CVE-2025-53770 Zero-Day Vulnerability

A severe security flaw in Microsoft SharePoint Server has become the focus of an ongoing, large-scale cyberattack campaign. Tracked as CVE-2025-53770 with a CVSS score of 9.8, this vulnerability is classified as a zero-day and is closely related to CVE-2025-49704 (CVSS 8.8), a code injection and remote code execution bug addressed during Microsoft's July 2025 Patch Tuesday updates. The flaw stems from the deserialization of untrusted data, which allows attackers to execute malicious code remotely and without proper authorization.

Active Attacks and Impacted Systems

Researchers have confirmed that cybercriminals are actively exploiting this vulnerability against on-premises SharePoint Server instances. Importantly, SharePoint Online in Microsoft 365 remains unaffected. The attackers are exploiting how SharePoint handles untrusted objects during deserialization, granting them the ability to execute commands before user authentication. Once inside the system, attackers can generate forged payloads using stolen machine keys, enabling lateral movement and persistent access. This makes detection and mitigation challenging, as their activity can mimic legitimate SharePoint traffic.

Complex Exploit Chains

Evidence suggests that CVE-2025-53770 is being used alongside other flaws, including CVE-2025-49706 (a spoofing bug with a CVSS score of 6.3) and CVE-2025-49704, to form an advanced exploit chain known as ToolShell. Attackers leverage CVE-2025-49706 to deliver remote code execution payloads that exploit CVE-2025-49704. Adding '_layouts/SignOut.aspx' as the HTTP referer reportedly transforms CVE-2025-49706 into CVE-2025-53770, enabling a more streamlined exploitation process.

The attacks typically involve ASPX payloads delivered via PowerShell, with the goal of stealing the server's MachineKey configuration (ValidationKey and DecryptionKey). These keys are critical because they allow attackers to craft malicious __VIEWSTATE payloads that SharePoint will accept as valid, effectively turning any authenticated request into a remote code execution opportunity.
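Detection logic for the referer pattern described in the exploit-chain section above, as an added example rather than anything from the original article: it parses IIS W3C log records (constructed sample entries, not real incident data) and flags requests to a `_layouts` page whose Referer is `_layouts/SignOut.aspx`, noting when the request is a POST or comes from an anonymous user. The field names follow the standard IIS `#Fields` header; the hostname and addresses are placeholders.

```python
import re

# Constructed sample IIS W3C log lines (fields as declared in the #Fields header),
# illustrative entries only, not records from a real incident.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:14:07 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.5 Mozilla/5.0 https://sp.example.internal/sites/hr 200
2025-07-19 03:14:09 POST /_layouts/15/somepage.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:14:10 GET /_layouts/SignOut.aspx - 443 CONTOSO\\jdoe 10.0.0.5 Mozilla/5.0 https://sp.example.internal/sites/hr 302
"""

def parse_iis_w3c(log_text):
    """Yield one dict per record, keyed by the names from the most recent #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip header-less or malformed lines instead of guessing column positions
        yield dict(zip(fields, values))

# Referer value the article reports as the trigger; path may carry a version segment like /_layouts/15/.
SIGNOUT_REFERER = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx$", re.IGNORECASE)
LAYOUTS_PAGE = re.compile(r"/_layouts/", re.IGNORECASE)

def is_suspicious(rec):
    """Return a reason string when the record matches the spoofed-referer pattern, else None."""
    referer = rec.get("cs(Referer)", "-")
    stem = rec.get("cs-uri-stem", "")
    if not SIGNOUT_REFERER.search(referer):
        return None
    if not LAYOUTS_PAGE.search(stem) or SIGNOUT_REFERER.search(stem):
        return None  # a request to SignOut.aspx itself is ordinary sign-out traffic
    reasons = ["Referer set to _layouts/SignOut.aspx"]
    if rec.get("cs-method", "").upper() == "POST":
        reasons.append("POST to a _layouts page")
    if rec.get("cs-username", "-") == "-":
        reasons.append("no authenticated user")
    return "; ".join(reasons)

def find_suspicious(log_text):
    """Return (record, reason) pairs for every record that matches the pattern."""
    checked = ((rec, is_suspicious(rec)) for rec in parse_iis_w3c(log_text))
    return [(rec, reason) for rec, reason in checked if reason]
```

Running `find_suspicious(SAMPLE_LOG)` flags only the second record; a hit is a lead for log review and key rotation, not proof of compromise on its own.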

Scale of Compromise

So far, more than 85 SharePoint servers worldwide have been compromised, impacting at least 29 organizations, including multinational corporations and government agencies. Once attackers have the cryptographic keys, remediation becomes far more complicated. Even after applying a security patch, stolen keys may still allow attackers to maintain access unless those keys are manually rotated or reconfigured.

Mitigation Measures

Until an official patch became available, Microsoft advised organizations to enable Antimalware Scan Interface (AMSI) integration in SharePoint. For customers unable to activate AMSI, disconnecting vulnerable SharePoint Servers from the internet was strongly recommended.

Following ongoing exploitation reports, Microsoft has released patches for both CVE-2025-53770 and a newly discovered flaw, CVE-2025-53771, to protect vulnerable systems.

CISA’s Warning

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert confirming active exploitation of CVE-2025-53770. This vulnerability allows attackers to achieve unauthenticated, remote code execution over the network, posing a severe threat to any unpatched SharePoint environment.