UPDATED Monday 8:17am: Redmond has a patch ready and updated guidance.
A zero day vulnerability in on-premises SharePoint instances is being actively exploited in the wild – and Microsoft is scrambling to ready a patch.
The SharePoint zero day has been allocated CVE-2025-53770 (CVSS 9.8).
Over 85 instances had been breached including “big companies and large government bodies across the world,” said cybersecurity firm Eye Security, one of the first to identify exploitation in the wild, on Sunday.
On-prem SharePoint (2016, 2019, or Subscription Edition) exposed to the internet is in the blast radius. The attackers are stealing SharePoint MachineKeys. (If you patch but don't rotate your keys, they're still in your box.)
Defenders should look out for:
- POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Creation of spinstall0.aspx
- IPs: 107.191.58.76, 104.238.159.149, 96.9.125.147
(Both IPs and payloads will no doubt evolve rapidly so this is bare minimum.)
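A defender's first pass over the three indicators above can be scripted. The following is an added example, not tooling from Eye Security, Microsoft or the article: it parses IIS W3C logs using the `#Fields:` header (so column order does not matter) and flags the ToolPane POST, the web shell path and the listed IPs. The log lines are constructed for the example and are not real traffic; extend `KNOWN_BAD_IPS` as vendor IOC lists grow.

```python
"""Scan IIS W3C log lines for the SharePoint indicators listed in the article.

Added example; not code from the article or any vendor. The sample log below
is constructed, not captured traffic.
"""
from dataclasses import dataclass, field

# Indicators taken from the article (paths compared lower-cased)
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
WEBSHELL_NAME = "spinstall0.aspx"
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

# Constructed sample IIS log (W3C extended format); lines 4 and 5 are the bad ones.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /sites/hr/Forms/AllItems.aspx - 443 CORP\\jdoe 10.0.1.20 Mozilla/5.0 200
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-19 03:13:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-19 03:15:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\asmith 10.0.1.31 Mozilla/5.0 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    request: str
    reasons: list = field(default_factory=list)


def parse_w3c(text: str):
    """Yield (line_no, row dict) per data line, naming columns from the
    most recent #Fields header so the scanner is independent of column order."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield line_no, dict(zip(fields, values))


def scan(text: str) -> list:
    """Return one Finding per log line that matches any indicator."""
    findings = []
    for line_no, row in parse_w3c(text):
        method = row.get("cs-method", "").upper()
        path = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "").lower()
        client_ip = row.get("c-ip", "")
        reasons = []
        if method == "POST" and path.endswith(TOOLPANE_PATH) and "displaymode=edit" in query:
            reasons.append("toolpane_edit_post")
        if path.endswith("/" + WEBSHELL_NAME):
            reasons.append("webshell_path")
        if client_ip in KNOWN_BAD_IPS:
            reasons.append("known_bad_ip")
        if reasons:
            request = f"{method} {row.get('cs-uri-stem', '')}"
            findings.append(Finding(line_no, client_ip, request, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_IIS_LOG):
        print(f"line {f.line_no}: {f.request} from {f.client_ip} -> {', '.join(f.reasons)}")
```

Feed real logs with `scan(open(path).read())`; a hit on `toolpane_edit_post` from an unknown IP still deserves a look, since the IP list is the weakest of the three indicators.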
CTO Piet Kerkhofs told The Stack late Sunday: "We identified now 85+ compromised SharePoint Servers worldwide, we were able to cluster them down to the organizations affected. When clustered, we can confirm at least 29 organisations have fallen victim.
"Of those 29 organisations, there are several multi-national, national government entities and banks. Geo mainly based in US, Germany, France & Australia. The rest is scattered across Europe (Netherlands/Switzerland/Sweden/and more), Asia (Oman/UAE/Saudi Arabia and more) and Canada."
SharePoint is widely used for file sharing and enterprise collaboration and can be a goldmine for attackers.
“We have outlined mitigations and detections in our blog. Our team is working urgently to release a security update and will share more details as they become available,” Microsoft said on Saturday (July 19). By Sunday it had pushed a patch live and updated guidance.
| Product | KB Article | Security Update | Fixed Build Number |
|---|---|---|---|
| Microsoft SharePoint Server 2019 | 5002741 | Security Update | 16.0.10417.20027 |
| Microsoft SharePoint Enterprise Server 2016 | 5002744 | Security Update | 16.0.5508.1000 |
SharePoint zero day CVE-2025-53770
watchTowr CEO Benjamin Harris commented that attackers are deploying persistent backdoors and, notably, are "taking a more sophisticated route" than usual: the backdoor retrieves SharePoint's internal cryptographic keys, specifically the MachineKey used to secure the __VIEWSTATE parameter.
"__VIEWSTATE is a core mechanism in ASP.NET that stores state information between requests. It is cryptographically signed and optionally encrypted using the ValidationKey and DecryptionKey. With these keys in hand, attackers can craft forged __VIEWSTATE payloads that SharePoint will accept as valid – enabling seamless remote code execution.
"This approach makes remediation particularly difficult – a typical patch would not automatically rotate these stolen cryptographic secrets leaving organizations vulnerable even after they patch. In this case, Microsoft will likely need to recommend additional steps to remediate the vulnerability and any compromise post-response."
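Harris's remediation point can be made concrete. The block below is an added illustration, not code from the article, watchTowr or Microsoft, and it is a deliberately simplified model: ASP.NET's real __VIEWSTATE serialization and MachineKey handling are not reproduced, only the sign-and-verify logic that a ValidationKey controls. It shows that a server accepts any token minted under its current key, whoever holds that key, and that only rotating the key changes that outcome.

```python
"""Toy model of the __VIEWSTATE MAC to show why key rotation is part of remediation.

Added example; not ASP.NET's format. The state payloads are constructed.
"""
import base64
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def new_validation_key() -> bytes:
    """Fresh random key, standing in for the MachineKey ValidationKey."""
    return secrets.token_bytes(64)


def sign_viewstate(state: bytes, validation_key: bytes) -> str:
    """Append an HMAC-SHA256 over the state and base64-encode the result."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def verify_viewstate(token: str, validation_key: bytes):
    """Return the state bytes if the MAC verifies under this key, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return state


def rotation_demo() -> dict:
    """Walk through the scenario in the article and report what the server accepts."""
    key = new_validation_key()
    # Token the server itself issued.
    legit = sign_viewstate(b'{"page":"home"}', key)
    # Token minted by any party holding a copy of the same key (the leaked-key case).
    minted_with_copied_key = sign_viewstate(b'{"page":"other"}', key)
    # Same token with one byte of state altered but the old MAC kept.
    tampered = base64.b64encode(b'{"page":"OTHER"}' + base64.b64decode(minted_with_copied_key)[-MAC_LEN:]).decode()
    # Key rotation: new key installed, old key discarded.
    rotated_key = new_validation_key()
    return {
        "legit_accepted_before_rotation": verify_viewstate(legit, key) is not None,
        "copied_key_token_accepted_before_rotation": verify_viewstate(minted_with_copied_key, key) is not None,
        "tampered_token_accepted": verify_viewstate(tampered, key) is not None,
        "copied_key_token_accepted_after_rotation": verify_viewstate(minted_with_copied_key, rotated_key) is not None,
        "legit_accepted_after_rotation": verify_viewstate(legit, rotated_key) is not None,
    }


if __name__ == "__main__":
    for check, accepted in rotation_demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

The second and fourth results are the remediation story in miniature: the MAC alone cannot distinguish the server's own tokens from ones made with a copy of its key, so a code patch that leaves the key in place leaves that acceptance in place too; rotation invalidates every token minted under the old key, legitimate ones included, which is why the rotation is a deliberate post-patch step rather than a side effect of patching.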
The zero day appears to be a variation of a SharePoint exploit demonstrated by @_l0gg at the Pwn2Own competition in Berlin in May.
That exploit chain had been described as “ToolShell” and chained two earlier SharePoint CVEs, allocated CVE-2025-49706 and CVE-2025-49704.
Microsoft said the attacks are “exploiting a variant of CVE-2025-49706” – a novel enough variant that an entirely new patch and CVE are needed.
Germany’s Code White GmbH security firm said on July 14 that it had reproduced the “unauthenticated exploit chain” for the two bugs.
Palo Alto Networks on July 19 said that it had seen attacks exploiting what it claimed was the same ToolShell attack chain globally. This may, in fact, have been exploits of the new SharePoint zero day, i.e. CVE-2025-53770.
The security firm said that attackers were:
- Dropping malicious ASPX payloads via PowerShell
- Stealing machine keys to maintain persistent access
- Targeting organizations worldwide
Some 9,000 SharePoint instances are exposed to the internet.

(This scan by ShadowServer does not filter for vulnerability.)
The Hague-based Eye Security on July 19 said that it had responded to incidents of exploitation in the wild – all of which involved the upload of a malicious .aspx file (“A classic web shell, obfuscated code in a custom path, designed to allow remote command execution via HTTP…”) it said.
The sole purpose of the .aspx file is to “extract and leak cryptographic secrets from the SharePoint server using a simple GET request,” it added.
Microsoft urged customers to mitigate while it readies a patch.
It told users to “configure AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers…AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.” Microsoft has published details on how to enable AMSI integration.
"If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until a security update is available," Microsoft added.
Once crypto keys are leaked, “the attacker can craft fully valid, signed __VIEWSTATE payloads using a tool called ysoserial,” said Eye Security.
“Using ysoserial the attacker can generate its own valid SharePoint tokens for RCE. These payloads can embed any malicious commands and are accepted by the server as trusted input, completing the RCE chain without requiring credentials. This mirrors… design weakness exploited in 2021, but now packaged into a modern zero-day chain with automatic shell drop, full persistence, and zero authentication,” Eye Security added. More to follow.