If your organization uses on-premises Microsoft SharePoint Servers, drop everything and read this! Cybersecurity researchers, including Eye Security and Trend Micro, are issuing an urgent warning: two new critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771, are being actively exploited in the wild. These aren’t just new flaws; they’re evolved forms of previously patched vulnerabilities, allowing attackers to achieve unauthenticated remote code execution (RCE).
In simpler terms: hackers are finding ways to sneak into your SharePoint servers without needing a password, and once inside, they can run their own malicious code. This is a severe threat that could lead to data theft, system compromise, and significant disruption. Understanding this evolving threat and taking immediate, proactive steps is vital for every organization.
The Evolution of a Threat: More Than Just a Simple Patch
These newly exploited vulnerabilities (CVE-2025-53770 and CVE-2025-53771) are particularly insidious because they build upon earlier SharePoint flaws (CVE-2025-49706 and CVE-2025-49704). These initial vulnerabilities were publicly disclosed at Pwn2Own Berlin 2025 by Viettel Cyber Security as part of a chained attack and were patched by Microsoft during the July 2025 Patch Tuesday cycle.
However, cybersecurity experts discovered that those initial patches weren’t a complete fix. Attackers found new ways to exploit the underlying issues through advanced deserialization and ViewState abuse. This means the fixes for the initial problems weren’t comprehensive enough, necessitating the release of these two new CVEs. Microsoft acknowledged these issues and provided patches for SharePoint Subscription Edition and 2019 on July 19, with a patch for SharePoint 2016 still forthcoming.
This “patch incomplete” scenario isn’t new in cybersecurity and highlights why layered security and continuous monitoring are so crucial. Attackers relentlessly probe for weaknesses, even in supposedly “fixed” systems.
How The Attack Unfolds: A Sneak Peek Behind the Scenes
The attacks leveraging CVE-2025-53770 target a specific endpoint on SharePoint servers: /layouts/15/ToolPane.aspx. Here’s a simplified breakdown of the attack chain:
- Initial Access Bypass: Attackers send a specially crafted HTTP request to the
ToolPane.aspx endpoint, using a unique Referer header (/_layouts/SignOut.aspx). This trick allows them to bypass SharePoint’s authentication mechanisms.
- Malicious File Upload: Once they bypass authentication, they upload a hidden, malicious ASPX file (often named
spinstall0.aspx) to the server. This file’s purpose is to extract sensitive cryptographic secrets.
- Credential Theft: The uploaded file grabs the server’s
MachineKey configuration, specifically the ValidationKey. This key is like a master password, crucial for generating valid __VIEWSTATE payloads.
- Remote Code Execution (RCE): With the stolen
ValidationKey, attackers use tools (like ysoserial) to create valid, signed __VIEWSTATE objects. When SharePoint tries to process (deserialize) these objects, it unknowingly executes the attacker’s commands, granting them unauthenticated remote code execution (RCE). This allows them to take full control of the compromised server.
These attacks have been observed across multiple regions, including Asia, Europe, and the United States, targeting a wide range of industries such as finance, education, energy, and healthcare. This clearly shows a broad and indiscriminate targeting approach by the attackers.
Your Proactive Security Playbook: Don’t Wait, Act Now!
The active exploitation of these vulnerabilities means time is of the essence for organizations using on-premises SharePoint.
Critical Recommendations:
- APPLY PATCHES IMMEDIATELY: Ensure all your on-premises SharePoint Servers (Subscription Edition and 2019) have the latest security updates from Microsoft. If you’re on SharePoint 2016, keep a very close eye out for the forthcoming patch and apply it the moment it’s available. Remember: Office 365 and SharePoint Online users are NOT affected, as Microsoft handles those updates.
- Monitor for Malicious Files: Regularly check your SharePoint
LAYOUTS directory (specifically at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\) for any unauthorized ASPX files, especially spinstall0.aspx.
- Audit Configuration Changes: Inspect your SharePoint configuration files for any suspicious or unauthorized modifications.
- Review Server Logs: Scrutinize your server logs for anomalous access patterns, particularly those involving the
ToolPane.aspx endpoint and ViewState activity. Unusual traffic or requests could indicate an attempted or successful compromise.
- Strengthen Your Defenses:
- Implement strong endpoint detection and response (EDR) solutions to identify and block malicious activity.
- Utilize network segmentation to limit the impact of a potential breach.
- Ensure multi-factor authentication (MFA) is enabled for all administrative and user accounts.
- Educate your team about phishing and social engineering tactics, as these are often used in the initial stages of sophisticated attacks.
The constant cat-and-mouse game between attackers and defenders means proactive security is no longer optional—it’s essential. Stay vigilant, stay patched, and empower your security teams with the tools and intelligence they need to protect your digital assets.
Does your organization have a robust plan for responding to actively exploited vulnerabilities? How quickly can you deploy critical patches? Share your strategies in the comments below!
