a POST request was made to _layouts/15/ToolPane.aspx with an HTTP referer of /_layouts/SignOut.aspx.

Upon investigation, it was determined that threat actors weaponized the Pwn2Own ToolShell vulnerability soon after CODE WHITE GmbH replicated the exploit and Soroush Dalili shared further technical details about the HTTP referer last week.

“We have reproduced ‘ToolShell’, the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg  to pop SharePoint at #Pwn2Own Berlin 2025, it’s really just one request!,” posted CODE WHITE GmbH to X

Demonstration of the created Microsoft SharePoint ToolShell exploit
Source: CODE WHITE GmbH

As part of the exploitation, attackers upload a file named “spinstall0.aspx,” which is used to steal the Microsoft SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey.

“Now, with the ToolShell chain (CVE-2025-49706 + CVE-2025-49704), attackers appear to extract the ValidationKey directly from memory or configuration,” explains Eye Security.

“Once this cryptographic material is leaked, the attacker can craft fully valid, signed __VIEWSTATE payloads using a tool called ysoserial as shown in the example below.

“Using ysoserial the attacker can generate its own valid SharePoint tokens for RCE.”

Malicious spinstall0.aspx used to steal ValidationKey
Source: BleepingComputer

ViewState is used by ASP.NET, which powers SharePoint, to maintain the state of web controls between web requests. It is protected by a MAC computed with the server’s ValidationKey, so if that key is exposed, an attacker can craft a ViewState payload that passes validation and injects malicious code that executes on the server when the payload is deserialized.

Eye Security CTO Piet Kerkhofs told BleepingComputer that they have conducted scans of the internet for compromised servers and found 54 organizations impacted in the attacks.

“Although we identified 85+ compromised SharePoint Servers worldwide, we were able to cluster them down to the organizations affected,” Kerkhofs told BleepingComputer.

Of those 54 organizations, Eye Security says several multinationals and national government entities were breached.

Some of these include a private university in California state, a private energy sector operator in California state, a federal government health org, a private AI tech company, a private Fintech company in New York state, and a state government org in Florida.

Kerkhofs also told BleepingComputer that some firewall vendors are successfully blocking CVE-2025-49704 payloads attached to HTTP POST requests. However, Kerkhofs warned that if the attackers can bypass the signature, many more SharePoint servers will likely be hit.

The following IOCs were shared to help defenders determine if their SharePoint servers were compromised:

  • Exploitation from IP address 107.191.58[.]76 seen by Eye Security on July 18th
  • Exploitation from IP address 104.238.159[.]149 seen by Eye Security on July 19th.
  • Exploitation from IP address 96.9.125[.]147 seen by Palo Alto Networks.
  • Creation of C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx file.
  • IIS logs showing a POST request to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with an HTTP referer of _layouts/SignOut.aspx.

If the presence of any of these IOCs is detected in IIS logs or the file system, administrators should assume their server has been compromised and immediately take it offline.
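A triage script that checks a server against the indicators above (the spinstall0.aspx file in the LAYOUTS directory, the ToolPane.aspx POST with a SignOut.aspx referer, requests for spinstall0, and the three source IPs reported by Eye Security and Palo Alto Networks), as an added example that is not from the article or any of the vendors quoted. The IIS log lines it parses are constructed for the demo: the hostname sp.example.com, the internal addresses and the user name are invented, and the spinstall0.aspx GET only illustrates what a request for the uploaded web shell would look like. In use, point $LogDir at the real IIS log folder (typically C:\inetpub\logs\LogFiles\W3SVC<siteId>) and delete the sample block.

```powershell
# Added example: look for ToolShell indicators in IIS W3C logs and on disk.
# Sample log below is constructed; real logs live under C:\inetpub\logs\LogFiles.

# IOC source IPs from the article (Eye Security, Palo Alto Networks).
$IocIps = @('107.191.58.76', '104.238.159.149', '96.9.125.147')
# Web shell path given by Microsoft.
$WebShellPath = 'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx'

# Constructed sample: two attacker requests followed by one benign request.
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200 0 0 312
2025-07-18 14:02:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 18
2025-07-18 14:05:40 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0 https://sp.example.com/ 200 0 0 44
'@
$LogDir = Join-Path $env:TEMP 'toolshell-demo'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Set-Content -Path (Join-Path $LogDir 'u_ex250718.log') -Value $sample

function Get-ToolShellIndicators {
    param([string]$LogDir, [string[]]$IocIps, [string]$WebShellPath)
    $findings = @()

    # Check 1: the web shell dropped by the exploit chain.
    if (Test-Path -LiteralPath $WebShellPath) {
        $findings += [pscustomobject]@{ Indicator = 'webshell_on_disk'; Detail = $WebShellPath; Log = '' }
    }

    # Check 2: walk every IIS log, using the #Fields header to name the columns.
    foreach ($file in Get-ChildItem -Path $LogDir -Filter '*.log') {
        $fields = $null
        foreach ($line in Get-Content -Path $file.FullName) {
            if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
            if ($line.StartsWith('#') -or -not $fields) { continue }   # other directives / no header yet
            $values = $line -split ' '
            if ($values.Count -ne $fields.Count) { continue }           # malformed line, skip
            $row = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

            $tags = @()
            # The exploit request: POST to ToolPane.aspx with the SignOut.aspx referer.
            if ($row['cs-method'] -eq 'POST' -and
                $row['cs-uri-stem'] -match '(?i)/_layouts/15/ToolPane\.aspx$' -and
                $row['cs(Referer)'] -match '(?i)/_layouts/SignOut\.aspx') {
                $tags += 'toolpane_signout_referer'
            }
            # Any request touching the web shell by name.
            if ($row['cs-uri-stem'] -match '(?i)spinstall0') { $tags += 'spinstall0_request' }
            # Known attacker source addresses.
            if ($IocIps -contains $row['c-ip']) { $tags += 'ioc_source_ip' }

            if ($tags) {
                $findings += [pscustomobject]@{
                    Indicator = ($tags -join ',')
                    Detail    = "$($row['date']) $($row['time']) $($row['c-ip']) $($row['cs-method']) $($row['cs-uri-stem'])"
                    Log       = $file.Name
                }
            }
        }
    }
    return $findings
}

$hits = Get-ToolShellIndicators -LogDir $LogDir -IocIps $IocIps -WebShellPath $WebShellPath
$hits | Format-Table -AutoSize
if ($hits) { Write-Warning 'Indicators found: treat this server as compromised and take it offline.' }
```

On the constructed sample the first line is tagged toolpane_signout_referer,ioc_source_ip and the second spinstall0_request,ioc_source_ip; the benign request produces nothing. Note that a real User-Agent field contains "+" in place of spaces, so splitting on a single space still yields one value per column, which is why the script relies on the column count to detect malformed lines.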

Further investigations should be conducted to determine if the threat actors spread further to other devices.

This is a developing story and will be updated as new information becomes available.

Update 7/20/25 5:44 PM ET: Updated to up the count of breached organizations and that CISA is giving agencies one day to apply the upcoming security update.
Update 7/20/25 6:20 PM ET: Added examples of some of the orgs breached in the SharePoint attacks.
Update 7/20/25 7:12 PM ET: Added information that there are actually two zero-days exploited, both bypasses for Microsoft’s original fixes. Also added that the security update for SharePoint Subscription edition has been released.
Update 7/21/25 12:45 AM ET: Added the link to the Microsoft SharePoint 2019 security update.
