A critical SharePoint vulnerability, identified under the CVE-2025-53770 code, is subject to massive exploitation on a global scale, endangering on-premises SharePoint servers. With a severity score of 9.8 out of 10, this flaw allows unauthenticated attackers to execute code remotely, compromising sensitive data and critical infrastructure.
- A zero-day flaw with serious consequences
- Massive and rapid exploitation
- Consequences for organizations
- Immediate protection measures
- 1. Apply available patches
- 2. Renew cryptographic keys
- 3. Disconnect exposed servers
- 4. Monitor indicators of compromise
- 5. Deploy detection solutions
- A challenge for modern cybersecurity
A zero-day flaw with serious consequences
The SharePoint vulnerability CVE-2025-53770, recently discovered, exploits a weakness in the deserialization of untrusted data on on-premises SharePoint servers. This flaw allows attackers to access exposed systems without authentication via the Internet, giving them complete control over files, internal configurations, and arbitrary code execution. According to Microsoft, this vulnerability does not affect cloud services such as SharePoint Online or Microsoft 365, but only on-premises installations.
Furthermore, attackers are using this flaw in an attack dubbed ToolShell, which deploys backdoors and extracts cryptographic keys, such as ASP.NET MachineKeys, enabling persistent access even after patches are applied. This ability to maintain covert access makes the threat particularly dangerous.
Massive and rapid exploitation
The first attacks were detected as early as July 18, 2025, with exploitation waves reported by the security firm Eye Security. By scanning over 8,000 publicly accessible SharePoint servers, researchers identified dozens of compromised systems, including government organizations, universities, energy companies, and U.S. federal agencies.
Furthermore, the SharePoint vulnerability is a variant of CVE-2025-49706, partially patched during Microsoft’s July 2025 update. However, attackers have bypassed these fixes, exploiting a new attack chain presented at the Pwn2Own competition in Berlin in May 2025. This rapid adaptation illustrates the sophistication of cybercriminals in the face of traditional security measures.
Consequences for organizations
The impact of this SharePoint vulnerability is considerable. Attackers can:
- Access sensitive data: Compromised servers allow exfiltration of files, internal configurations, and authentication tokens.
- Deploy backdoors: The ToolShell backdoor guarantees continuous access, even after patches are applied, if cryptographic keys are not renewed.
- Extend attacks: Stolen tokens provide privileged access to other connected systems, such as Teams or OneDrive, amplifying potential damage.
As a result, organizations in critical sectors, such as healthcare, education, and government, are particularly vulnerable. The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its catalog of exploited vulnerabilities, requiring U.S. federal agencies to take immediate action by July 21, 2025.
Immediate protection measures
Faced with this threat, Microsoft and cybersecurity experts recommend several urgent actions:
1. Apply available patches
Microsoft has released emergency updates for SharePoint Subscription Edition and SharePoint Server 2019 (CVE-2025-53770 and CVE-2025-53771). Users of SharePoint Server 2016 should enable the Antimalware Scan Interface (AMSI) while awaiting a patch.
2. Renew cryptographic keys
Organizations must renew the ASP.NET MachineKeys on their SharePoint servers and restart the IIS server to prevent persistent access. Microsoft provides instructions via the PowerShell command Update-SPMachineKey.
3. Disconnect exposed servers
If patching or enabling AMSI is not possible, it is advised to disconnect SharePoint servers from the Internet to limit risks.
4. Monitor indicators of compromise
Administrators should check for suspicious files, such as spinstall0.aspx, and monitor IIS logs for POST requests to /layouts/15/ToolPane.aspx. Suspicious IP addresses include 107.191.58.76, 104.238.159.149, and 96.9.125.147.
5. Deploy detection solutions
The use of Microsoft Defender for Endpoint or other advanced detection solutions can help identify and block post-exploitation activities.
A challenge for modern cybersecurity
This SharePoint vulnerability highlights the limitations of traditional security approaches, particularly the assumption that authenticated users are trustworthy. As Rik Ferguson of Forescout pointed out, perimeter trust models are obsolete in the face of modern attackers.
Furthermore, the rapid exploitation of this flaw, shortly after its demonstration at Pwn2Own, shows the importance of responsiveness in zero-day vulnerability management. Solutions based on artificial intelligence, capable of analyzing abnormal behaviors in real-time, could play a key role in preventing such attacks in the future.
The SharePoint vulnerability CVE-2025-53770 represents a critical threat to organizations using on-premises SharePoint servers. Its massive exploitation, combined with attackers’ ability to bypass initial patches, requires an immediate and coordinated response. By applying patches, renewing cryptographic keys, and strengthening monitoring, organizations can limit damage. However, this incident reminds us that cybersecurity requires constant vigilance and rapid adaptation to emerging threats.