Microsoft has confirmed active exploitation of a critical zero-day vulnerability in SharePoint Server, tracked as CVE-2025-53770 (CVSS 9.8), serving as a sobering reminder of the threats aimed at enterprise collaboration systems. In what is being called a massive exploitation campaign, at least 85 servers from 29 international organizations—including government agencies—have already been compromised.
This vulnerability, which is a variation of the previously fixed CVE-2025-49704, takes advantage of the way SharePoint deserialises untrusted objects to enable unauthenticated remote code execution. Attackers have swiftly adjusted to a partial patch that was released earlier in July, demonstrating how patch bypasses and post-exploit persistence are still essential components of contemporary threat actor strategies.
Bluefire Redteam Expert Insight
“We’re actively helping clients in finance and government sectors respond to this,”
says Ashish Jha, Head of Cybersecurity Services at Bluefire Redteam.
“What’s alarming is not just the RCE, but the attackers’ ability to persist by stealing and reusing ASP.NET machine keys. This means that even after patching, many environments remain vulnerable unless secrets are rotated.”This vulnerability is a classic example of patch bypass evolution, according to the Bluefire Redteam offensive security team. Attackers modified their payloads to get around earlier defences, creating CVE-2025-53770 after the vulnerability was first mitigated with CVE-2025-49704 and CVE-2025-49706.
“We replicated the attack in a secure lab,” adds Red Team Lead at Bluefire,
“and confirmed that attackers can dropspinstall0.aspxusing PowerShell via forged VIEWSTATE payloads. If endpoint visibility is missing, these actions look like legitimate admin behavior.”
How CVE-2025-53770 Works
- Unauthenticated RCE: Attackers can remotely execute arbitrary code without logging in.
What is Unauthenticated RCE?
Unauthenticated Remote Code Execution (RCE) is one of the most dangerous types of vulnerabilities in cybersecurity. It allows an attacker to run malicious code on a server or system from anywhere on the internet — and critically, without having to log in or authenticate. This means the attacker doesn’t need a username, password, or even privileged access. If a system is exposed, it’s open to takeover.
- Key Theft: Exploits allow access to the
ValidationKeyandDecryptionKeyfrom machine.config. - Persistence via __VIEWSTATE: Using stolen keys, attackers craft malicious
__VIEWSTATEpayloads that SharePoint accepts as valid. - Lateral Movement: Once inside, adversaries spread across internal systems by abusing trusted communications.
This activity has been seen chained with CVE-2025-49706, a spoofing flaw in how the HTTP referer is handled, forming a full exploit chain dubbed ToolShell.
Bluefire’s Immediate Recommendations
If you’re running on-prem SharePoint (2016/2019/SE):
| Action | Description |
|---|---|
| 1. Patch Immediately | Apply KB5002768 (SE) or KB5002754 (2019) |
| 2. Rotate Machine Keys | Use Update-SPMachineKey PowerShell cmdlet + IIS restart |
| 3. Enable AMSI | Antimalware Scan Interface blocks unauthenticated exploit attempts |
| 4. Deploy Defender for Endpoint | Detects post-exploit activity and IIS web shell behavior |
| 5. Hunt for Indicators of Compromise | Look for spinstall0.aspx, PowerShell activity from w3wp.exe, or rogue ASP.NET payloads |
Bluefire Redteam has released a free, open-source detection and remediation toolkit for CVE-2025-53770.
Download the Toolkit on GitHub
This includes:
- Optional Linux hybrid scanner for reverse proxies
- A script to detect vulnerable SharePoint builds and IoCs
- An automated remediation script to enable AMSI and rotate MachineKeys
Detection Queries: Hunt for Indicators of Exploitation
Run the following sample queries in Microsoft 365 Defender to detect possible compromise:
DeviceFileEvents
| where FileName has "spinstall0"
DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
and ProcessCommandLine has_all ("cmd.exe", "powershell")Key Takeaways
- This is not just another patch cycle—it’s a case study in exploit evolution, where old patches are bypassed and cryptographic secrets are abused long after initial entry.
- Businesses that use on-premises SharePoint need to move quickly. The fact that cloud-based SharePoint (M365) is unaffected confirms the benefit of SaaS infrastructure in high-risk settings.
Real-World Warning from the Front Lines:
“Some compromised SharePoint servers were still using default machine key configurations from 2019,” said a senior IR analyst (who requested anonymity). “That’s like locking your door but leaving the keys under the mat. Attackers aren’t guessing anymore—they’re replaying old keys.
Final Thoughts from Bluefire Redteam
This incident highlights the significance of defense-in-depth. Patching is insufficient. You have to switch up the secrets. There must be endpoint visibility. Given how deeply ingrained SharePoint is in business ecosystems, gaining a foothold here could result in disastrous lateral attacks.
If you suspect compromise or want proactive defense:
👉 Contact Bluefire Redteam for a SharePoint Zero-Day Assessment or Incident Response Advisory.
Bluefire Redteam is a global offensive security firm trusted by high-growth companies and government agencies. Our team specializes in red teaming, threat simulation, and real-world exploit testing—ensuring our clients stay one step ahead of adversaries.
