A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an “active, large-scale” exploitation campaign.
The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates.
“Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network,” Microsoft said in an advisory released on July 19, 2025.
The Windows maker further noted that it’s preparing and fully testing a comprehensive update to resolve the issue. It credited Viettel Cyber Security for discovering and reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI).
In a separate alert issued Saturday, Redmond said it’s aware of active attacks targeting on-premises SharePoint Server customers, but emphasized that SharePoint Online in Microsoft 365 is not impacted.
In the absence of an official patch, Microsoft is urging customers to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender AV on all SharePoint servers.
It’s worth noting that AMSI integration is enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
For those who cannot enable AMSI, it’s advised that the SharePoint Server is disconnected from the internet until a security update is available. For added protection, users are recommended to deploy Defender for Endpoint to detect and block post-exploit activity.
The disclosure comes as Eye Security and Palo Alto Networks Unit 42 warned of attacks chaining CVE-2025-49706 and CVE-2025-49704 (CVSS score: 8.8), a code injection flaw in SharePoint, to facilitate arbitrary command execution on susceptible instances. The exploit chain has been codenamed ToolShell.
But given that CVE-2025-53770 is a “variant” of CVE-2025-49706, it’s suspected that these attacks are related.
Eye Security said the wide-scale attacks it identified leverage CVE-2025-49706 to POST a remote code execution payload exploiting CVE-2025-49704. “We believe that the finding that adding “_layouts/SignOut.aspx” as HTTP referer, makes CVE-2025-49706 into CVE-2025-53770,” it said.
It’s worth mentioning here that the ZDI has characterized CVE-2025-49706 as an authentication bypass vulnerability that stems from how the application handles HTTP Referer header provided to the ToolPane endpoint (“/_layouts/15/ToolPane.aspx”).
The malicious activity essentially involves delivering ASPX payloads via PowerShell, which is then used to steal the SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey, to maintain persistent access.
The Dutch cybersecurity company said these keys are crucial for generating valid __VIEWSTATE payloads, and that gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity.
“We are still identifying mass exploit waves,” Eye Security CTO Piet Kerkhofs told The Hacker News in a statement. “This will have a huge impact as adversaries are laterally moving using this remote code execution with speed.”
More than 85 SharePoint servers globally have been identified as compromised with the malicious web shell as of writing. These hacked servers belong to 29 organizations, including multinational firms and government entities.
It’s worth noting that Microsoft has yet to update its advisories for CVE-2025-49706 and CVE-2025-49704 to reflect active exploitation. We have also reached out to the company for further clarification, and we will update the story if we hear back.
(The story is developing. Please check back for more details.)
