A critical zero-day vulnerability, identified as CVE-2025-53770, has been discovered in Microsoft SharePoint, leading to widespread cyberattacks targeting on-premises servers globally. This flaw allows unauthenticated attackers to execute remote code, potentially compromising sensitive data and connected services.
Overview of the Vulnerability
CVE-2025-53770 is a variant of a previously patched vulnerability, CVE-2025-49706. It exploits the deserialization of untrusted data within SharePoint, enabling attackers to execute arbitrary code without authentication. This vulnerability affects on-premises versions of SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Notably, SharePoint Online, part of Microsoft 365, remains unaffected. ([msrc.microsoft.com](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/?utm_source=openai))
Scope and Impact
The exploitation of this vulnerability has been observed since at least July 18, 2025. Security firm Eye Security reported identifying dozens of compromised systems worldwide, with victims spanning government agencies, financial institutions, universities, and energy providers. The attackers deploy a malicious ASPX payload, spinstall0.aspx, which extracts cryptographic machine keys from SharePoint servers. With these keys, attackers can forge valid ViewState tokens, maintaining persistent access even after servers are patched. ([research.eye.security](https://research.eye.security/sharepoint-under-siege/?utm_source=openai))
According to data from Shodan, over 8,000 servers are potentially vulnerable, including those belonging to major industrial firms, banks, auditors, healthcare companies, and several U.S. state-level and international government entities. The widespread compromise poses serious risks, and experts recommend organizations act on the assumption of breach while reinforcing their overall security posture. ([reuters.com](https://www.reuters.com/sustainability/boards-policy-regulation/microsoft-server-hack-likely-single-actor-thousands-firms-now-vulnerable-2025-07-21/?utm_source=openai))
Microsoft’s Response and Recommendations
Microsoft has acknowledged the vulnerability and is actively working on a security update. In the interim, the company recommends the following actions to mitigate the risk:
1. Enable AMSI Integration: Configure the Windows Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender Antivirus on all SharePoint servers. AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. ([msrc.microsoft.com](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/?utm_source=openai))
2. Deploy Defender for Endpoint: Implement Microsoft Defender for Endpoint to detect and block post-exploit activity. ([msrc.microsoft.com](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/?utm_source=openai))
3. Disconnect Affected Servers: If enabling AMSI is not feasible, consider disconnecting the affected servers from the internet until a security update is available. ([msrc.microsoft.com](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/?utm_source=openai))
Additionally, organizations are advised to rotate SharePoint Server ASP.NET machine keys to prevent attackers from maintaining access through stolen cryptographic secrets. ([cyberdaily.au](https://www.cyberdaily.au/security/12398-acsc-circulates-act-now-alert-over-critical-microsoft-office-sharepoint-server-vulnerability?utm_source=openai))
Detection and Indicators of Compromise
Organizations should monitor for specific indicators of compromise, including:
– Unusual POST Requests: Monitor for POST requests to `/_layouts/15/ToolPane.aspx?DisplayMode=Edit`. ([cisa.gov](https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770?utm_source=openai))
– Suspicious IP Addresses: Scan for activity from IPs `107.191.58[.]76`, `104.238.159[.]149`, and `96.9.125[.]147`, particularly between July 18-19, 2025. ([cisa.gov](https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770?utm_source=openai))
– Presence of Malicious Files: Check for the presence of the spinstall0.aspx file on SharePoint servers, which is used to extract cryptographic secrets. ([research.eye.security](https://research.eye.security/sharepoint-under-siege/?utm_source=openai))
Broader Implications
The exploitation of CVE-2025-53770 underscores the persistent threat posed by zero-day vulnerabilities in widely used enterprise software. The ability of attackers to gain unauthorized access to critical systems highlights the importance of proactive security measures, timely patching, and comprehensive monitoring.
Organizations are urged to assess their SharePoint deployments, implement the recommended mitigations, and remain vigilant for signs of compromise. Collaboration with cybersecurity agencies and adherence to best practices are essential in mitigating the risks associated with such vulnerabilities.
Conclusion
The active exploitation of the CVE-2025-53770 vulnerability in Microsoft SharePoint serves as a stark reminder of the evolving cyber threat landscape. Organizations must take immediate action to protect their systems, data, and stakeholders from potential breaches. Staying informed and responsive to emerging threats is crucial in maintaining a robust cybersecurity posture.
