Critical security vulnerabilities in Microsoft SharePoint servers have been weaponized as part of an “active and massive” exploitation campaign.
The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), is described as a variant of CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in Microsoft SharePoint Server that the tech giant addressed as part of its July 2025 Patch Tuesday update.
“Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network,” Microsoft said in an advisory released on July 19, 2025.
The Windows maker also noted that it has prepared and fully tested a comprehensive update to resolve the issue. It credited Viettel Cyber Security with discovering and reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI).
In a separate alert issued Saturday, Redmond said it was aware of active attacks targeting on-premises SharePoint Server customers, but emphasized that SharePoint Online in Microsoft 365 is not affected.
Attackers exploiting this bug don’t just inject arbitrary code. They abuse how SharePoint deserializes untrusted objects, allowing them to run commands before authentication even occurs. Once inside, they use stolen machine keys to forge trusted payloads in order to persist or move laterally, activity that often blends in with legitimate SharePoint traffic.
In the absence of an official patch, Microsoft is recommending that customers configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender AV on all SharePoint servers.
AMSI integration is enabled by default starting with the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
For those who cannot enable AMSI, the company recommends disconnecting SharePoint servers from the internet until security updates are available. For additional protection, users are encouraged to deploy Defender for Endpoint to detect and block post-exploitation activity.
The disclosure comes as Eye Security and Palo Alto Networks Unit 42 warned of attacks chaining CVE-2025-49706 and CVE-2025-49704 (CVSS score: 8.8), a code injection flaw in SharePoint. The exploit chain has been dubbed ToolShell.
Given that CVE-2025-53770 is a “variant” of CVE-2025-49706, however, the attacks are suspected to be related.
Eye Security said the widespread attacks it identified leverage CVE-2025-49706 to deliver a remote code execution payload that exploits CVE-2025-49704. “Adding ‘_layouts/signout.aspx’ as the HTTP Referer was found to turn CVE-2025-49706 into CVE-2025-53770,” the company said.
It is worth noting that ZDI characterizes CVE-2025-49706 as an authentication bypass vulnerability stemming from the way the application handles the HTTP Referer header supplied to the ToolPane endpoint (“/_layouts/15/toolpane.aspx”).
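As an added defender-side example (not code from the article or from any of the vendors it cites), the following Python scans IIS W3C log lines for the request pattern described above: hits on the SharePoint ToolPane endpoint that carry a Referer pointing at _layouts/SignOut.aspx. The log field layout and the sample entries are constructed for illustration.

```python
"""Flag IIS W3C log entries that match the ToolPane/SignOut Referer pattern.
Sample log lines below are constructed, not taken from a real server."""
from dataclasses import dataclass

# Constructed IIS W3C log excerpt; field order is read from the #Fields line.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.20 Mozilla/5.0 https://sp.example.test/sites/hr 200
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:13:05 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.21 Mozilla/5.0 https://sp.example.test/_layouts/15/ToolPane.aspx 200
2025-07-19 03:14:10 10.0.0.5 GET /_layouts/15/toolpane.aspx - 203.0.113.7 curl/8.0 /_layouts/signout.aspx 401
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    method: str
    status: str


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def find_toolshell_hits(text):
    """Return requests to ToolPane.aspx whose Referer points at SignOut.aspx.
    Matching is case-insensitive because IIS preserves the client's casing."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        referer = rec.get("cs(Referer)", "").lower()
        if stem.endswith("/_layouts/15/toolpane.aspx") and "/_layouts/signout.aspx" in referer:
            hits.append(Hit(rec["time"], rec["c-ip"], rec["cs-method"], rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for h in find_toolshell_hits(SAMPLE_LOG):
        print(f"{h.time} {h.client_ip} {h.method} ToolPane.aspx status={h.status}")
```

A rejected request (status 401) is reported as well, since a failed attempt is still worth investigating.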
The malicious activity essentially involves delivering ASPX payloads via PowerShell, which are then used to steal the SharePoint Server’s MachineKey configuration, including the ValidationKey and DecryptionKey, and maintain persistent access.
The Dutch cybersecurity company said these keys are crucial for generating valid __ViewState payloads, effectively turning any authenticated SharePoint request into a remote code execution opportunity for anyone who holds them.
“We are still identifying a large number of exploit waves,” Eye Security CTO Piet Kerkhofs told Hacker News in a statement. “This has a huge impact, as they use this remote code execution at speed and move laterally.”
More than 85 SharePoint servers worldwide had been compromised with malicious web shells at the time of writing. The hacked servers belong to 29 organizations, including multinational corporations and government agencies.
It is worth noting that Microsoft has yet to update its advisories for CVE-2025-49706 and CVE-2025-49704 to reflect active exploitation. We have reached out to the company for further clarification and will update the story if we hear back.
(This is a developing story. Please check back for more details.)