SharePoint Under Siege: New Zero-Day (CVE-2025-53770) Actively Compromises 100+ Global Organizations
A few days ago, we reported on the critical zero-day vulnerability CVE-2025-53770 in Microsoft SharePoint Server, a more capable variant of the previously identified flaw CVE-2025-49706. At the time, it was known that the issue involved the deserialization of untrusted data, enabling pre-authentication arbitrary code execution, and that attackers were actively exploiting it against more than 85 servers. The situation has since escalated dramatically—the scale of the hacking campaign has proven far more extensive than initially believed.
It has now been confirmed that at least 100 organizations have been compromised, including multinational corporations and government institutions. This information comes from Eye Security, which first identified signs of the attack in a client environment, and the nonprofit Shadowserver Foundation, which conducted broad network scans. Their data indicates a widespread impact, with victims primarily located in the United States and Germany, though the geographical reach extends much further.
The attack leverages a zero-day vulnerability in on-premises SharePoint Server deployments, allowing adversaries to implant a backdoor and establish persistent access within the victim’s network. According to Eye Security, once inside, the attackers exfiltrate cryptographic keys—specifically the MachineKey values used for validation and encryption—which are then used to forge requests that the server accepts as legitimate. As a result, malicious requests are treated as valid by the system, and the attack can persist even after patches are applied, rendering conventional defenses largely ineffective.
The report emphasizes that the exploit is deployed prior to authentication checks, after which PowerShell scripts and malicious ASPX files are used to extract sensitive parameters directly from memory. This enables attackers to move laterally across the network with remarkable speed and execute arbitrary code without the need for repeated intrusion.
Shadowserver estimates that up to 9,000 SharePoint servers currently exposed to the internet may be at risk. Potential targets include industrial firms, financial institutions, auditors, healthcare providers, and governmental bodies. A spokesperson from the UK-based security firm PwnDefend stated that the crisis demands more than just the application of patches—it necessitates a comprehensive system audit, as the mere presence of the vulnerability may already imply covert compromise.
Microsoft has confirmed the attacks, issued patches, and urged immediate implementation. However, the company also warned that applying the standard fixes alone may not neutralize the threat if attackers have already obtained sensitive data. As an interim measure, organizations are advised to enable the Antimalware Scan Interface (AMSI), deploy Microsoft Defender, and, if necessary, isolate affected servers from the internet entirely.
Meanwhile, security experts at Eye Security and Palo Alto Networks continue to track a chain of attacks in which CVE-2025-49706 is being paired with another vulnerability, CVE-2025-49704. The combination enables attackers to execute commands on the server with minimal alteration to requests. It has been discovered that simply specifying the path “_layouts/SignOut.aspx” in the Referer header transforms CVE-2025-49706 into a fully weaponized version of CVE-2025-53770—a technique now being employed in campaigns worldwide.
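The Referer value quoted above is the one indicator on this page a defender can search for directly. The following is an added triage script, not code from the article or from any of the vendors it cites: it parses IIS W3C extended logs, flags every request whose cs(Referer) carries `_layouts/SignOut.aspx`, and ranks POSTs above GETs on the assumption (ours, not stated in the article) that the forged pre-authentication requests are POSTs. The log lines are constructed samples, and `PLACEHOLDER_PAGE.aspx` stands in for whatever page the request targets.

```python
"""Triage IIS W3C logs for the SignOut.aspx Referer indicator quoted in the article."""
import re

# Indicator path from the article; matched case-insensitively against cs(Referer).
SIGNOUT_REFERER = re.compile(r"_layouts/signout\.aspx", re.IGNORECASE)

# Constructed sample log (not a real capture). IIS encodes spaces inside a field as '+',
# so splitting on whitespace is safe. PLACEHOLDER_PAGE.aspx is a stand-in, not a real IoC.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:14:07 GET /_layouts/15/start.aspx - 10.0.0.5 Mozilla/5.0+(Windows) https://intranet.example/sites/hr 200
2025-07-19 02:15:31 POST /_layouts/15/PLACEHOLDER_PAGE.aspx DisplayMode=Edit 203.0.113.7 Mozilla/5.0+(Windows) /_layouts/SignOut.aspx 200
2025-07-19 02:15:40 GET /_layouts/15/signout.aspx - 10.0.0.9 Mozilla/5.0+(Windows) https://intranet.example/sites/hr 302
2025-07-19 02:16:02 GET /_layouts/15/start.aspx - 10.0.0.9 Mozilla/5.0+(Windows) https://intranet.example/_layouts/SignOut.aspx 200
"""


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields directive."""
    fields, records = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field list can change mid-file; keep the latest one
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # malformed or truncated line: skip it rather than guess column positions
        records.append(dict(zip(fields, parts)))
    return records


def find_signout_referer_hits(records):
    """Return records whose Referer carries the indicator, each tagged with a triage priority.

    Assumption: the forged pre-auth requests are POSTs, so a POST with this Referer is 'high';
    a GET is still surfaced, but as 'review', since it is more likely a benign sign-out flow.
    """
    hits = []
    for rec in records:
        if SIGNOUT_REFERER.search(rec.get("cs(Referer)", "")):
            priority = "high" if rec.get("cs-method", "").upper() == "POST" else "review"
            hits.append({**rec, "priority": priority})
    return hits


if __name__ == "__main__":
    for hit in find_signout_referer_hits(parse_iis_w3c(SAMPLE_LOG)):
        print(hit["priority"], hit["date"], hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"])
```

A hit is a reason to pull the server into the forensic review the article describes, not proof of compromise on its own; a patched server whose MachineKey values were already taken still needs its keys rotated.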
The identity of the threat actors remains unknown. However, based on its global traffic visibility, Google has linked some of the activity to a hacker group believed to be operating from China. As before, representatives from the Chinese embassy have declined to comment. The FBI and the UK’s National Cyber Security Centre have confirmed that they are monitoring the situation and coordinating with both public and private sector partners to assess the damage.
Given the severity of the threat, organizations using SharePoint Server are urged not only to apply patches without delay but also to reevaluate their security posture. Simply installing updates is no longer sufficient—if a system has already been compromised, it demands a thorough forensic investigation and, in some cases, complete isolation of affected infrastructure.