
SharePoint Zero-Day Being Actively Exploited

The flaw allows remote code execution through the deserialization of untrusted data.


A critical zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, is being actively exploited in a widespread campaign.

According to The Hacker News, the flaw, rated 9.8 on the CVSS scale, is a variant of a previously disclosed bug, CVE-2025-49704, that allows remote code execution through the deserialization of untrusted data.

Microsoft has acknowledged the issue and credited Viettel Cyber Security for its discovery via Trend Micro’s Zero Day Initiative. While SharePoint Online is unaffected, on-premises servers are at risk: attackers are leveraging the bug to bypass authentication and execute arbitrary commands, which makes detection particularly challenging.

ToolShell

Security experts warn that the attack chain—dubbed “ToolShell”—also involves chaining CVE-2025-49706, a spoofing flaw, to elevate attacks. By exploiting this combination, attackers can plant malicious ASPX payloads via PowerShell and steal cryptographic keys (MachineKey, ValidationKey, and DecryptionKey) from the server. These keys allow them to forge __VIEWSTATE payloads, effectively enabling persistent remote code execution even after the server is patched.

Michael Sikorski, CTO and head of threat intelligence for Unit 42 at Palo Alto Networks, said what makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform, including services such as Office, Teams, OneDrive and Outlook, which together hold the information an attacker values most.

“Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access,” he said. “Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold. If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert confirming active exploitation of CVE-2025-53770 and urging immediate defensive action. Microsoft recommends enabling AMSI integration and Defender AV on SharePoint servers, and disconnecting from the internet if mitigation isn't possible.

Eye Security has detected more than 85 compromised SharePoint servers across 29 organisations, including governments and multinational corporations.

A security update has now been released for CVE-2025-53770 and a related flaw, CVE-2025-53771, though concerns remain that stolen cryptographic secrets may leave systems vulnerable even post-patch unless additional remediation steps are taken.
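The post-patch risk described above comes from the stolen MachineKey material: as long as the old ValidationKey and DecryptionKey remain in place, forged __VIEWSTATE payloads keep working. The following is an added example, not code from the article or from Microsoft, that rotates those keys on every SharePoint web application using the `Update-SPMachineKey` cmdlet that ships with SharePoint Server; it assumes the SharePoint PowerShell snap-in is available and that the session runs as a farm administrator.

```powershell
# Added example (not from the article): rotate the ASP.NET machine keys for
# every web application in the farm after the security update is installed,
# so that keys exfiltrated before patching can no longer sign __VIEWSTATE.
# Assumption: run on a SharePoint server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$results = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        # Update-SPMachineKey generates fresh validation/decryption keys for the
        # web application and distributes them to every server in the farm.
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        [pscustomobject]@{
            WebApplication = $webApp.DisplayName
            Url            = $webApp.Url
            Rotated        = $true
            Error          = $null
        }
    } catch {
        [pscustomobject]@{
            WebApplication = $webApp.DisplayName
            Url            = $webApp.Url
            Rotated        = $false
            Error          = $_.Exception.Message
        }
    }
}

# Record the outcome per web application so a failed rotation is not missed;
# a web application that still reports Rotated = $false keeps its old keys.
$results | Format-Table -AutoSize

# New keys are only picked up once the IIS worker processes reload their
# configuration, so restart IIS after at least one successful rotation.
if ($results.Rotated -contains $true) {
    iisreset.exe
}
```

Rotate keys only after the update is applied, and repeat the rotation on every farm; a rotated key does not remove web shells or other persistence already planted, which still need to be hunted separately.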


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
