Microsoft Security Alert: Server Attack Targets Businesses and Government Systems

Microsoft Security Alert

Microsoft issued a security alert in the wake of large-scale cyber attacks targeting SharePoint servers used by government agencies and businesses around the world. The zero-day vulnerability, tracked as CVE-2025-53770 with a CVSS score of 9.8, has already been used to compromise over 85 servers across 54 different organizations, making it by far the most serious security issue of 2025.


Critical Zero-Day Vulnerability Under Active Exploitation

Microsoft has issued a Security Alert for CVE-2025-53770, also known as “ToolShell”, which affects on-premises SharePoint Server 2016, 2019 and Subscription Edition. The vulnerability is remotely exploitable, requires no authentication, and yields code execution, so it bypasses protections that would otherwise apply, such as Multi-Factor Authentication (MFA) and Single Sign-On (SSO).

On July 19, 2025 Microsoft reported that it is aware of active attacks against on-premises SharePoint Server customers running vulnerable systems, which the July Security Update only partially addressed. Microsoft also stated that SharePoint Online in Microsoft 365 is not affected.

The root cause is deserialization of untrusted data in on-premises SharePoint servers, which allows attackers to run arbitrary code over the network. On July 18, 2025, security researchers at Eye Security reported the attack, which they had identified through customer EDR alerts.


Scope and Reach of the Security Breach

Microsoft’s alert and Eye Security’s report both show the scale of this attack: attackers breached organizations across many sectors and regions. Reported victims include:

Government and Public Sector:

  • Two unnamed U.S. federal agencies
  • State government agencies that suffered breaches of public records
  • Florida state agency systems
  • Government entities in Europe, including Spain
  • Arizona state and tribal government systems

Education and Private Industries:

  • Universities in California and Brazil
  • Numerous U.S. schools and educational institutions
  • Financial technology companies in New York
  • Energy firms and private operators in California
  • Asian telecommunications companies
  • Large multinational corporations

The global reach of this issue spans the U.S., Germany, France, Australia, the Netherlands, Switzerland, Sweden, Canada, and many organizations in Asia and the Middle East.


Technical Analysis of the Attack Vector

Microsoft’s Security Alert describes the multi-stage structure of the ToolShell attack chain. CVE-2025-53770 is a variant of CVE-2025-49706, which Microsoft attempted to fix in the July 2025 security updates. The threat actors bypassed those initial patches, which is why new CVE identifiers were assigned.

The attack proceeds through a series of key stages:

Initial Exploitation: Attackers target internet-exposed SharePoint servers, sending crafted POST requests containing malicious payloads to the layouts/15/ToolPane.aspx endpoint. Triggering the deserialization vulnerability gives them initial code execution.

Payload Deployment: Once inside, attackers drop a malicious ASPX file named “spinstall0.aspx” into the SharePoint layouts directory. This web shell is a persistent backdoor that gives the attackers continued access to the compromised server.

Cryptographic Key Theft: The attackers steal SharePoint’s MachineKey configuration, including the ValidationKey and DecryptionKey. With these cryptographic keys in hand they can create forged ViewState tokens, which gives them persistent remote code execution.

Persistent Access: Using offline tools such as ysoserial, attackers produce what appear to be legitimately signed SharePoint tokens, which the server accepts as valid input. This enables full, unauthenticated command execution.


Industry Response and Detection Efforts

The Microsoft Security Alert prompted fast reactions from the global cybersecurity community. On July 20, 2025 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, giving federal agencies an urgent call to action to put protective measures in place.

CISA learned of the issue through a trusted partner and reported it to Microsoft right away. Microsoft is responding quickly, and CISA is working with them to get information, including recommended mitigations, out to affected parties.

The FBI reports that it is aware of the attacks and is working with federal and private-sector partners to address the issue. International cybersecurity agencies in Canada and Australia also issued their own warnings to organizations about the vulnerability.

Major security vendors have confirmed active exploitation. Palo Alto Networks’ Unit 42 team confirmed exploitation of the vulnerability chain, while Google Threat Intelligence Group observed threat actors deploying web shells and exfiltrating cryptographic secrets from victim servers. This intelligence sharing has been key to determining the scope of the attack and developing countermeasures.


Indicators of Compromise and Detection Methods

File-based indicators include the web shell (referred to above as spinstall0.aspx) dropped at the following path:

C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.asmx

Network-based indicators include:

  • Exploitation attempts from IP addresses 107.191.58.76, 104.238.159.149, and 96.9.125.147
  • POST requests to layouts/15/ToolPane.aspx?DisplayMode=Edit with suspicious referrers
  • Unusual PowerShell activity originating from SharePoint worker processes

Microsoft has published hunting queries for Microsoft 365 Defender that are effective at identifying possible breaches. Any match warrants immediate investigation, as these indicators are a strong sign of a successful attack.


Mitigation Strategies and Protective Measures

Alongside the Security Alert, Microsoft has put a series of important mitigation steps into action while it works on a complete security update.

The primary protection is the Antimalware Scan Interface (AMSI) integration in SharePoint Server, which has been enabled by default since the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.

Organizations should immediately:

  • Enable AMSI and deploy Microsoft Defender Antivirus: Defender Antivirus on all SharePoint servers provides real-time protection against malicious payloads, and the AMSI integration lets SharePoint inspect potentially malicious content before it is executed, forming an important defense layer.
  • Apply Available Security Updates: Microsoft has released a security update (KB5002768) for SharePoint Subscription Edition and is working on patches for SharePoint 2019 and 2016. Affected organizations should apply these updates as soon as they become available.
  • Network Isolation: Organizations that cannot enable AMSI protection should disconnect their SharePoint servers from the Internet until security updates are released. This prevents external attackers from exploiting the vulnerability while keeping internal functions running.

Microsoft Defender for Endpoint can detect and respond to post-exploitation activity, and its advanced threat hunting features surface the tell-tale signs of the ToolShell attack chain.


Long-Term Security Implications

This Microsoft Security Alert brings to light wider issues in enterprise collaboration security. Because the ToolShell attack steals cryptographic keys, applying patches alone may not fully remediate affected systems. Organizations are therefore advised to rotate the SharePoint Server ASP.NET machine keys in order to break the attackers’ persistent access via the stolen key material.
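The reason patching is not enough is easiest to see in code. The following Python model is an added example, not Microsoft’s or ASP.NET’s implementation: it reduces ViewState protection to its essence, an HMAC over the state computed with the ValidationKey from the MachineKey configuration (the real ASP.NET framing, algorithm choices and the DecryptionKey are omitted, so treat the format as an assumption). It shows that a token signed with a copied key is still accepted after the deserialization bug is fixed, and stops being accepted only once the key is rotated, which is the cryptographic key theft stage described above and the remediation this section recommends.

```python
"""Why stolen MachineKey material survives patching, and why key rotation fixes it.

Added example with a simplified model (assumption): a token is
base64(state || HMAC-SHA256(validation_key, state)). Real ASP.NET ViewState
uses a different framing; the key-rotation lesson is the same.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size


def sign_state(validation_key: bytes, state: bytes) -> str:
    """What the server does when it emits ViewState: append a MAC under its key."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def verify_state(validation_key: bytes, token: str) -> Optional[bytes]:
    """Return the state if the MAC is valid under validation_key, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) <= MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return state


class MachineKeyStore:
    """Stands in for the machineKey element; rotate() models Microsoft's advice."""

    def __init__(self) -> None:
        self.validation_key = secrets.token_bytes(64)

    def rotate(self) -> bytes:
        self.validation_key = secrets.token_bytes(64)
        return self.validation_key


def simulate_theft_patch_rotation():
    """Return (accepted_after_patch, accepted_after_rotation) for a token made with a stolen key."""
    server = MachineKeyStore()
    stolen_key = server.validation_key          # key copied during the breach
    # Patching the deserialization flaw changes nothing about the key, so a token
    # signed with the copied key is indistinguishable from one the server made.
    token = sign_state(stolen_key, b"state chosen by the attacker")
    accepted_after_patch = verify_state(server.validation_key, token) is not None
    server.rotate()                              # the recommended remediation
    accepted_after_rotation = verify_state(server.validation_key, token) is not None
    return accepted_after_patch, accepted_after_rotation


if __name__ == "__main__":
    after_patch, after_rotation = simulate_theft_patch_rotation()
    print(f"accepted after patch only: {after_patch}")       # True
    print(f"accepted after key rotation: {after_rotation}")  # False
```

Rotation must be followed by a restart of the SharePoint web application so every server in the farm loads the new keys; until then, a server still running with the old ValidationKey keeps accepting tokens signed with the stolen copy.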

The issue also shows the growing complexity of supply chain attacks that now target large-scale enterprise software. SharePoint’s role in Microsoft’s wider ecosystem, which includes Office, Teams, OneDrive, and Outlook, means that a successful breach may affect many of an organization’s systems.

Security experts describe this as a large step up in threat actor capability. Pwn2Own Berlin shows the speed at which proof-of-concept exploits are turned into wide-scale attack campaigns.


Conclusion and Future Outlook

Microsoft’s reporting on CVE-2025-53770 marks a turning point in enterprise security. Over 85 servers have fallen to this attack, affecting 54 different organizations around the world. This is a call to action for more proactive security measures and faster patch deployment.

Organizations should note that modern zero-day attacks can reach large scale within hours of initial exploitation. The ToolShell campaign’s success in penetrating government agencies, universities, and private corporations across multiple continents shows the global impact that advanced threat actors can achieve.

While Microsoft is in the midst of a wide-scale security update push, organizations must balance operational requirements against security risk. The recommendation to take Internet-facing SharePoint servers offline is a large ask, but it may be required to prevent further breaches until more permanent solutions are in place.

This Microsoft Security Alert is a reminder that cybersecurity is a continuous process requiring constant vigilance, rapid response, and full-scale defense strategies that go beyond traditional patching to include threat hunting, incident response and cryptographic key management.


Source: Reuters and other web articles
