Microsoft confirmed over the weekend that threat actors are actively exploiting two zero-day vulnerabilities in on-premises SharePoint servers, designated CVE-2025-53770 and CVE-2025-53771.
The attacks, dubbed “ToolShell” by security researchers, have compromised dozens of organizations globally since July 18, including U.S. federal agencies, universities, and energy companies.
The primary vulnerability, CVE-2025-53770, carries a critical CVSS score of 9.8 and enables unauthenticated remote code execution through unsafe deserialization of untrusted data.
The companion flaw, CVE-2025-53771 (CVSS 6.3), allows attackers to bypass authentication by manipulating HTTP headers, specifically crafting requests with forged Referer headers pointing to SharePoint’s sign-out page.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on July 20, requiring federal agencies to implement mitigations within 24 hours.
Acting Executive Assistant Director Chris Butera confirmed CISA was alerted by a trusted partner and immediately coordinated with Microsoft.
“We’re witnessing an urgent and active threat,” warned Lotem Finkelstein, Director of Threat Intelligence at Check Point Research. “Our team has confirmed dozens of compromise attempts across government, telecom, and tech sectors since July 7.”
Security researchers estimate over 10,000 SharePoint servers worldwide remain vulnerable, with the highest concentrations in the United States, Netherlands, United Kingdom, and Canada.
Eye Security, which first disclosed the active exploitation, reported scanning more than 8,000 SharePoint servers globally and finding evidence of ongoing attacks in multiple waves.
The ToolShell exploit chain demonstrates sophisticated tactics, beginning with specially crafted POST requests to SharePoint’s vulnerable ToolPane.aspx endpoint.
Attackers manipulate the Referer header to bypass authentication, then upload malicious ASPX files typically named “spinstall0.aspx” to extract critical cryptographic keys from the server.
These stolen ValidationKeys and DecryptionKeys enable attackers to forge legitimate authentication tokens, maintaining persistent access even after patching.
The technique allows threat actors to execute PowerShell commands through SharePoint’s IIS worker process (w3wp.exe), often running under NT AUTHORITY\IUSR privileges.
“The vulnerability fundamentally breaks SharePoint’s security model,” explained researchers at Strobes Security. “Once exploited, attackers can steal SharePoint’s cryptographic MachineKey configuration, granting persistent access indefinitely.”
Microsoft released emergency security updates on July 21 for SharePoint Server Subscription Edition (KB5002768) and SharePoint Server 2019 (KB5002754), with language pack updates also available. However, SharePoint Server 2016 remains vulnerable, with Microsoft working to develop comprehensive patches.
| Product | Security Update link |
| --- | --- |
| Microsoft SharePoint Server Subscription Edition | Download Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768) from Official Microsoft Download Center |
| Microsoft SharePoint Server 2019 | Download Security Update for Microsoft SharePoint 2019 (KB5002754) from Official Microsoft Download Center; Security Update for Microsoft SharePoint Server 2019 Language Pack (KB5002753) |
| Microsoft SharePoint Server 2016 | Security Update for Microsoft SharePoint Enterprise Server 2016 (KB5002760); Security Update for Microsoft SharePoint Enterprise Server 2016 Language Pack (KB5002759) |
To mitigate potential attacks, customers should:
Microsoft Defender Unified Advanced Hunting query:

```kusto
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-49706","CVE-2025-53770")
```

To check for successful exploitation via file creation:

```kusto
DeviceFileEvents
| where FolderPath has_any (@'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS', @'microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS')
| where FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
```

To check for process creation:

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
    and InitiatingProcessCommandLine !has "DefaultAppPool"
    and FileName =~ "cmd.exe"
    and ProcessCommandLine has_all ("cmd.exe", "powershell")
    and ProcessCommandLine has_any ("EncodedCommand", "-ec")
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments to typeof(string)
| where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"
| extend B64Decode = replace("\\x00", "", base64_decodestring(tostring(CommandArguments)))
| where B64Decode has_any ("spinstall0", @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS', @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS')
```
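The two hunting queries above are only useful if you understand what each filter actually does to a record. The following Python is an added example, not code from Microsoft or from the article: it re-implements the file-creation and process-creation queries over constructed sample telemetry so the logic can be read and tested offline. It assumes only the Defender columns the queries reference, approximates KQL's term-based `has` with a case-insensitive substring test, and decodes `-EncodedCommand` arguments the same way the query does (base64 of UTF-16LE, then the NUL bytes stripped). All sample events are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Directories from the two hunting queries: full paths as DeviceFileEvents records
# them, and the 8.3 short names as they appear inside decoded -EncodedCommand text.
LAYOUTS_DIRS = (
    r"microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    r"microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
)
SHORT_LAYOUTS_DIRS = (
    r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS",
    r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS",
)
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/=]{15,}$")  # same regex the query applies per argument


@dataclass
class FileEvent:  # subset of DeviceFileEvents columns (assumed field names)
    folder_path: str
    file_name: str
    initiating_process: str


@dataclass
class ProcessEvent:  # subset of DeviceProcessEvents columns (assumed field names)
    initiating_process_file_name: str
    initiating_process_command_line: str
    file_name: str
    process_command_line: str


def _contains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring test; approximates KQL `has`, which is term-based."""
    return needle.lower() in haystack.lower()


def is_suspicious_file_event(ev: FileEvent) -> bool:
    """File-creation query: a file named like spinstall0 written under a LAYOUTS directory."""
    return any(_contains(ev.folder_path, d) for d in LAYOUTS_DIRS) and _contains(ev.file_name, "spinstall0")


def decode_encoded_command(token: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text. Decode it and drop the NUL
    bytes, which is what replace("\\x00", "", base64_decodestring(...)) does in KQL."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not base64 / bad padding
        return None
    return raw.replace(b"\x00", b"").decode("utf-8", errors="ignore")


def match_process_event(ev: ProcessEvent) -> Optional[str]:
    """Process-creation query. Returns the decoded PowerShell when every filter
    matches, otherwise None."""
    if (not _contains(ev.initiating_process_file_name, "w3wp.exe")
            or _contains(ev.initiating_process_command_line, "DefaultAppPool")
            or ev.file_name.lower() != "cmd.exe"):  # KQL =~ is case-insensitive equality
        return None
    cmd = ev.process_command_line
    if not (_contains(cmd, "cmd.exe") and _contains(cmd, "powershell")
            and (_contains(cmd, "EncodedCommand") or _contains(cmd, "-ec"))):
        return None
    for arg in cmd.split(" "):  # split(...) + mv-expand
        if not B64_TOKEN.match(arg):
            continue
        decoded = decode_encoded_command(arg)
        if decoded and (_contains(decoded, "spinstall0")
                        or any(_contains(decoded, d) for d in SHORT_LAYOUTS_DIRS)):
            return decoded
    return None


def hunt_file_events(events):
    return [ev for ev in events if is_suspicious_file_event(ev)]


def hunt_process_events(events):
    pairs = ((ev, match_process_event(ev)) for ev in events)
    return [(ev, d) for ev, d in pairs if d is not None]


def encode_powershell(script: str) -> str:
    """Build an -EncodedCommand argument (base64 of UTF-16LE) for the sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# ---- constructed sample telemetry, not real logs ---------------------------
_LAYOUTS16 = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
SAMPLE_FILE_EVENTS = [
    FileEvent(_LAYOUTS16, "default.aspx", "msiexec.exe"),                      # right folder, ordinary name
    FileEvent(r"C:\Users\admin\Downloads", "spinstall0.aspx", "explorer.exe"),  # right name, wrong folder
    FileEvent(_LAYOUTS16, "spinstall0.aspx", "w3wp.exe"),                      # what the query surfaces
]
_BENIGN_PS = "Get-Date"
_SUSPECT_PS = r"Test-Path 'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx'"
_SP_POOL = 'w3wp.exe -ap "SharePoint - 80"'
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("explorer.exe", "explorer.exe", "cmd.exe",  # not spawned by IIS: filtered out
                 f"cmd.exe /c powershell -ec {encode_powershell(_SUSPECT_PS)}"),
    ProcessEvent("w3wp.exe", 'w3wp.exe -ap "DefaultAppPool"', "cmd.exe",  # pool the query excludes
                 f"cmd.exe /c powershell -ec {encode_powershell(_SUSPECT_PS)}"),
    ProcessEvent("w3wp.exe", _SP_POOL, "cmd.exe",  # encoded, but harmless content: no hit
                 f"cmd.exe /c powershell -EncodedCommand {encode_powershell(_BENIGN_PS)}"),
    ProcessEvent("w3wp.exe", _SP_POOL, "cmd.exe",  # the pattern the query is written for
                 f"cmd.exe /c powershell -EncodedCommand {encode_powershell(_SUSPECT_PS)}"),
]

if __name__ == "__main__":
    for ev in hunt_file_events(SAMPLE_FILE_EVENTS):
        print("FILE", ev.initiating_process, "->", ev.folder_path + "\\" + ev.file_name)
    for ev, decoded in hunt_process_events(SAMPLE_PROCESS_EVENTS):
        print("PROC", ev.initiating_process_command_line, "->", decoded)
```

Two points the sample set makes visible: the `DefaultAppPool` exclusion means a worker process from that pool never reaches the base64 decoding step, so a real environment that runs SharePoint sites in that pool needs the filter adjusted; and the decoding stage is what gives the query its value, because the suspicious path and the `spinstall0` name are never visible in the raw `ProcessCommandLine`, only in the decoded UTF-16LE text.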
The rapid progression from proof-of-concept demonstration to mass exploitation occurring within just 72 hours highlights the evolving threat landscape where zero-day vulnerabilities can be weaponized almost instantly. Organizations are urged to treat this as an emergency-priority incident requiring immediate action to prevent compromise.
The post Microsoft Releases Mitigations and Threat Hunting Queries for SharePoint Zero-Day appeared first on Cyber Security News.