Updated on 24 July 2025 to add links to external references and add guidance around applying security updates published by Microsoft.
Overview:
On July 18, 2025, Eye Security identified large-scale exploitation of a zero-day SharePoint vulnerability chain that enables unauthenticated remote code execution (RCE). Within hours, attackers were actively compromising self-hosted SharePoint servers worldwide, deploying malicious .aspx payloads that extract cryptographic keys and enable full server compromise.
Microsoft has since assigned the vulnerabilities CVE-2025-53770 and CVE-2025-53771 and confirmed active exploitation in the wild.
If you run self-hosted SharePoint, immediate action is required. Patching alone is insufficient. You must also rotate your ASP.NET Machine Keys and should perform a compromise assessment to ensure that attackers do not have a persistent foothold in your environment.
What Happened:
- On July 18, 2025, Eye Security’s SOC detected suspicious activity on a client’s SharePoint server. Analysis revealed a webshell dropped via a previously unknown exploitation chain.
- Attackers leveraged ToolShell, a chain of vulnerabilities originally demonstrated at Pwn2Own Berlin 2025 (CVE-2025-49706 & CVE-2025-49704), now weaponized in the wild.
- Two distinct attack waves were observed on July 18 (18:00 UTC) and July 19 (07:30 UTC), targeting thousands of exposed SharePoint servers.
- The exploit enables attackers to bypass authentication and inject malicious ViewState payloads (signed with stolen Machine Keys), granting arbitrary command execution on the SharePoint server.
Why it’s dangerous:
- Attackers can exfiltrate cryptographic material (ValidationKeys) to craft future malicious requests even after servers are patched.
- A successful compromise can lead to data theft, credential harvesting, and lateral movement into connected Microsoft 365 services (e.g., Teams, OneDrive, Outlook).
Risk Analysis:
- Who is at risk? Any organization running unpatched on-premises SharePoint servers accessible over the internet.
- Business impact:
- Data exposure: Attackers gain full access to SharePoint content and underlying system files.
- Persistent compromise: Stolen cryptographic keys can be reused to impersonate services and bypass future security measures.
- Regulatory risks: Breaches may trigger reportable incidents under regulatory or contractual requirements (e.g., HIPAA, PCI DSS, CJIS).
- Why patching isn’t enough: Without rotating ASP.NET Machine Keys, previously stolen keys remain valid and can be abused indefinitely.
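The reasoning behind the last two points, as an added Python illustration that is not part of Assura's advisory: a simplified model of ASP.NET ViewState MAC validation (an HMAC over the payload under the validationKey) shows that a blob produced with a disclosed key still validates on a patched server until the key itself is replaced. The two keys and the payload are constructed values; real ASP.NET also mixes a purpose/modifier into the MAC and uses the algorithm configured in `<machineKey>`, so this is the principle, not Microsoft's exact algorithm.

```python
"""Simplified model of ASP.NET ViewState MAC validation, showing why rotating the
validationKey is required after a key-disclosure compromise (illustration only)."""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(payload: bytes, validation_key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed under validation_key.
    Simplified: real ASP.NET also binds a purpose/modifier and uses the
    algorithm configured in <machineKey>."""
    tag = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload + tag


def verify_viewstate(blob: bytes, validation_key: bytes) -> bool:
    """Server-side check: recompute the tag and compare in constant time."""
    if len(blob) < TAG_LEN:
        return False
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def still_accepted_after(stolen_key: bytes, current_key: bytes) -> bool:
    """Would a blob signed with a previously disclosed key pass validation now?"""
    blob = sign_viewstate(b"constructed viewstate payload", stolen_key)
    return verify_viewstate(blob, current_key)


# Constructed stand-ins: the pre-incident key and a freshly generated replacement.
STOLEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 4)
ROTATED_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 4)

if __name__ == "__main__":
    # Patched but not rotated: the old key is still trusted, so the blob passes.
    print("patched, key not rotated:", still_accepted_after(STOLEN_KEY, STOLEN_KEY))   # True
    # Patched and rotated: the same blob is rejected.
    print("patched and key rotated: ", still_accepted_after(STOLEN_KEY, ROTATED_KEY))  # False
```

The takeaway for the runbook is the first line of output: a security update closes the entry point, but only `Update-SPMachineKey` (and an IIS restart so the new key is loaded) invalidates material taken before the patch.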
Tactical Guidance (What to Do Now):
- Mitigate Immediately:
- Apply Microsoft’s mitigations for CVE-2025-53770 and CVE-2025-53771, including applying the relevant security updates for your SharePoint version (Subscription Edition, 2016, or 2019). (See Microsoft Guidance)
- Rotate ASP.NET Machine Keys – use PowerShell to generate new keys:
    Update-SPMachineKey -WebApplication <SPWebApplicationPipeBind>
- Then restart IIS so the new keys are loaded:
    iisreset.exe
- Check for Compromise:
- Look for the following Indicators of Compromise (IOCs) in SIEMs, IIS logs, or other monitoring and logging tools for your SharePoint server(s):
- Webshell path (crypto-dumping payload): /_layouts/15/spinstall0.aspx
- SHA256 hash of the payload: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
- Malicious POST path: /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
- Suspicious Referer: /_layouts/SignOut.aspx
- Source IPs:
- 191.58[.]76 (July 18 wave)
- 238.159[.]149 (July 19 wave)
- Search IIS logs for the User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
- Engage Incident Response – If compromise is suspected, isolate the affected server, declare an incident and initiate forensic investigation immediately to determine the impact and conduct proper remediation.
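The IOC hunt described under "Check for Compromise", as an added Python example that is not part of Assura's advisory or tooling: it parses an IIS log in W3C extended format using the log's own #Fields header and flags each line that matches the webshell path, the ToolPane.aspx POST, the SignOut.aspx Referer or the User-Agent listed above. The log excerpt, the internal host names and the 203.0.113.10 client address are constructed for the demonstration; the SUSPECT_IPS set is a placeholder to be populated from the advisory's source-IP list.

```python
"""Scan an IIS W3C log for the ToolShell IOCs listed in the advisory."""
import io
from urllib.parse import parse_qs

# Network indicators as published in the advisory (compared case-insensitively).
IOC_WEBSHELL_STEM = "/_layouts/15/spinstall0.aspx"
IOC_TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
IOC_REFERER = "/_layouts/signout.aspx"
IOC_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) "
                  "Gecko/20100101 Firefox/120.0")
# Constructed placeholder: populate with the source IPs from the advisory's IOC list.
SUSPECT_IPS = {"203.0.113.10"}

# Constructed IIS log excerpt (W3C extended format) for the demonstration.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-18 18:02:11
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 18:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sharepoint.example.test/_layouts/SignOut.aspx 200 0 0 312
2025-07-18 18:02:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 45
2025-07-18 18:05:00 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CONTOSO\jdoe 10.0.0.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 https://sharepoint.example.test/sites/hr 200 0 0 88
"""


def parse_w3c(text):
    """Yield (line_no, record) for each data line, mapping columns via the #Fields header."""
    fields = None
    for line_no, raw in enumerate(io.StringIO(text), start=1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError(f"data line {line_no} appears before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated line: skip rather than mis-align columns
        yield line_no, dict(zip(fields, values))


def indicators_for(rec):
    """Return the advisory IOCs matched by one IIS log record."""
    hits = []
    method = rec.get("cs-method", "")
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "")
    # IIS writes '+' for spaces inside a field and '-' for an empty field.
    user_agent = rec.get("cs(User-Agent)", "").replace("+", " ")
    referer = rec.get("cs(Referer)", "").lower()

    if stem.endswith(IOC_WEBSHELL_STEM):
        hits.append("spinstall0.aspx webshell request")
    if method == "POST" and stem.endswith(IOC_TOOLPANE_STEM):
        params = parse_qs(query.lower())
        if params.get("displaymode") == ["edit"] and params.get("a") == ["/toolpane.aspx"]:
            hits.append("ToolPane.aspx exploit POST")
    if IOC_REFERER in referer:
        hits.append("SignOut.aspx referer")
    if user_agent == IOC_USER_AGENT:
        hits.append("IOC user-agent")
    if rec.get("c-ip") in SUSPECT_IPS:
        hits.append("known source IP")
    return hits


def scan_iis_log(text):
    """Return one finding per log line that matches at least one IOC."""
    findings = []
    for line_no, rec in parse_w3c(text):
        hits = indicators_for(rec)
        if hits:
            findings.append({
                "line": line_no,
                "time": f"{rec.get('date')} {rec.get('time')}",
                "c-ip": rec.get("c-ip"),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(f"line {finding['line']} {finding['time']} {finding['c-ip']}: "
              + "; ".join(finding["indicators"]))
```

Point the scan at the real files under %SystemDrive%\inetpub\logs\LogFiles\W3SVC* (one call per file, since the #Fields header can differ between sites). A line that matches only the User-Agent or Referer is a lead, not a verdict; a POST to ToolPane.aspx followed by any request for spinstall0.aspx from the same client is the pattern that should trigger the incident-response step below.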
Assura’s Recommendations
This is a rapidly evolving threat with active exploitation, and organizations should assume they are targets if they run on-prem SharePoint.
What Assura’s SOC is Doing for Our Clients
- Providing 24/7 monitoring and detection for webshell activity and abnormal PowerShell executions.
- Hunting for evidence of exploitation across each affected client’s environment.
- Actively searching for known IOCs, adding new ones to our Threat Intelligence Platform, and retrospectively searching for IOCs as they emerge.
- Alerting on the POST path used to trigger the exploit and deliver the SharPyShell-based webshell associated with these Microsoft CVEs.
- Actively keeping abreast of developments related to this rapidly emerging situation.
If you lack 24/7 monitoring or suspect you have been compromised, contact Assura immediately to ensure your environment is protected.