
Organizations at Risk: SharePoint Zero-Day Exploited Globally

Microsoft SharePoint Server is currently under widespread cyberattack following the discovery of a critical zero-day vulnerability. The flaw allows attackers to infiltrate systems without authentication. Recent reports confirm that over 85 servers from 29 organizations—ranging from multinational corporations to government entities—have already been compromised with malicious code.

CVE-2025-53770: What You Need to Know

The vulnerability has been assigned the ID CVE-2025-53770 and received a CVSS score of 9.8, classifying it as Critical. It is a Remote Code Execution (RCE) vulnerability that allows attackers to send commands to SharePoint servers over the network without any form of authentication.

Microsoft has explained that this zero-day is a variant of CVE-2025-49706, which had been previously patched. However, CVE-2025-53770 introduces more sophisticated and dangerous exploitation methods.

Hard-to-Detect Attack Methods

What makes this vulnerability especially concerning is the abuse of ASP.NET’s __VIEWSTATE mechanism, which normally stores the state of web pages between user requests. Threat actors exploit this to inject malicious code.

Once inside the system, attackers steal the MachineKey—which includes the ValidationKey and DecryptionKey—and use it to craft forged __VIEWSTATE payloads. Since SharePoint sees these payloads as legitimate, attackers can execute further commands without needing elevated privileges.

“Once attackers get the keys, they can craft __VIEWSTATE payloads that look completely valid. Even if you patch the system, those stolen keys can still be used to strike again.” — Benjamin Harris, CEO of watchTowr
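The two paragraphs above and the watchTowr quote describe why a stolen MachineKey outlives a code patch. The following is an added illustration, not code from the article, from Microsoft or from watchTowr: a toy model of MAC-protected page state using HMAC-SHA256 over a JSON body. It does not reproduce ASP.NET's real __VIEWSTATE serialization, and the key names and state fields are made up for the demonstration. It shows that the server accepts any blob whose tag verifies under its ValidationKey, that a blob tagged with a copy of that key verifies exactly like one the server issued, that a blob altered without the key is rejected, and that only rotating the key causes blobs under the old key to be rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def sign_state(validation_key: bytes, state: dict) -> bytes:
    """Serialize state and append an HMAC-SHA256 tag computed under validation_key.

    Toy stand-in for the MAC ASP.NET applies to __VIEWSTATE (constructed format:
    urlsafe-base64(body) "." hex(tag)).
    """
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(validation_key, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(body) + b"." + tag


def verify_state(validation_key: bytes, blob: bytes) -> Optional[dict]:
    """Return the decoded state if the tag verifies under validation_key, else None.

    The tag is checked before the body is parsed, so untrusted bytes are never
    deserialized unless they carry a valid MAC. That is exactly why key
    secrecy, not parsing, is the security boundary here.
    """
    if blob.count(b".") != 1:
        return None
    b64_body, tag = blob.split(b".", 1)
    try:
        body = base64.urlsafe_b64decode(b64_body)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(validation_key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def flip_one_byte(blob: bytes) -> bytes:
    """Alter the body of a blob without knowing the key (the tag is left as is)."""
    b64_body, tag = blob.split(b".", 1)
    body = bytearray(base64.urlsafe_b64decode(b64_body))
    body[0] ^= 0x01
    return base64.urlsafe_b64encode(bytes(body)) + b"." + tag


def key_theft_scenario() -> dict:
    """Walk through the situation the article describes and report what verifies.

    All keys and state values below are constructed for the example.
    """
    server_key = secrets.token_bytes(64)   # the server's ValidationKey
    legit = sign_state(server_key, {"page": "default.aspx", "issued_by": "server"})

    # A copy of the key has left the server. Whoever holds it can tag state
    # that verifies exactly like state the server issued itself.
    stolen_key = server_key
    foreign = sign_state(stolen_key, {"page": "default.aspx", "issued_by": "not the server"})

    # Installing a code patch changes the application, not server_key, so the
    # "after patch" check is the same call as the "before patch" check.
    # Key rotation is the step that actually changes the outcome.
    rotated_key = secrets.token_bytes(64)

    return {
        "legit_accepted": verify_state(server_key, legit) is not None,
        "foreign_accepted_with_same_key": verify_state(server_key, foreign) is not None,
        "foreign_accepted_after_rotation": verify_state(rotated_key, foreign) is not None,
        "tampered_without_key_accepted": verify_state(server_key, flip_one_byte(legit)) is not None,
    }


if __name__ == "__main__":
    for name, accepted in key_theft_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The practical reading for a defender follows from the last two results: the MAC itself holds up (a blob changed without the key is rejected), so after a compromise in which the MachineKey may have been read, patching alone leaves the server trusting old keys; rotating the keys is what invalidates state tagged under them, and it also invalidates any legitimately issued state from before the rotation, which is the expected cost.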

“ToolShell” and Chain Exploits

Reports from Eye Security and Palo Alto Networks Unit 42 indicate that attackers are chaining this vulnerability with others in a campaign dubbed “ToolShell.” This approach enhances persistence and stealth.

The associated vulnerabilities used in combination are:

  • CVE-2025-49706: An authentication bypass flaw
  • CVE-2025-49704: A code injection vulnerability

Attackers use PowerShell to send ASPX payloads, steal the MachineKey, and achieve ongoing access to the system.

Confirmed Global Exploitation

Eye Security has confirmed that this exploit campaign has affected more than 85 servers globally, spanning private corporations and public agencies. Once inside, attackers conduct lateral movement quickly and use standard SharePoint behavior to evade detection.

Microsoft’s Mitigation Recommendations

While an official patch is still in development, Microsoft has issued interim guidance to mitigate risks:

  • Enable AMSI Integration (Antimalware Scan Interface) on SharePoint Servers. This feature is already included in the September 2023 updates for SharePoint Server 2016, 2019, and Subscription Edition (Version 23H2).
  • Install Microsoft Defender Antivirus on all SharePoint Servers.
  • Deploy Microsoft Defender for Endpoint to detect post-exploitation activity.
  • If AMSI cannot be enabled, disconnect the SharePoint Server from the internet until a patch is available.

U.S. CISA Issues Public Warning and Joins Forces with Microsoft

The Cybersecurity and Infrastructure Security Agency (CISA) has publicly confirmed active exploitation of CVE-2025-53770 and announced collaboration with Microsoft to alert potentially affected organizations.

“CISA was made aware of the exploitation by a trusted partner and we are working with Microsoft to notify impacted entities directly.” — Chris Butera, Acting Executive Assistant Director for Cybersecurity

Don't Wait Until It's Too Late

CVE-2025-53770 is not just an ordinary technical flaw — it’s a gateway to full control over SharePoint systems without requiring authentication. Even worse, it enables attackers to stay hidden and mimic legitimate user behavior with alarming precision.

If your organization is still using an on-premises SharePoint Server, now is the time to review your systems and take immediate action.

_____________________________________________________________________________________________________________________________________________________________________

Source: The Hacker News – Critical Microsoft SharePoint Flaw