Microsoft SharePoint Vulnerability
Microsoft SharePoint is once again under active attack, with two new zero-day vulnerabilities being exploited in the wild. Tracked as CVE-2025-53770 and CVE-2025-53771, these flaws have been used to compromise at least 85 on-premises SharePoint servers worldwide since 18 July, and there’s still no patch available for many affected versions.
The new flaws are particularly alarming because they bypass previous patches issued just weeks earlier. Back in May, cybersecurity researchers at Viettel demonstrated a successful remote code execution (RCE) attack at Pwn2Own Berlin using a chained exploit of CVE-2025-49704 and CVE-2025-49706. Microsoft patched those with its July Patch Tuesday update, but attackers have already developed new methods to sidestep those fixes.
According to a security blog posted by Microsoft, “these vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.” That’s cold comfort to enterprise IT teams still managing on-prem deployments.
The freshly identified CVE-2025-53770 and CVE-2025-53771 are, in essence, bypasses of the original ToolShell vulnerabilities patched earlier. While the flaws do not impact Microsoft 365 customers, the vast number of legacy SharePoint 2016 and 2019 deployments leaves many organisations exposed. Microsoft has so far released an update (KB5002768) for SharePoint Subscription Edition only. Security updates for the older editions are still in the works.
Microsoft acknowledged that these newer updates “include more robust protections” than the earlier patches, and is urging admins not to delay applying them once available. In the meantime, mitigations are available for organisations that can’t patch immediately.
For administrators unable to install a patch, Microsoft recommends enabling AMSI (Antimalware Scan Interface) integration within SharePoint, installing Microsoft Defender AV, and rotating ASP.NET machine keys. The AMSI feature allows scripts and in-memory code to be scanned in real time by antivirus software and has been enabled by default in SharePoint Server versions released since September 2023.
Rotating machine keys can also help prevent attackers from using stolen credentials to exploit compromised servers. Admins can rotate these either via PowerShell using the Update-SPMachineKey cmdlet or through SharePoint’s Central Administration interface by running the “Machine Key Rotation” job and then restarting IIS across all servers.
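The PowerShell route described above, written out as an added example (this is not Microsoft's script, nor a verbatim copy of its guidance). It rotates the key for every web application in the farm, including Central Administration, and then restarts IIS locally if every rotation succeeded. It assumes the Update-SPMachineKey cmdlet accepts a -WebApplication argument as documented, and that it is run from an elevated SharePoint Management Shell on a farm server; the iisreset step still has to be repeated on each server the script lists.

```powershell
# Added example: rotate ASP.NET machine keys for all SharePoint web
# applications, then restart IIS. Assumes Update-SPMachineKey takes
# -WebApplication (as documented) and that this runs elevated on a farm
# server. Not taken from the article or from Microsoft's own scripts.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Rotate per web application and record the outcome rather than stopping
# at the first failure, so a partial rotation is visible afterwards.
$results = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $webApp
        [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Every SharePoint server in the farm needs an IIS restart after rotation.
# List them so the operator can repeat the restart on each one.
$farmServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | Select-Object -ExpandProperty Address
Write-Output "Restart IIS on every farm server: $($farmServers -join ', ')"

if ($results.Rotated -notcontains $false) {
    iisreset.exe
} else {
    Write-Warning 'Key rotation failed for at least one web application; resolve the errors above before restarting IIS.'
}
```

Checking that no rotation failed before restarting IIS matters: a web application left with the old key remains in the state the rotation was meant to remove, and restarting blindly would hide that.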
Microsoft also strongly advises disconnecting unprotected servers from the internet until an official patch becomes available.
To help organisations identify whether their servers have already been compromised, Microsoft has provided guidance on what to look for. One clear sign of a breach is the presence of the file spinstall0.aspx in the SharePoint layouts directory.
Admins can also use Microsoft 365 Defender with a specific query shared by Microsoft on their blog post to check for evidence of the malicious file being created or accessed. This approach is essential for forensic investigation and ongoing monitoring until the threat is fully mitigated.
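For servers without Microsoft 365 Defender coverage, the same two questions the article raises (is the file present, and has it been requested) can be answered locally. The following is an added example, not from the article or from Microsoft's guidance. It checks the default SharePoint LAYOUTS directory for spinstall0.aspx and reports timestamps and a SHA-256 hash for triage, then parses IIS W3C logs for requests to that file name, reading the column layout from each log's #Fields: header instead of assuming a fixed order. The hive path and the IIS log root are the product defaults and are assumptions here; adjust them if your installation differs.

```powershell
# Added example (not from the article or Microsoft): check for the
# spinstall0.aspx indicator on disk and in IIS logs. Paths are the
# SharePoint 2016/2019/SE hive default and the IIS log default (assumed).

$indicator  = 'spinstall0.aspx'
$layoutsDir = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$iisLogRoot = 'C:\inetpub\logs\LogFiles'

# 1. File presence. Report rather than delete: the file is evidence.
$hits = Get-ChildItem -Path $layoutsDir -Filter $indicator -Recurse -File -ErrorAction SilentlyContinue
if ($hits) {
    foreach ($f in $hits) {
        [pscustomobject]@{
            Path     = $f.FullName
            Created  = $f.CreationTimeUtc
            Modified = $f.LastWriteTimeUtc
            SHA256   = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }
    Write-Warning "Indicator present: treat this server as compromised and preserve $indicator for forensics."
} else {
    Write-Output "No $indicator found under $layoutsDir"
}

# 2. Access evidence. IIS W3C logs name their columns in a '#Fields:' line,
#    so map values by header instead of hard-coding column positions.
function Get-IisHitsForIndicator {
    param([string]$LogRoot, [string]$Indicator)
    foreach ($log in Get-ChildItem -Path $LogRoot -Filter '*.log' -Recurse -File -ErrorAction SilentlyContinue) {
        $fields = @()
        foreach ($line in [System.IO.File]::ReadLines($log.FullName)) {
            if ($line.StartsWith('#Fields:')) {
                $fields = $line.Substring(8).Trim() -split ' '
                continue
            }
            # Skip other directives and any line that does not mention the indicator.
            if ($line.StartsWith('#') -or $line.IndexOf($Indicator, [StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }
            $values = $line -split ' '
            $row = [ordered]@{ LogFile = $log.Name }
            for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $row[$fields[$i]] = $values[$i] }
            [pscustomobject]$row
        }
    }
}

Get-IisHitsForIndicator -LogRoot $iisLogRoot -Indicator $indicator |
    Select-Object LogFile, date, time, 'c-ip', 'cs-method', 'cs-uri-stem', 'sc-status' |
    Format-Table -AutoSize
```

A request for the file that returned a 200 status is a stronger signal than the file's presence alone, because it shows the dropped page was actually served; requests that returned 404 before the file's creation time can show when the activity started.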
UPDATE: Microsoft has released security patches for two of the affected SharePoint releases. More details are on the blog post.