SharePoint RCE Zero-Day Attack: Critical Vulnerability Exploited in Live Attacks

A critical SharePoint RCE zero-day vulnerability (CVE-2025-53770/53771) is being actively exploited on on-premises servers.

Microsoft’s on-premises SharePoint servers came under a critical zero-day attack in July 2025, when security researchers uncovered new flaws that were being actively exploited with no patch available. The two zero-day bugs (CVE-2025-53770 and CVE-2025-53771) allow unauthenticated attackers to achieve remote code execution (RCE) on vulnerable servers. By the time the threat was made public, analysts had already identified at least 85 compromised SharePoint servers across 54 organizations worldwide. In response, Microsoft rushed out emergency security updates for on-prem SharePoint. This post explains the SharePoint RCE vulnerability and the “ToolShell” exploit chain, reviews the real-world impact so far, and outlines steps that organizations should take to defend themselves.

The SharePoint Zero-Day Vulnerabilities Explained

The newly discovered flaws are tied to a multi-bug exploit chain nicknamed “ToolShell.” In May 2025, researchers at Viettel Cyber Security demonstrated how two older SharePoint bugs (CVE-2025-49706 and CVE-2025-49704) could be chained to gain unauthenticated RCE via a single web request. Microsoft patched those issues in its July Patch Tuesday release, but attackers quickly developed bypasses. The new zero-days – CVE-2025-53770 (bypassing CVE-2025-49704) and CVE-2025-53771 (bypassing CVE-2025-49706) – effectively nullify the previous fixes. These vulnerabilities affect on-premises SharePoint Server (2016/2019 and Subscription Edition) – SharePoint Online (Microsoft 365) is not impacted.

Microsoft explicitly warned customers that “active attacks” were targeting on-prem SharePoint by exploiting gaps not covered by the July update. Because these are zero-day bugs (no patch existed at the time of discovery), attackers had a window of opportunity to run malicious code on vulnerable servers, steal data, install web shells, or move laterally within networks. Security teams immediately classified the situation as urgent.

How Attackers Exploit the SharePoint RCE Flaw

Attackers are using the ToolShell exploit chain to infiltrate SharePoint servers. In practice, the exploit works in one unauthenticated web request that abuses the bug chain. Researchers observed that hackers upload a malicious ASPX webshell (typically named spinstall0.aspx) to the SharePoint server’s file system. When executed, this webshell harvests the server’s ASP.NET machine keys (the ValidationKey and DecryptionKey) from memory or configuration.

Once the attackers have these cryptographic keys, they can forge valid ViewState payloads to execute arbitrary code. SharePoint (like other ASP.NET Web Forms applications) uses ViewState to maintain page and control state between requests. If an attacker knows the server’s ValidationKey, they can sign malicious ViewState data so that SharePoint will deserialize and execute it as if it were legitimate content. In short, the exploit allows complete remote takeover: the malicious ViewState payload runs on the server with system privileges, enabling full file and configuration access.
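To make the dependency on the ValidationKey concrete, here is a small added illustration (not code from this post, and not ASP.NET's real ViewState format, which has its own serialization and key-derivation rules). HMAC-SHA256 stands in for the machineKey validation algorithm: the server accepts any blob whose MAC checks under its current key, so a copy of that key is as good as the key itself, and rotating the key is what invalidates it. The function and key names are assumptions made for the example.

```python
"""Simplified model of ViewState integrity checking and key rotation.

Added illustration; not the post's code and not ASP.NET's actual ViewState
implementation. HMAC-SHA256 stands in for the machineKey validation algorithm.
"""
import base64
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_state(state: bytes, validation_key: bytes) -> str:
    """Server side: append an HMAC over the state and base64-encode, like __VIEWSTATE."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode()


def verify_state(blob: str, validation_key: bytes):
    """Server side: return the state only if its MAC verifies under the current key."""
    raw = base64.b64decode(blob)
    if len(raw) < MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(mac, expected) else None


def rotate_key() -> bytes:
    """Mitigation step: generate a fresh random ValidationKey."""
    return secrets.token_bytes(64)


def key_theft_scenario():
    """Walk through: honest state, a blob built with a leaked key, then rotation."""
    server_key = rotate_key()
    legit = sign_state(b"page-state", server_key)

    # Without the key, even a one-bit change to the MAC is rejected.
    raw = base64.b64decode(legit)
    tampered = base64.b64encode(raw[:-1] + bytes([raw[-1] ^ 0xFF])).decode()

    # Whoever holds a copy of the key produces blobs the server cannot tell apart.
    leaked_key = server_key
    from_leaked_key = sign_state(b"state-chosen-by-key-holder", leaked_key)

    before = {
        "legit": verify_state(legit, server_key) is not None,
        "tampered": verify_state(tampered, server_key) is not None,
        "from_leaked_key": verify_state(from_leaked_key, server_key) is not None,
    }

    # Rotation does not undo a breach, but the stolen key stops working immediately.
    server_key = rotate_key()
    after = {
        "legit": verify_state(legit, server_key) is not None,
        "from_leaked_key": verify_state(from_leaked_key, server_key) is not None,
    }
    return before, after


if __name__ == "__main__":
    before, after = key_theft_scenario()
    print("before rotation:", before)
    print("after rotation: ", after)
```

Note the side effect the last line shows: after rotation, previously issued legitimate ViewState is rejected too, so users with pages open at the time of rotation will see validation errors until they reload. That is expected and is the price of invalidating whatever the attacker copied.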

Dutch security firm Eye Security was the first to observe the live attacks on July 18, 2025. An alert from a customer’s EDR led them to discover a suspicious POST to /_layouts/15/ToolPane.aspx with a referer from /_layouts/SignOut.aspx. This pattern is consistent with the ToolShell exploit chain. Once they investigated, Eye Security confirmed the attackers had weaponized the previously demonstrated vulnerability. In one report, a researcher noted that the entire chain is “really just one request” once the exploit is known.

Organizations Affected and Real-World Impact

By mid-July, hundreds of organizations were scrambling. Eye Security’s scans of the internet revealed 85+ compromised SharePoint servers in about 54 organizations. These victims span multiple sectors and include major institutions. Reported examples include a private university in California, a California energy operator, a U.S. federal health agency, an AI technology firm, a fintech company in New York, and a state government office in Florida. In other words, the breach affected universities, critical infrastructure, finance, healthcare, and government bodies.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) immediately took notice. On July 20, CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, forcing federal agencies to patch within one day of Microsoft’s fixes. CISA’s advisory warned that the ToolShell-based exploit gives attackers “unauthenticated access” to SharePoint content and allows code execution on the network. The urgency reflects how dangerous zero-day RCE attacks can be: once in, bad actors can deploy ransomware, steal sensitive files, or pivot deeper into enterprise networks. So far, there have been no major public reports of follow-on ransomware or espionage, but organizations hit by the exploit are assumed to be at high risk.

Mitigation and Protection Measures

Microsoft and security agencies have outlined several steps to mitigate the threat. Key recommendations include:

  • Apply Emergency Patches: Install the latest SharePoint security updates immediately. Microsoft released emergency patches (KB5002754/KB5002753 for SharePoint 2019, KB5002760/KB5002759 for SharePoint 2016, and KB5002768 for SharePoint Subscription Edition) that fix both zero-day flaws. Even if systems appear unaffected, updating is critical because the vulnerabilities are weaponized in the wild.
  • Enable AMSI and Defender Antivirus: Turn on the Antimalware Scan Interface (AMSI) for SharePoint and ensure Microsoft Defender Antivirus is running on every SharePoint server. AMSI helps inspect scripts and code in memory in real time, blocking obfuscated payloads. Microsoft notes that with these defenses enabled (both are enabled by default in recent updates), the unauthenticated exploit attempts will be prevented.
  • Rotate SharePoint Machine Keys: After applying updates or enabling AMSI, rotate the server’s ASP.NET machine keys. This invalidates any keys that attackers may have stolen during a breach, ensuring they can no longer forge valid ViewState. (Microsoft provides PowerShell and Central Admin methods to trigger key rotation.)
  • Isolate Unpatched Servers: If for some reason you cannot immediately apply patches or enable AMSI, disconnect vulnerable SharePoint servers from public networks. CISA advises that any unprotected server facing the Internet should be taken offline until mitigations are in place.
  • Monitor for Indicators of Compromise: Check your IIS logs and file system for signs of the exploit. Look for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit... with a referer of /_layouts/SignOut.aspx, or the presence of a file named spinstall0.aspx under COMMON\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS. These are telltale signs of the ToolShell attack. Any such findings should be treated as an immediate compromise and the server taken offline for forensic analysis.
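The indicator hunt in the last bullet can be scripted. The following is an added example written for this post (not tooling from Microsoft, CISA or Eye Security): it parses IIS W3C logs using the `#Fields:` header, flags POSTs to `/_layouts/15/ToolPane.aspx` in edit mode whose Referer is the SignOut page, flags any request for `spinstall0.aspx`, and walks a directory for that file name. The log excerpt is constructed, the field set is assumed to be the IIS default, and a temporary directory stands in for the real LAYOUTS folder.

```python
"""Hunt for the ToolShell indicators named in this post in IIS W3C logs and on disk.

Added example; not code from the post, Microsoft, CISA or Eye Security.
Assumes the default IIS W3C field set (declared by the #Fields: header) and
uses a temporary directory in place of the real LAYOUTS folder.
"""
import os
import tempfile
from typing import Dict, Iterable, Iterator, List

# Indicators from the write-up: request pattern and dropped web shell name.
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
WEBSHELL_NAME = "spinstall0.aspx"

# Constructed sample log (not a real capture). IIS writes spaces inside
# User-Agent/Referer as '+', so every field is a single whitespace-free token.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:01:02 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 - 200
2025-07-18 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 https://sp.contoso.example/_layouts/SignOut.aspx 200
2025-07-18 10:01:10 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 10:02:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.1.21 Mozilla/5.0 https://sp.contoso.example/sites/hr/default.aspx 200
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields: header."""
    fields: List[str] = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#"):
            continue
        else:
            values = line.split(" ")
            if len(values) != len(fields):
                continue  # layout mismatch: skip rather than mis-assign columns
            yield dict(zip(fields, values))


def is_toolshell_request(rec: Dict[str, str]) -> bool:
    """ToolPane edit-mode POST arriving with the SignOut page as Referer."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    return (method == "POST" and stem == TOOLPANE_STEM
            and "displaymode=edit" in query and referer.endswith(SIGNOUT_REFERER))


def find_toolshell_requests(log_text: str) -> List[Dict[str, str]]:
    """All records matching the ToolShell request pattern."""
    return [r for r in parse_w3c(log_text.splitlines()) if is_toolshell_request(r)]


def find_webshell_requests(log_text: str) -> List[Dict[str, str]]:
    """Any request for spinstall0.aspx means the dropped shell was reached."""
    return [r for r in parse_w3c(log_text.splitlines())
            if r.get("cs-uri-stem", "").lower().endswith("/" + WEBSHELL_NAME)]


def find_webshell_files(layouts_dir: str) -> List[str]:
    """Walk a directory tree (the LAYOUTS folder in practice) for the shell file name."""
    hits: List[str] = []
    for root, _dirs, files in os.walk(layouts_dir):
        hits.extend(os.path.join(root, n) for n in files if n.lower() == WEBSHELL_NAME)
    return hits


def demo_filesystem_check() -> int:
    """Stand-in for scanning the real LAYOUTS folder: plant the name in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "default.aspx"), "w").close()
        open(os.path.join(tmp, "spinstall0.aspx"), "w").close()
        return len(find_webshell_files(tmp))


if __name__ == "__main__":
    for rec in find_toolshell_requests(SAMPLE_IIS_LOG):
        print("ToolShell request:", rec["date"], rec["time"], "from", rec["c-ip"])
    for rec in find_webshell_requests(SAMPLE_IIS_LOG):
        print("web shell request:", rec["cs-uri-stem"], "from", rec["c-ip"])
    print("web shell files found in sample tree:", demo_filesystem_check())
```

In the constructed log, only the 10:01:09 request is flagged as ToolShell: the later authenticated ToolPane POST has a normal Referer, which is why the check requires the full combination of method, path, edit mode and SignOut Referer rather than any one of them. Run it against real logs by passing the file contents to `find_toolshell_requests` and the actual LAYOUTS path to `find_webshell_files`; any hit is grounds to take the server offline for forensics, as the bullet above says.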

By following these steps, administrators can neutralize the ongoing SharePoint RCE threat. As CISA and Microsoft emphasize, prompt patching and layered defenses are the best response to zero-day attacks.
