Updated: ACTIVE EXPLOITATION ALERT: Zero-Day Vulnerability Affecting Self-Hosted SharePoint Servers (CVE-2025-53770/53771)

Posted in: Resources » Cyber Heads-up

Updated on 24 July 2025 to add links to external references and add guidance around applying security updates published by Microsoft.

Overview:

On July 18, 2025, Eye Security identified large-scale exploitation of a zero-day SharePoint vulnerability chain that enables unauthenticated remote code execution (RCE). Within hours, attackers were actively compromising self-hosted SharePoint servers worldwide, deploying malicious .aspx payloads that extract cryptographic keys and enable full server compromise.

Microsoft has since assigned the vulnerabilities CVE-2025-53770 and CVE-2025-53771 and confirmed active exploitation in the wild.

If you run self-hosted SharePoint, immediate action is required. Patching alone is insufficient. You must also rotate your ASP.NET Machine Keys and should perform a compromise assessment to ensure that attackers do not have a persistent foothold in your environment.

What Happened:

  • On July 18, 2025, Eye Security’s SOC detected suspicious activity on a client’s SharePoint server. Analysis revealed a webshell dropped via a previously unknown exploitation chain.
  • Attackers leveraged ToolShell, a chain of vulnerabilities originally demonstrated at Pwn2Own Berlin 2025 (CVE-2025-49706 & CVE-2025-49704), now weaponized in the wild.
  • Two distinct attack waves were observed on July 18 (18:00 UTC) and July 19 (07:30 UTC), targeting thousands of exposed SharePoint servers.
  • The exploit enables attackers to bypass authentication and inject malicious ViewState payloads (signed with stolen Machine Keys), granting arbitrary command execution on the SharePoint server.

Why it’s dangerous:

  • Attackers can exfiltrate cryptographic material (ValidationKeys) to craft future malicious requests even after servers are patched.
  • A successful compromise can lead to data theft, credential harvesting, and lateral movement into connected Microsoft 365 services (e.g., Teams, OneDrive, Outlook).

Risk Analysis:

  • Who is at risk? Any organization running unpatched on-premises SharePoint servers accessible over the internet.
  • Business impact:
    • Data exposure: Attackers gain full access to SharePoint content and underlying system files.
    • Persistent compromise: Stolen cryptographic keys can be reused to impersonate services and bypass future security measures.
    • Regulatory risks: Breaches may trigger reportable incidents under regulatory or contractual requirements (e.g., HIPAA, PCI DSS, CJIS).
  • Why patching isn’t enough: Without rotating ASP.NET Machine Keys, previously stolen keys remain valid and can be abused indefinitely.

Tactical Guidance (What to Do Now):

  • Mitigate Immediately:
    • Apply Microsoft’s mitigations for CVE-2025-53770 and CVE-2025-53771, including applying the relevant security updates for your SharePoint version (Subscription Edition, 2016, or 2019). (See Microsoft Guidance)
    • Rotate ASP.NET Machine Keys – Use PowerShell to generate new keys: Update-SPMachineKey -WebApplication <SPWebApplicationPipeBind>
    • Then restart IIS: iisreset.exe
  • Check for Compromise
    • Look for the following Indicators of Compromise (IOCs) in SIEMs, IIS logs, or other monitoring and logging tools for your SharePoint server(s):
      • /_layouts/15/spinstall0.aspx (crypto-dumping payload)
      • SHA256 hash: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
      • Malicious POST path: /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
      • Suspicious Referer: /_layouts/SignOut.aspx
      • Source IPs:
        • 191.58[.]76 (July 18 wave)
        • 238.159[.]149 (July 19 wave)
      • User-Agent (search IIS logs): Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
  • Engage Incident Response – If compromise is suspected, isolate the affected server, declare an incident and initiate forensic investigation immediately to determine the impact and conduct proper remediation.
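
The following PowerShell script is an added example, not code from the Assura advisory or from Microsoft. It ties the steps above together: it parses IIS W3C-format logs and flags requests that match the indicators listed (the spinstall0.aspx path, the ToolPane.aspx POST with DisplayMode=Edit&a=/ToolPane.aspx, the SignOut.aspx referer, and the campaign User-Agent), then offers a guarded rotation of the ASP.NET Machine Keys for every web application followed by an IIS reset. It assumes the default IIS log field layout (date, time, cs-method, cs-uri-stem, cs-uri-query, c-ip, cs(User-Agent), cs(Referer), ...) and the IIS convention of writing spaces in the User-Agent as '+'. The sample log lines are constructed, the client addresses in them are RFC 5737 documentation addresses, and the hostname sharepoint.example.test is a placeholder. Because the source IPs on this page are given only as fragments, the script does not key on IP addresses; add the full addresses from Microsoft's or Eye Security's references to $KnownBadIps before use.

```powershell
# Added example (not the advisory's or Microsoft's code): hunt IIS logs for the
# ToolShell indicators above, then rotate machine keys on a SharePoint server.

$IndicatorPaths = @(
    '/_layouts/15/spinstall0.aspx',   # crypto-dumping payload
    '/_layouts/15/ToolPane.aspx'      # exploit entry point (POST, DisplayMode=Edit)
)
$SuspiciousReferer   = '/_layouts/SignOut.aspx'
# IIS logs spaces inside cs(User-Agent) as '+', so compare against that form.
$SuspiciousUserAgent = 'Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0'
# The page lists only partial source IPs; fill this from the vendor references.
$KnownBadIps = @()

function ConvertFrom-IisW3cLog {
    # Turn W3C log text into objects whose properties come from the #Fields header.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or [string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

function Find-ToolShellIndicators {
    # Emit one hit per request that matches at least one indicator; the Reasons
    # column shows which ones, so a lone User-Agent match is easy to triage.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($e in ConvertFrom-IisW3cLog -Lines $Lines) {
        $reasons = @()
        if ($e.'cs-uri-stem' -eq $IndicatorPaths[0]) { $reasons += 'spinstall0.aspx requested' }
        if ($e.'cs-method' -eq 'POST' -and $e.'cs-uri-stem' -eq $IndicatorPaths[1] -and
            $e.'cs-uri-query' -match 'DisplayMode=Edit' -and $e.'cs-uri-query' -match 'a=/ToolPane\.aspx') {
            $reasons += 'ToolPane.aspx exploit POST'
        }
        if ($e.'cs(Referer)' -like "*$SuspiciousReferer") { $reasons += 'SignOut.aspx referer' }
        if ($e.'cs(User-Agent)' -eq $SuspiciousUserAgent) { $reasons += 'campaign User-Agent' }
        if ($KnownBadIps -contains $e.'c-ip') { $reasons += 'known source IP' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = "$($e.date) $($e.time)"
                ClientIp = $e.'c-ip'
                Request  = "$($e.'cs-method') $($e.'cs-uri-stem')"
                Reasons  = $reasons -join '; '
            }
        }
    }
}

function Invoke-SPMachineKeyRotation {
    # Rotate the ASP.NET Machine Keys for every web application, then reset IIS,
    # as the guidance above directs. Only runs where the SharePoint cmdlet exists.
    if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
        Write-Warning 'Update-SPMachineKey not found; run this on a patched SharePoint server.'
        return
    }
    foreach ($wa in Get-SPWebApplication) {
        Update-SPMachineKey -WebApplication $wa
    }
    iisreset.exe
}

# Constructed sample: one exploit sequence (two requests) plus one benign request.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 18:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sharepoint.example.test/_layouts/SignOut.aspx 200 0 0 512
2025-07-18 18:02:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 40
2025-07-18 18:05:00 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 DOMAIN\alice 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 https://sharepoint.example.test/sites/hr 200 0 0 120
'@ -split "`r?`n"

# Expected: two hits from 203.0.113.10 (the POST and the spinstall0 GET), none for the benign row.
Find-ToolShellIndicators -Lines $SampleLog | Format-Table -AutoSize

# Against a real server, read every site's logs from the default IIS location:
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' |
#     ForEach-Object { Find-ToolShellIndicators -Lines (Get-Content $_.FullName) }
```

Read hits by their Reasons column: the ToolPane.aspx POST and any request for spinstall0.aspx are high-confidence on their own, whereas the User-Agent string is a stock Firefox 120 value that legitimate browsers also send, so treat a User-Agent-only hit as corroboration rather than evidence of compromise. Run the rotation function only after the security update is installed, since rotating keys on an unpatched server leaves the exploit path open and the new keys exposed to the same theft.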

Assura’s Recommendations

This is a rapidly evolving threat with active exploitation, and organizations should assume they are targets if they run on-prem SharePoint.

What Assura’s SOC is Doing for Our Clients

  • Providing 24/7 monitoring and detection for webshell activity and abnormal PowerShell executions.
  • Hunting for evidence of exploitation across each affected client’s environment.
  • Actively searching for known IOCs, adding new ones to our Threat Intelligence Platform, and retrospectively searching for IOCs as they emerge.
  • Alerting on the POST path used to trigger the exploit and to push SharPyShell-based payloads tied to the Microsoft CVEs.
  • Actively keeping abreast of developments related to this rapidly emerging situation.

If you lack 24/7 monitoring or suspect you have been compromised, contact Assura immediately to ensure your environment is protected.

External References