Microsoft SharePoint Zero-Day Exploited in Remote Code Execution Attacks with No Patch Available

A critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, has been actively exploited since at least July 18th, with no patch available and at least 85 servers already compromised worldwide.

In May, Viettel Cyber Security researchers chained two Microsoft SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, in a 'ToolShell' attack demonstrated at Pwn2Own Berlin to achieve remote code execution.

While Microsoft patched both ToolShell flaws as part of the July Patch Tuesday, it is now warning that a variant of CVE-2025-49706, tracked as CVE-2025-53770, is being actively exploited in the wild.

'Microsoft is aware of active attacks targeting on-premises SharePoint Server customers,' warns Microsoft.

'The attacks are exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770.'

Microsoft states that the flaw does not impact Microsoft 365 and is working on a security update, which will be released as soon as possible.

To mitigate the flaw, Microsoft recommends that customers enable AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers.

Microsoft AMSI (Antimalware Scan Interface) is a security feature that allows applications and services to pass potentially malicious content to an installed antivirus solution for real-time scanning. It's commonly used to inspect scripts and code in memory, helping detect and block obfuscated or dynamic threats.

Microsoft says that enabling these mitigations will prevent unauthenticated attacks from exploiting the flaw.

The company notes that this feature is enabled by default since the September 2023 security updates for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.

If you cannot enable AMSI, Microsoft says that SharePoint servers should be disconnected from the internet until a security update is released.

To detect if a SharePoint server has been compromised, admins can check if the C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx exists.

Microsoft also shared the following Microsoft 365 Defender query that can be used to check for this file:

eviceFileEvents | where FolderPath has 'MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS' | where FileName =~ 'spinstall0.aspx' or FileName has 'spinstall0' | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256 | order by Timestamp desc

Further IOCs and technical information are shared below.

Exploited in RCE attacks

The Microsoft SharePoint zero-day attacks were first identified by Dutch cybersecurity firm Eye Security, which told BleepingComputer that over 29 organizations have already been compromised by the attacks.

Eye Security first observed attacks on July 18th after receiving an alert from one of their customers' EDR agents that a suspicious process tied to an uploaded malicious .aspx file was launched.

IIS logs showed that a POST request was made to _layouts/15/ToolPane.aspx with an HTTP referer of /_layouts/SignOut.aspx.

Upon investigation, it was determined that threat actors have weaponized the Pwn2Own ToolShell vulnerability soon after CODE WHITE GmbH replicated the exploit and Soroush Dalili shared further technical details about the web referer last week.

As part of the exploitation, attackers upload a file named 'spinstall0.aspx,' which is used to steal the Microsoft SharePoint server's MachineKey configuration, including the ValidationKey and DecryptionKey.

ViewState is used by ASP.NET, which powers SharePoint, to maintain the state of web controls between web requests. However, if it's not adequately protected or if the server's ValidationKey is exposed, the ViewState can be tampered with to inject malicious code that executes on the server when deserialized.

Eye Security CTO Piet​​​​ Kerkhofs told BleepingComputer that they have conducted scans of the internet for compromised servers and found 29 organizations impacted in the attacks.

Kerkhofs also told BleepingComputer that some firewall vendors are successfully blocking CVE-2025-49704 payloads attached to HTTP POST requests. However, Kerkhofs warned that if the attackers can bypass the signature, many more SharePoint servers will likely be hit.

The following IOCs were shared to help defenders determine if their SharePoint servers were compromised:

Exploitation from IP address 107.191.58.76 seen by Eye Security on July 18th

Exploitation from IP address 104.238.159.149 seen by Eye Security on July 19th.

Exploitation from IP address 96.9.125.147 seen by Palo Alto Networks.

Creation of C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx file.

IIS logs showing a POST request to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx and a HTTP referer of _layouts/SignOut.aspx.

If the presence of any of these IOCs is detected in IIS logs or the file system, administrators should assume their server has been compromised and immediately take it offline.

Further investigations should be conducted to determine if the threat actors spread further to other devices.

This is a developing story and will be updated as new information becomes available.

According to the source: BleepingComputer.