A significant security vulnerability has been discovered in Microsoft SharePoint Server, now exploited in a widespread campaign. This zero-day flaw, identified as CVE-2025-53770 with a critical CVSS score of 9.8, is a variant of another vulnerability, CVE-2025-49706, which had a lower CVSS score of 6.3. The initial spoofing bug was addressed by Microsoft during its July 2025 Patch Tuesday updates.
The vulnerability arises from the deserialization of untrusted data in on-premises Microsoft SharePoint Server, allowing unauthorized attackers to execute code remotely. On July 19, 2025, Microsoft released an advisory acknowledging the issue and stated that they are working on a comprehensive update to remedy the flaw. The discovery of this vulnerability is credited to Viettel Cyber Security, who reported it through Trend Micro's Zero Day Initiative (ZDI).
In a separate alert, Microsoft confirmed awareness of active attacks targeting on-premises SharePoint Server users. Importantly, SharePoint Online within Microsoft 365 remains unaffected by this vulnerability. Attackers are not merely injecting arbitrary code; they exploit the way SharePoint deserializes untrusted objects, enabling command execution even before user authentication occurs. Once inside the system, attackers can forge trusted payloads using stolen machine keys, allowing them to persist within the environment and move laterally, often camouflaging their activities to evade detection.
As an official patch is not yet available, Microsoft advises customers to enable Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender Antivirus on all SharePoint servers. Notably, AMSI integration is enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. For organizations unable to activate AMSI, it is recommended to disconnect the SharePoint Server from the internet until a security update can be deployed. Furthermore, utilizing Defender for Endpoint is encouraged to detect and block any post-exploitation activities.
The disclosure of CVE-2025-53770 comes at a time when Eye Security and Palo Alto Networks Unit 42 have alerted about attacks chaining CVE-2025-49706 and another vulnerability, CVE-2025-49704 (with a CVSS score of 8.8), to facilitate arbitrary command execution on vulnerable instances. This exploit chain has been dubbed ToolShell. Given that CVE-2025-53770 is a variant of CVE-2025-49706, it is believed that these attacks are interconnected.
Eye Security reported that the mass exploitation identified leverages CVE-2025-49706 to POST a remote code execution payload that exploits CVE-2025-49704. They noted that adding _layouts/SignOut.aspx as an HTTP referer transforms CVE-2025-49706 into CVE-2025-53770. ZDI has classified CVE-2025-49706 as an authentication bypass vulnerability, resulting from how the application processes the HTTP Referer header provided to the ToolPane endpoint (/_layouts/15/ToolPane.aspx).
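The request pattern described above (a POST to the ToolPane endpoint carrying a Referer of _layouts/SignOut.aspx, accepted without authentication) is something a defender can hunt for in IIS logs on the SharePoint front-ends. The following is an added example, not code from the article or from any of the vendors it cites. It assumes IIS's default W3C logging field order (the `#Fields:` header is parsed, so other orders also work) and runs over a constructed log excerpt embedded in the block; the rule names and the "unauthenticated 2xx to ToolPane.aspx" heuristic are this example's own choices.

```python
from typing import Dict, Iterator, List, Optional

# Constructed sample: an IIS W3C log excerpt in the default field order, not a
# real capture. IIS writes "-" for empty fields and "+" in place of spaces.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 01:12:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.41 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/sites/hr 200
2025-07-19 01:12:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 01:12:11 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CORP\\alice 10.0.0.41 Mozilla/5.0 https://sp.example.test/sites/hr/_layouts/15/start.aspx 200
2025-07-19 01:13:40 10.0.0.5 POST /_layouts/15/toolpane.aspx - 443 - 203.0.113.7 python-requests/2.32 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 01:14:02 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 - 198.51.100.9 curl/8.4 - 401
2025-07-19 01:15:27 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 198.51.100.9 curl/8.4 - 200
"""

TOOLPANE_SUFFIX = "/_layouts/15/toolpane.aspx"
SIGNOUT_MARKER = "/_layouts/signout.aspx"


def parse_w3c(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data row, keyed by the names in the #Fields header.

    Rows whose column count does not match the header (truncated writes,
    log rotation mid-line) are skipped rather than mis-mapped.
    """
    fields: Optional[List[str]] = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].split()
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row encountered before a #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a rule name for a suspicious ToolPane request, else None.

    Heuristics (this example's own, not vendor signatures):
      - POST to ToolPane.aspx with a SignOut.aspx Referer: the bypass pattern
        Eye Security and ZDI describe. Sign-out never legitimately POSTs to
        the tool pane, so this has a very low false-positive rate.
      - Any 2xx to ToolPane.aspx with no authenticated user (cs-username "-"):
        the page is meant to require authentication, so a success without a
        user is worth a look even if the Referer was stripped.
    """
    stem = rec.get("cs-uri-stem", "").lower()
    if not stem.endswith(TOOLPANE_SUFFIX):
        return None
    referer = rec.get("cs(Referer)", "-").lower()
    method = rec.get("cs-method", "").upper()
    user = rec.get("cs-username", "-")
    status = rec.get("sc-status", "")
    if method == "POST" and SIGNOUT_MARKER in referer:
        return "toolshell-referer-bypass"
    if user == "-" and status.startswith("2"):
        return "unauthenticated-toolpane"
    return None


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Run the classifier over a log and return the flagged requests."""
    hits = []
    for rec in parse_w3c(log_text):
        rule = classify(rec)
        if rule is not None:
            hits.append({
                "when": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "method": rec["cs-method"],
                "status": rec["sc-status"],
                "referer": rec.get("cs(Referer)", "-"),
                "rule": rule,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_IIS_LOG):
        print(hit)
```

A 401 to ToolPane.aspx from an unauthenticated client is deliberately not flagged: that is the server doing its job. What you want to see is the absence of 2xx responses to unauthenticated clients on this endpoint; their presence on a server that was unpatched during the campaign window is a reason to treat the machine keys as compromised, regardless of whether a web shell is still on disk.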
The malicious activity typically involves delivering ASPX payloads via PowerShell, which are then used to steal the SharePoint server's MachineKey configuration, specifically the ValidationKey and DecryptionKey, giving the attackers persistent access. According to Eye Security, these keys are what SharePoint relies on to validate __VIEWSTATE payloads; with them in hand, attackers can turn any authenticated SharePoint request into a remote code execution opportunity. So far, more than 85 compromised SharePoint servers have been identified worldwide, affecting 29 organizations, including multinational corporations and government agencies.
Benjamin Harris, CEO of watchTowr, emphasized that __VIEWSTATE is a core mechanism in ASP.NET designed to store state information between requests, and it is cryptographically signed and optionally encrypted using the ValidationKey and DecryptionKey. With access to these keys, attackers can create forged __VIEWSTATE payloads that SharePoint will accept as valid, leading to seamless remote code execution. This tactic complicates remediation efforts, as a typical patch may not automatically rotate the stolen cryptographic secrets, leaving organizations vulnerable even after applying the patch.
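The remediation point above (a patch closes the exploit path but does nothing about a key the attacker already holds) is easiest to see with the MAC check modelled end to end. The following is an added example, not code from the article, from watchTowr, or from Microsoft. It is a deliberately simplified model of ViewState MAC validation: a single HMAC-SHA256 over the payload using the raw ValidationKey. Real ASP.NET derives per-purpose subkeys from the machine key and covers more data than the serialized object, so this is not a drop-in verifier, but the dependency on the key, which is the point, is the same. The toy `SharePointServer` class and its `apply_patch`/`rotate_machine_key` methods are this example's own constructions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = 32  # HMAC-SHA256 output length


def generate_validation_key() -> str:
    """Hex-encoded 64-byte key, the size ASP.NET uses for HMACSHA256 validation keys."""
    return secrets.token_hex(64)


def sign_viewstate(payload: bytes, validation_key_hex: str) -> str:
    """Produce a base64 token: payload || HMAC-SHA256(key, payload).

    Simplified model of a MAC-enabled __VIEWSTATE (assumption: no per-purpose
    key derivation, no encryption, MAC over the payload alone).
    """
    key = bytes.fromhex(validation_key_hex)
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_viewstate(token: str, validation_key_hex: str) -> Optional[bytes]:
    """Return the payload if the MAC verifies under this key, else None.

    Malformed base64, short tokens and MAC mismatches all fail closed.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    key = bytes.fromhex(validation_key_hex)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, expected) else None


class SharePointServer:
    """Toy server holding one machine key.

    `apply_patch` models a security update: it closes the exploit path that
    leaked the key but, like a real patch, leaves the key itself untouched.
    Only `rotate_machine_key` invalidates what the attacker already stole.
    """

    def __init__(self) -> None:
        self.validation_key = generate_validation_key()
        self.patched = False

    def accepts(self, token: str) -> bool:
        return verify_viewstate(token, self.validation_key) is not None

    def apply_patch(self) -> None:
        self.patched = True  # exploit path closed, key unchanged

    def rotate_machine_key(self) -> None:
        self.validation_key = generate_validation_key()


def forged_token_accepted(rotate_after_patch: bool) -> bool:
    """Simulate: key stolen, server patched, attacker replays a forged token."""
    server = SharePointServer()
    stolen_key = server.validation_key  # attacker exfiltrated the MachineKey
    server.apply_patch()
    if rotate_after_patch:
        server.rotate_machine_key()
    forged = sign_viewstate(b"<attacker-controlled serialized object>", stolen_key)
    return server.accepts(forged)


if __name__ == "__main__":
    print("patched, keys not rotated ->", forged_token_accepted(False))
    print("patched, keys rotated     ->", forged_token_accepted(True))
```

The model also shows the operational cost of the fix: every token signed under the old key stops validating the moment the key is rotated, including legitimate ones, so users with open pages will see ViewState validation errors until they reload. On a farm the new key has to reach every web front-end, otherwise one server will reject what another one issued. That disruption is the price of actually cutting off an attacker who holds the old key; patching alone does not.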
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding the active exploitation of CVE-2025-53770, which enables unauthorized access to SharePoint systems and arbitrary code execution over the network. CISA was informed of the exploitation by a trusted partner and has engaged Microsoft to take immediate action. Acting Executive Assistant Director for Cybersecurity, Chris Butera, highlighted the importance of rapid identification and response to such cyber threats, emphasizing the collaboration between the research community, technology providers, and CISA.
As of now, Microsoft has not updated its advisories for CVE-2025-49706 and CVE-2025-49704 to reflect the ongoing active exploitation. We have reached out to Microsoft for further clarification and will provide updates as more information becomes available. This is a developing story, so please check back for more details.