Critical SharePoint Zero-Day Exploited in RCE Attacks as Microsoft Scrambles for Patch
A severe unpatched vulnerability in Microsoft SharePoint Server is being actively weaponized in the wild, enabling attackers to execute arbitrary code on vulnerable systems. Tracked as CVE-2025-53770, this zero-day flaw represents a variant of CVE-2025-49706, one half of the "ToolShell" exploit chain demonstrated at Pwn2Own Berlin in May and patched by Microsoft in July. Microsoft has confirmed active exploitation targeting on-premises SharePoint Server customers, warning that no security update is currently available.
The Vulnerability and Exploitation Chain
The flaw allows unauthenticated attackers to achieve Remote Code Execution (RCE). The Dutch security firm Eye Security first detected attacks on July 18th. Threat actors are exploiting the vulnerability to upload a malicious ASPX file (spinstall0.aspx) to the SharePoint server. This file is designed to steal the server's MachineKey configuration, specifically the ValidationKey and DecryptionKey that ASP.NET uses to sign and encrypt state.
"Once this cryptographic material is leaked, the attacker can craft fully valid, signed __VIEWSTATE payloads... for RCE," explains Eye Security.
Armed with these keys, attackers use tools like ysoserial to forge valid SharePoint __VIEWSTATE tokens. These tokens are deserialized by the ASP.NET framework (underpinning SharePoint), allowing the attacker's malicious code to execute on the server with SYSTEM privileges.
Scope of the Attacks and Impact
Eye Security has identified at least 85 compromised SharePoint servers worldwide, clustered across 29 distinct organizations. Victims reportedly include multinational corporations and national government entities. The Dutch cybersecurity firm attributes the rapid weaponization to public technical details released after CODE WHITE GmbH successfully replicated the original ToolShell exploit:
"We have reproduced 'ToolShell', the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704... it's really just one request!" - CODE WHITE GmbH
Initial exploitation attempts have been observed originating from IP addresses 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147. IIS logs show POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with an HTTP Referer header of /_layouts/SignOut.aspx.
Mitigation and Detection: Critical Steps Now
With no patch available, Microsoft advises immediate implementation of the following mitigations:
- Enable AMSI Integration: Ensure the Antimalware Scan Interface (AMSI) is enabled in SharePoint. AMSI lets the installed antivirus solution scan scripts and code in memory in real time. AMSI integration has been enabled by default since the September 2023 security updates for SharePoint Server 2016/2019 and since Version 23H2 of SharePoint Server Subscription Edition.
- Deploy Defender AV: Ensure Microsoft Defender Antivirus is installed and running on all SharePoint servers.
Microsoft states these steps will prevent unauthenticated exploitation attempts. Organizations unable to enable AMSI are advised to disconnect affected SharePoint servers from the internet immediately until a patch is released.
To detect potential compromise, administrators should:
- Check for the presence of the file: C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx.
- Run the provided Microsoft 365 Defender Advanced Hunting query:
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx" or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
Finding any Indicators of Compromise (IOCs) means administrators should assume a breach has occurred, isolate the server, and conduct a full investigation for lateral movement.
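For servers where Defender Advanced Hunting is not available, the same two checks can be run directly against IIS W3C logs and the LAYOUTS folder. The following Python script is an added example written for this article; it is not code from Microsoft, Eye Security or BleepingComputer. It assumes the standard IIS W3C field names (cs-method, cs-uri-stem, cs-uri-query, c-ip, cs(Referer)) and uses the request pattern and source IPs reported above; the log lines in SAMPLE_LOG are constructed for illustration.

```python
from pathlib import Path
from urllib.parse import parse_qs, unquote

# Indicators taken from the reporting above (the article prints the IPs defanged;
# they are written plainly here so they can be matched against the c-ip column).
IOC_SOURCE_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"


def parse_iis_w3c(lines):
    """Yield one dict per request line of an IIS W3C log, naming columns from the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # directive line, or data before any #Fields header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skipping is safer than misaligning columns
        yield dict(zip(fields, values))


def is_toolshell_request(entry):
    """True when a log entry matches the reported exploitation request:
    POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with Referer /_layouts/SignOut.aspx.
    Values are URL-decoded and lower-cased so encoded or mixed-case variants still match."""
    method = entry.get("cs-method", "").upper()
    stem = unquote(entry.get("cs-uri-stem", "")).lower()
    query = parse_qs(unquote(entry.get("cs-uri-query", "")).lower())  # IIS logs "-" when empty
    referer = unquote(entry.get("cs(Referer)", "")).lower()
    if method != "POST" or not stem.endswith(TOOLPANE_PATH):
        return False
    if "edit" not in query.get("displaymode", []) or "/toolpane.aspx" not in query.get("a", []):
        return False
    return referer.rstrip("/").endswith(SIGNOUT_REFERER)


def hunt_iis_log(lines):
    """Return the suspicious entries, each annotated with the reasons it was flagged."""
    hits = []
    for entry in parse_iis_w3c(lines):
        reasons = []
        if is_toolshell_request(entry):
            reasons.append("toolpane-signout-pattern")
        if entry.get("c-ip") in IOC_SOURCE_IPS:
            reasons.append("known-ioc-source-ip")
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


def is_webshell_name(filename):
    """Mirror the hunting query's filter: any file whose name contains 'spinstall0'."""
    return "spinstall0" in filename.lower()


def find_webshell_files(layouts_dir):
    """List files in the given LAYOUTS directory matching the web shell name; empty if the path is absent."""
    layouts = Path(layouts_dir)
    if not layouts.is_dir():
        return []
    return sorted(p.name for p in layouts.iterdir() if p.is_file() and is_webshell_name(p.name))


# Constructed sample log: a benign page load, one request matching the exploitation
# pattern from a reported IP, and one unrelated request from another reported IP.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-18 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:00:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 45
2025-07-18 10:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 312
2025-07-18 10:00:09 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 96.9.125.147 Mozilla/5.0 - 401 2 5 3
"""

if __name__ == "__main__":
    for hit in hunt_iis_log(SAMPLE_LOG.splitlines()):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["reasons"])
    # Path from the article; on a real server run this on the SharePoint host itself.
    print(find_webshell_files(r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS"))
```

On a production server, feed every u_ex*.log under the IIS log directory through hunt_iis_log rather than the sample, and treat a hit on the request pattern as stronger evidence than a bare source-IP match, since the IP list will go stale while the ToolPane.aspx/SignOut.aspx combination is the behaviour of the exploit itself. A successful POST (sc-status 200) followed shortly by spinstall0.aspx appearing in LAYOUTS is the sequence to escalate.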
The Looming Shadow of Unpatched Critical Infrastructure
This zero-day exploit underscores the persistent danger facing complex, internet-exposed enterprise platforms like SharePoint. The rapid weaponization following public exploit details highlights how quickly vulnerabilities transition from theoretical to actively exploited in the hands of threat actors, especially when affecting widely used software. Organizations reliant on on-premises SharePoint must treat the recommended mitigations as an urgent operational imperative. The clock is ticking until a patch arrives, and defenders are currently operating with one hand tied behind their backs. The effectiveness of AMSI and Defender AV as a stopgap, and the ability of security teams to swiftly detect the tell-tale signs of compromise, will determine how many more servers fall victim before Microsoft can deliver a fix.
Source: Based on reporting from BleepingComputer (https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/) and analysis by Eye Security.