A zero-day vulnerability in Microsoft Corp.’s SharePoint with no known patch is being exploited in the wild as security researchers warn that attackers are actively compromising servers across multiple sectors.
The vulnerability, tracked as CVE-2025-53770 and dubbed “ToolShell,” affects on-premises versions of SharePoint Server 2016, 2019 and the Subscription Edition. The vulnerability stems from insecure deserialization that allows unauthenticated remote code execution, giving attackers the ability to to take control of servers without any credentials.
Microsoft confirmed active exploitation of the vulnerability on July 19 and has issued interim guidance as it works on a permanent fix.
The vulnerability is being leveraged in a coordinated campaign that was first observed by researchers at Eye Security B.V. on July 18. According to the researchers, attackers are using the flaw to deploy a malicious ASPX payload known as “spinstall0.aspx,” which extracts cryptographic machine keys used by SharePoint. Upon obtaining the keys, attackers can forge valid ViewState tokens and maintain persistent access, even after the servers are patched.
Eye Security estimates that at least 75 to 85 servers have already been compromised, with victims spanning government agencies, telecom firms, financial institutions, universities and energy providers.
An attack that seeks to exploit the vulnerability starts with a specially crafted POST request to SharePoint’s ToolPane.aspx endpoint that is also combined with a spoofed Referer header pointing to the SignOut.aspx page. The request then triggers the upload and execution of the spinstall0.aspx payload, which then provides access to the server’s ValidationKey and DecryptionKey.
Once an attacker has their hands on keys to server, they can bypass standard security measures and remotely execute commands as a trusted user.
With no patch available, Microsoft is urging administrators to enable AMSI integration and deploy Microsoft Defender Antivirus and Defender for Endpoint to detect and block known indicators of compromise. AMSI integration, or Antimalware Scan Interface integration, allows SharePoint to work with antivirus solutions like Microsoft Defender to scan and block malicious scripts and payloads in real time before they’re executed.
The U.S. Cybersecurity and Infrastructure Agency has also issued guidance on the vulnerability, noting that if AMSI cannot be enabled, SharePoint server users should disconnect affected products that are public-facing on the internet until official mitigations are available.
Analysts are also warning that mitigation alone is insufficient if compromise has already occurred, as attackers with access to machine keys can retain control. Full remediation requires key rotation, threat hunting and removal of any deployed web shells.
Image: News/Reve
Support our open free content by sharing and engaging with our content and community.
Join theCUBE Alumni Trust Network
Where Technology Leaders Connect, Share Intelligence & Create Opportunities
11.4k+
CUBE Alumni Network
C-level and Technical
Domain Experts
Connect with 11,413+ industry leaders from our network of tech and business leaders forming a unique trusted network effect.
News Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of News, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — News Media operates at the intersection of media, technology, and AI. .
Founded by tech visionaries John Furrier and Dave Vellante, News Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
