A dangerous zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, is currently being weaponized by threat actors. With a CVSS score of 9.8, this flaw allows unauthenticated attackers to remotely execute code on vulnerable SharePoint servers. Microsoft has confirmed the active exploitation of this flaw in a campaign that has already compromised more than 85 servers worldwide.
What is CVE-2025-53770 and why is it critical?
CVE-2025-53770 is a variant of CVE-2025-49704, a previously patched remote code execution bug. The vulnerability stems from the deserialization of untrusted data in on-premises Microsoft SharePoint Servers. This allows an attacker to execute commands on the server before authentication, granting them initial access without valid credentials.
The attack chain abuses the way SharePoint handles object deserialization. Once access is gained, attackers can steal machine-level cryptographic keys, such as ValidationKey and DecryptionKey, and use them to generate forged __VIEWSTATE payloads. This grants long-term persistence and the ability to run further malicious commands while blending into legitimate SharePoint traffic.
Real-world impact of the exploit
According to Eye Security and Palo Alto Networks Unit 42, this vulnerability has been used in a large-scale campaign dubbed “ToolShell.” So far, over 85 SharePoint servers belonging to 29 organizations, including government and multinational entities, have been compromised. Attackers use ASPX payloads delivered via PowerShell to extract machine keys and gain full control of the SharePoint instance.
What makes this exploit especially dangerous is the ability to maintain access even after patching, as patches do not rotate the stolen keys. This persistence mechanism complicates remediation significantly.
CISA and Microsoft’s response
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of this vulnerability and issued an alert encouraging immediate mitigation actions. Microsoft acknowledged the issue and credited Viettel Cyber Security for discovering it via the Trend Micro Zero Day Initiative. A patch was released shortly after confirmation, addressing both CVE-2025-53770 and a related flaw, CVE-2025-53771.
Microsoft urges users to enable Antimalware Scan Interface (AMSI) integration and to deploy Microsoft Defender Antivirus and Defender for Endpoint to improve detection capabilities. Servers unable to use AMSI should be disconnected from the internet until patched.
Technical details and exploit chain
The vulnerability is closely tied to other known bugs:
- CVE-2025-49704: Original RCE flaw used for arbitrary command execution.
- CVE-2025-49706: A spoofing vulnerability involving the HTTP Referer header. When the referer includes _layouts/SignOut.aspx, the exploit chain morphs into CVE-2025-53770.
- CVE-2025-53771: A new zero-day that adds further protections over CVE-2025-49706.
The attackers exploit SharePoint’s ToolPane endpoint to bypass authentication and deploy payloads before access controls are enforced.
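As an added illustration (not code from The Hacker News article or from Microsoft's guidance), the following Python script parses a constructed IIS W3C log excerpt and flags POST requests to the ToolPane endpoint whose Referer points at SignOut.aspx, the combination described above. The field names follow the standard IIS W3C log format; the log lines, hostnames and IP addresses are fabricated sample data.

```python
"""Flag ToolShell-style requests in an IIS W3C log: POST to ToolPane.aspx with a SignOut.aspx Referer."""

# Constructed IIS W3C log excerpt (fabricated sample data, not from a real incident).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:02:11 GET /sites/hr/SitePages/Home.aspx - CORP\\jdoe 10.0.0.12 Mozilla/5.0 https://sp.example.local/sites/hr 200
2025-07-19 10:02:40 POST /_layouts/15/ToolPane.aspx - - 198.51.100.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 10:03:05 POST /_layouts/15/ToolPane.aspx - CORP\\admin 10.0.0.12 Mozilla/5.0 https://sp.example.local/_layouts/15/settings.aspx 200
"""


def parse_w3c(text: str) -> list:
    """Parse W3C extended log text into one dict per request, keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names declared by the log header
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            parts = line.split(" ")            # W3C format is space-delimited, spaces in values are encoded as '+'
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def is_toolshell_like(row: dict) -> bool:
    """Detection rule: POST to ToolPane.aspx whose Referer contains _layouts/SignOut.aspx."""
    stem = row.get("cs-uri-stem", "").lower()
    referer = row.get("cs(Referer)", "").lower()
    return (row.get("cs-method", "").upper() == "POST"
            and stem.endswith("/toolpane.aspx")
            and "_layouts/signout.aspx" in referer)


def find_suspicious(log_text: str) -> list:
    """Return matching rows, each annotated with a human-readable reason for triage."""
    hits = []
    for row in parse_w3c(log_text):
        if is_toolshell_like(row):
            reason = "POST to ToolPane.aspx with SignOut.aspx Referer"
            if row.get("cs-username") == "-":  # IIS logs '-' when no user was authenticated
                reason += "; no authenticated user"
            row["reason"] = reason
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["date"]} {hit["time"]} {hit["c-ip"]} -> {hit["reason"]}')
```

A hit is a starting point for investigation, not proof of compromise; correlate it with the key-rotation and __VIEWSTATE monitoring steps in the mitigation section.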
Mitigation and recommendations
Microsoft has released a patch for the vulnerability. In the meantime, organizations should:
- Ensure AMSI integration is enabled on all SharePoint servers.
- Deploy Defender AV and Defender for Endpoint to enhance threat detection.
- Revoke and regenerate compromised cryptographic keys if unauthorized access is suspected.
- Monitor for suspicious __VIEWSTATE payloads or unusual PowerShell activity.
Organizations that rely on on-premises SharePoint must take immediate steps to secure their systems.
If your company needs help identifying or responding to such attacks, consider our cybersecurity services to assess risks and implement proper threat detection and response.
Conclusion
CVE-2025-53770 poses a severe threat to organizations using on-premises Microsoft SharePoint. With attackers able to bypass authentication, execute remote code, and maintain persistence using stolen cryptographic keys, traditional patching may not be sufficient. Organizations must act fast, apply Microsoft’s latest updates, and harden their SharePoint environments with advanced endpoint protections.
Read the full article at The Hacker News here.