A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an “active, large-scale” exploitation campaign.
The zero-day flaw, known as CVE-2025-53770 (CVSS score: 9.8), is a variant of CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in Microsoft SharePoint Server that was addressed by the tech giant in July 2025.
In an advisory released on July 19, 2025, Microsoft stated that “Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.”
The company is working on a comprehensive update to fix the issue, with credit going to Viettel Cyber Security for discovering and reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI).
Microsoft has warned of active attacks targeting on-premises SharePoint Server customers, while emphasizing that SharePoint Online in Microsoft 365 is not affected.
Until a patch is available, Microsoft recommends configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.
If AMSI integration is not possible, users are advised to disconnect the SharePoint Server from the internet; for added protection, Microsoft also recommends deploying Defender for Endpoint to detect and block post-exploit activity.
Eye Security and Palo Alto Networks Unit 42 have raised concerns about attacks chaining CVE-2025-49706 and CVE-2025-49704, a code injection flaw in SharePoint, to enable arbitrary command execution on vulnerable instances.
The exploit chain has been named ToolShell.
Given that CVE-2025-53770 is a “variant” of CVE-2025-49706, it is likely that these attacks are connected.
The malicious activity involves delivering ASPX payloads via PowerShell to steal the SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey, for persistent access.
These keys are crucial for generating valid __VIEWSTATE payloads, turning any authenticated SharePoint request into a remote code execution opportunity.
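The following is an added illustration, not code from the article or from Microsoft, of why a stolen ValidationKey means persistent access: ASP.NET only deserializes a `__VIEWSTATE` blob whose MAC verifies under the server's current key, so whoever holds the key can mint blobs the server accepts, and only replacing the key invalidates them. The HMAC layout, the sample payload and the placeholder key are simplifications assumed here and do not reproduce the real ViewState format.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = 32  # HMAC-SHA256 digest length


def sign_viewstate(payload: bytes, validation_key: bytes) -> str:
    """Simplified model of the ViewState MAC: base64(payload || HMAC-SHA256(key, payload))."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_viewstate(token: str, validation_key: bytes) -> Optional[bytes]:
    """Return the payload only if its MAC validates under the server's current key.

    A real server hands a blob that passes this check to the deserializer; a blob
    that fails is rejected before any deserialization happens. Holding the key is
    therefore what turns an otherwise unprivileged request into a trusted one.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return payload


def new_validation_key() -> bytes:
    """Generate a fresh 64-byte key, as a MachineKey rotation would."""
    return secrets.token_bytes(64)


def run_scenario() -> dict:
    """Leaked key: forged blob accepted. Tampered blob: rejected. Rotated key: same blob rejected."""
    server_key = b"constructed-placeholder-validation-key"  # not a real key
    payload = b"constructed-serialized-viewstate"  # stands in for serialized ViewState
    token = sign_viewstate(payload, server_key)  # anyone holding the key can build this
    raw = base64.b64decode(token)
    tampered = base64.b64encode(bytes([raw[0] ^ 1]) + raw[1:]).decode("ascii")
    return {
        "accepted_with_leaked_key": verify_viewstate(token, server_key) == payload,
        "rejected_after_tamper": verify_viewstate(tampered, server_key) is None,
        "rejected_after_rotation": verify_viewstate(token, new_validation_key()) is None,
    }
```

The third result is the practical takeaway for responders: a compromised MachineKey stays usable until it is replaced, regardless of whether the original entry point is patched.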
Eye Security’s CTO Piet Kerkhofs warned of mass exploit waves, stating that adversaries are moving rapidly using this remote code execution.
Almost 75 organizations have been notified of breaches related to the malicious web shell on their SharePoint servers, including major companies and government bodies worldwide.
Microsoft has not updated its advisories for CVE-2025-49706 and CVE-2025-49704 to reflect active exploitation. Further updates are pending.
(The story is developing. Please check back for more details.)