A essential safety vulnerability in Microsoft SharePoint Server has been weaponized as a part of an “lively, large-scale” exploitation marketing campaign.
The zero-day flaw, tracked as CVE-2025-53770 (CVSS rating: 9.8), has been described as a variant of CVE-2025-49706 (CVSS rating: 6.3), a spoofing bug in Microsoft SharePoint Server that was addressed by the tech large as a part of its July 2025 Patch Tuesday updates.
“Deserialization of untrusted information in on-premises Microsoft SharePoint Server permits an unauthorized attacker to execute code over a community,” Microsoft stated in an advisory launched on July 19, 2025.
The Home windows maker additional famous that it is making ready and absolutely testing a complete replace to resolve the difficulty. It credited Viettel Cyber Safety for locating and reporting the flaw by means of Development Micro’s Zero Day Initiative (ZDI).
In a separate alert issued Saturday, Redmond stated it is conscious of lively assaults focusing on on-premises SharePoint Server clients, however emphasised that SharePoint On-line in Microsoft 365 shouldn’t be impacted.
Within the absence of an official patch, Microsoft is urging clients to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender AV on all SharePoint servers.
It is price noting that AMSI integration is enabled by default within the September 2023 safety replace for SharePoint Server 2016/2019 and the Model 23H2 function replace for SharePoint Server Subscription Version.
For many who can’t allow AMSI, it is suggested that the SharePoint Server is disconnected from the web till a safety replace is accessible. For added safety, customers are beneficial to deploy Defender for Endpoint to detect and block post-exploit exercise.
The disclosure comes as Eye Safety and Palo Alto Networks Unit 42 warned of assaults chaining CVE-2025-49706 and CVE-2025-49704 (CVSS rating: 8.8), a code injection flaw in SharePoint, to facilitate arbitrary command execution on prone situations. The exploit chain has been codenamed ToolShell.
However provided that CVE-2025-53770 is a “variant” of CVE-2025-49706, it is suspected that these assaults are associated.
Eye Safety stated the wide-scale assaults it recognized leverage CVE-2025-49706 to POST a distant code execution payload exploiting CVE-2025-49704. “We consider that the discovering that including “_layouts/SignOut.aspx” as HTTP referer, makes CVE-2025-49706 into CVE-2025-53770,” it stated.
It is price mentioning right here that the ZDI has characterised CVE-2025-49706 as an authentication bypass vulnerability that stems from how the appliance handles HTTP Referer header offered to the ToolPane endpoint (“/_layouts/15/ToolPane.aspx”).
The malicious exercise basically includes delivering ASPX payloads through PowerShell, which is then used to steal the SharePoint server’s MachineKey configuration, together with the ValidationKey and DecryptionKey, to take care of persistent entry.
The Dutch cybersecurity firm stated these keys are essential for producing legitimate __VIEWSTATE payloads, and that getting access to them successfully turns any authenticated SharePoint request right into a distant code execution alternative.
“We’re nonetheless figuring out mass exploit waves,” Eye Safety CTO Piet Kerkhofs instructed The Hacker Information in a press release. “This may have a huge effect as adversaries are laterally transferring utilizing this distant code execution with pace.”
Greater than 85 SharePoint servers globally have been recognized as compromised with the malicious internet shell as of writing. These hacked servers belong to 29 organizations, together with multinational companies and authorities entities.
It is price noting that Microsoft has but to replace its advisories for CVE-2025-49706 and CVE-2025-49704 to mirror lively exploitation. Now we have additionally reached out to the corporate for additional clarification, and we’ll replace the story if we hear again.
(The story is creating. Please examine again for extra particulars.)
