In early July 2025, cybersecurity researchers identified a critical zero-day vulnerability in Microsoft’s SharePoint Server, designated as CVE-2025-53770. This flaw has been actively exploited by malicious actors to infiltrate systems, exfiltrate cryptographic keys, and establish persistent access within compromised networks.
Discovery and Initial Exploitation
The vulnerability was first observed in exploitation attempts targeting a major Western government on July 7, 2025. By July 18 and 19, the attacks had intensified, affecting sectors such as government, telecommunications, and software across North America and Western Europe. Check Point Research identified that the exploitation efforts originated from three distinct IP addresses: 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147. Notably, one of these IP addresses had previously been associated with the exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) appliances.
Technical Details of the Vulnerability
CVE-2025-53770 is a remote code execution flaw in SharePoint Server that, when exploited, allows attackers to execute arbitrary code on the affected server. This vulnerability is a variant of earlier flaws (CVE-2025-49704 and CVE-2025-49706) that were patched by Microsoft in early July 2025. The exploitation chain, known as ToolShell, involves chaining CVE-2025-53770 with CVE-2025-49706 to gain initial access and escalate privileges within the system.
The attack methodology involves deploying malicious ASP.NET web shells that programmatically extract sensitive cryptographic keys from the SharePoint server. These stolen keys are then used to craft valid, signed __VIEWSTATE payloads, enabling attackers to execute commands and maintain persistent access without detection.
Scope and Impact
The exploitation of this vulnerability has been widespread, with approximately 100 organizations compromised, including government entities, industrial firms, banks, healthcare providers, and auditors. The majority of victims are located in the United States and Germany. The UK’s National Cyber Security Centre (NCSC) has also identified a limited number of UK-based victims.
The attacks have primarily targeted on-premises SharePoint servers, which are widely used for internal document management and collaboration. SharePoint Online, the cloud-based version within Microsoft 365, remains unaffected.
Microsoft’s Response and Mitigation Measures
In response to the active exploitation, Microsoft has released security updates to address the vulnerabilities. The company has urged affected customers to apply the latest security updates promptly and ensure proper configuration of the Antimalware Scan Interface (AMSI). Enabling AMSI integration and deploying Defender Antivirus on all SharePoint servers can help prevent exploitation attempts.
For organizations unable to enable AMSI, Microsoft recommends removing internet access from the SharePoint server to mitigate the risk. Additionally, rotating ASP.NET machine keys after patching is crucial to invalidate any stolen keys and prevent unauthorized access.
Recommendations for Affected Organizations
Organizations that have been compromised or suspect exploitation should take immediate action:
– Isolate Compromised Servers: Disconnect affected servers from the network to prevent further exploitation.
– Renew Credentials and Secrets: Change all exposed credentials and cryptographic materials to invalidate any stolen by attackers.
– Engage Cybersecurity Experts: Seek professional incident response services to assess the extent of the breach and implement remediation measures.
– Apply Security Updates: Ensure all SharePoint servers are updated with the latest security patches provided by Microsoft.
– Enable AMSI and Defender Antivirus: Configure AMSI integration and deploy Defender Antivirus to detect and block exploitation attempts.
Conclusion
The exploitation of the CVE-2025-53770 vulnerability in Microsoft SharePoint Server underscores the critical importance of timely patching and robust security configurations. Organizations must remain vigilant, apply security updates promptly, and implement recommended mitigations to protect against such sophisticated cyber threats.
