Critical SharePoint Zero-Day (CVE-2025-53770) Actively Exploited in the Wild
A critical vulnerability has been discovered in Microsoft SharePoint Server, now actively exploited as part of a widespread cyberattack campaign. The flaw, identified as CVE-2025-53770, carries a staggering severity score of 9.8 out of 10. It is considered an evolved variant of a previously patched issue—CVE-2025-49706—which was addressed in Microsoft’s July security update.
The vulnerability stems from the way SharePoint handles untrusted data: specifically, its deserialization mechanism enables unauthenticated remote code execution. Microsoft has confirmed that in-the-wild attacks are targeting on-premises deployments of SharePoint Server, though the cloud-based SharePoint Online remains unaffected.
Once attackers gain access, they extract cryptographic keys, allowing them to forge internal SharePoint data and masquerade as legitimate users. This obfuscation complicates detection and incident response. Eye Security reports that adversaries are leveraging PowerShell to deploy malicious ASPX scripts, enabling them to harvest MachineKey parameters—critical keys for validation and encryption of internal structures such as __VIEWSTATE.
Compromised keys enable attackers to craft counterfeit requests accepted by the server as authentic, paving the way for persistent remote code execution—even after standard security patches are applied. Since updates do not regenerate stolen secrets, compromised systems remain exposed despite being “patched.”
More than 85 compromised SharePoint servers have been identified across multiple countries. Victims include 29 organizations, spanning international corporations and governmental entities.
Microsoft has announced work on a comprehensive fix to eliminate the vulnerability and expressed gratitude to researchers at Viettel Cyber Security for identifying the flaw. As a temporary safeguard, administrators are advised to enable Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Microsoft Defender across all servers. Where AMSI cannot be activated, it is recommended to temporarily isolate affected servers from the internet. Additionally, Defender for Endpoint should be employed to detect and contain post-exploitation activity.
Meanwhile, researchers from Eye Security and Palo Alto Networks have uncovered a chained attack scenario in which CVE-2025-49706 is combined with another flaw—CVE-2025-49704—to achieve arbitrary command execution. This technique, dubbed ToolShell, exploits a subtle manipulation of the HTTP Referer header, inserting “_layouts/SignOut.aspx” to escalate CVE-2025-49706 into its more dangerous incarnation: CVE-2025-53770.
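As an added defensive example (not code from the article, Eye Security or Microsoft), the following Python triage filter scans IIS W3C log lines for the "_layouts/SignOut.aspx" Referer value described above and reports the client address and whether the request was unauthenticated. It assumes the default SharePoint IIS log field set, and the sample log lines are constructed.

```python
# Added example, not code from the article or any vendor; assumes default
# IIS W3C fields (cs-method, cs-uri-stem, cs-username, c-ip, cs(Referer)).
SIGNOUT_MARKER = "_layouts/SignOut.aspx"  # Referer value named in the article


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the #Fields header names."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # other directives, or data before a #Fields header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_signout_referers(lines):
    """Return requests whose Referer carries the SignOut marker, with the
    client address and whether IIS saw an authenticated user, for pivoting."""
    hits = []
    for req in parse_w3c(lines):
        if SIGNOUT_MARKER.lower() in req.get("cs(Referer)", "-").lower():
            hits.append({
                "time": f"{req['date']} {req['time']}",
                "client": req.get("c-ip"),
                "method": req.get("cs-method"),
                "uri": req.get("cs-uri-stem"),
                "unauthenticated": req.get("cs-username", "-") == "-",
            })
    return hits


# Constructed sample: one ordinary authenticated session and one
# unauthenticated POST carrying the SignOut Referer from an external address.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:14:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.example.test/sites/hr 200
2025-07-19 10:14:09 10.0.0.5 POST /_layouts/15/somepage.aspx - 443 - 203.0.113.9 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 10:14:15 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 - 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_signout_referers(SAMPLE_LOG):
        print(hit)
```

Hits are a starting point for triage, not proof of compromise; pair them with a review of newly created ASPX files and, after patching, rotation of the MachineKey values the article says attackers harvest.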
Although Microsoft has not yet revised the official advisories for CVE-2025-49706 and CVE-2025-49704 to reflect active exploitation, security experts sound the alarm: the campaign is ongoing and escalating. According to Eye Security’s CTO, Piet Kerkhofs, attackers are moving laterally within networks at alarming speed, wielding the vulnerability as a primary battering ram.