
Critical SharePoint Zero‑Day Exploit: CVE‑2025‑53770 Under Active Attack


On July 19, 2025, Microsoft disclosed a critical remote code execution vulnerability in SharePoint Server, tracked as CVE-2025-53770. This vulnerability allows unauthenticated attackers to execute code remotely by exploiting a flaw in how SharePoint deserializes untrusted data. It has received a CVSS score of 9.8, underscoring the severity of the threat.

This zero-day is already being actively exploited in the wild. Microsoft warns that attackers are targeting unpatched SharePoint servers to gain footholds in enterprise networks. It is crucial to note that SharePoint Online (Microsoft 365) is not affected by this vulnerability.

Microsoft’s detailed guidance and mitigation advice can be found in their official blog post: Customer Guidance for SharePoint Vulnerability CVE-2025-53770.

What’s at Risk

The vulnerability enables attackers to send a specially crafted web request to vulnerable SharePoint servers, triggering the deserialization of malicious objects. Once exploited, attackers can achieve:

  • Full remote code execution (RCE)
  • Deployment of web shells for persistent access
  • Theft of machine keys
  • Lateral movement within the target network

Microsoft, along with security firms such as Eye Security, has confirmed that the vulnerability is being exploited in the wild. An attacker group using an exploit chain known as “ToolShell” has already compromised over 75 servers in 29 organizations, including government and enterprise networks.

This attack chain often combines multiple vulnerabilities (CVE-2025-49706 and CVE-2025-49704) with CVE-2025-53770 to bypass defenses and maintain access.

Mitigation Guidance

As of now, there is no official patch. Microsoft has offered the following interim mitigations:

  1. Enable AMSI Integration: SharePoint servers (2016/2019 and SharePoint Subscription Edition 23H2+) should have AMSI integration enabled. This allows the built-in antivirus engine to scan and block malicious scripts during runtime.

  2. Install Microsoft Defender Antivirus: Make sure that Defender AV is installed and running on all SharePoint servers. Microsoft has released signatures under:

  3. Use Microsoft Defender for Endpoint: Defender for Endpoint can detect post-exploitation behaviors. Look for alerts like:

    • “Possible web shell installation”
    • “Suspicious IIS worker process behavior”

  4. Isolate Servers If Necessary: If AMSI cannot be enabled or antivirus protection cannot be verified, Microsoft recommends temporarily disconnecting vulnerable SharePoint servers from the internet.

More details on mitigation can be found in the Microsoft MSRC blog post.

How to Detect Exploitation

Look for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770. The following Defender for Endpoint advanced hunting query surfaces it:

DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx"
or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc

Additionally, review IIS logs for POST requests to the following endpoint:

/_layouts/15/ToolPane.aspx

If the request includes a Referer header pointing to:

/_layouts/SignOut.aspx

this could indicate attempted exploitation.
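The IIS log review described above can be scripted. The Python below is an added example, not code from Microsoft, Eye Security, or this post; it assumes the default IIS W3C extended log field names (cs-method, cs-uri-stem, cs(Referer), c-ip), reads the #Fields header so column order does not matter, and flags POST requests to /_layouts/15/ToolPane.aspx, rating them higher when the Referer points at /_layouts/SignOut.aspx. It also goes one step beyond the text by flagging any request whose path contains spinstall0, since a web shell dropped under LAYOUTS would be reached over HTTP. The log lines are constructed for the demonstration.

```python
"""Scan IIS W3C extended logs for the CVE-2025-53770 request indicators named in the post.

Added example (not Microsoft's, Eye Security's, or this blog's code). Assumes the
default IIS W3C field names; the sample log excerpt below is constructed, not real traffic.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"   # endpoint the post says to review POSTs to
SIGNOUT_REFERER = "/_layouts/signout.aspx"     # Referer value the post associates with attempts
WEBSHELL_MARKER = "spinstall0"                 # file name the post ties to post-exploitation

# Constructed sample excerpt in the default IIS W3C layout (15 fields per row).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 08:15:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.77 Mozilla/5.0 https://sp.example.test/sites/hr 200 0 0 120
2025-07-19 08:16:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 350
2025-07-19 08:17:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 DOMAIN\\bob 10.0.0.80 Mozilla/5.0 https://sp.example.test/sites/hr/SitePages/Home.aspx 200 0 0 90
2025-07-19 08:18:55 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 - 198.51.100.4 curl/8.0 - 401 0 0 15
2025-07-19 08:20:31 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 40
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    method: str
    uri: str
    referer: str
    level: str   # "high" or "review"
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per data row, keyed by the names in the most recent #Fields header."""
    fields: Optional[list[str]] = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no data
        if fields is None:
            continue                      # rows before a #Fields header cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def scan_iis_log(lines: Iterable[str]) -> list[Finding]:
    """Return findings for the ToolPane.aspx / SignOut.aspx pattern and spinstall0 requests."""
    findings: list[Finding] = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "-").upper()
        stem = rec.get("cs-uri-stem", "-")
        referer = rec.get("cs(Referer)", "-")
        stamp = f"{rec.get('date', '-')} {rec.get('time', '-')}"
        client = rec.get("c-ip", "-")
        if WEBSHELL_MARKER in stem.lower():
            findings.append(Finding(stamp, client, method, stem, referer, "high",
                                    "request to spinstall0 web shell path"))
        elif method == "POST" and stem.lower().endswith(TOOLPANE_PATH):
            if SIGNOUT_REFERER in referer.lower():
                findings.append(Finding(stamp, client, method, stem, referer, "high",
                                        "POST to ToolPane.aspx with SignOut.aspx Referer"))
            else:
                findings.append(Finding(stamp, client, method, stem, referer, "review",
                                        "POST to ToolPane.aspx (check Referer and source)"))
    return findings


if __name__ == "__main__":
    # Swap SAMPLE_LOG.splitlines() for open(r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex250719.log")
    for f in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(f"[{f.level.upper():6}] {f.timestamp} {f.client_ip} {f.method} {f.uri} "
              f"referer={f.referer} :: {f.reason}")
```

A legitimate editor POST to ToolPane.aspx from an internal user with a normal Referer is reported at the "review" level rather than suppressed, because the post only says the Referer makes exploitation more likely, not that its absence rules it out; triage the "review" rows by source address and user account.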

For more detailed analysis, Eye Security has published an excellent deep dive: SharePoint Under Siege.


Implications for MSPs and MSSPs

Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) must take proactive measures to assess their clients’ SharePoint environments. Since many organizations still maintain hybrid or on-prem infrastructure, you may be the first and only line of defense against exploitation.

Key responsibilities include:

  • Identifying vulnerable assets across all managed clients
  • Verifying mitigation measures are in place
  • Implementing detection queries for threat hunting
  • Deploying emergency security policies

In many cases, you may also need to coordinate with internal or external IR teams to respond to active breaches.

This incident reinforces the importance of continuous monitoring, vulnerability management, and layered defense in hybrid Microsoft environments.

What You Should Do Now

Step  Action
1     Confirm if you're using on-premises SharePoint Server
2     Enable AMSI, install Defender Antivirus, and ensure Defender for Endpoint is running
3     Run threat-hunting queries and inspect IIS logs for anomalies
4     If protection isn't possible, disconnect from internet until patched
5     Stay informed through the MSRC blog and security feeds

Call to Action

If you manage multiple tenants or hybrid Microsoft 365 environments, streamline detection, monitoring, and remediation using Optimize365.io — the secure, centralized solution trusted by MSPs and MSSPs.
