A critical zero-day vulnerability in Microsoft SharePoint software has been used to breach nearly 100 on-premises servers worldwide, security researchers report. The flaw, tracked as CVE-2025-53770, allows attackers to execute code on vulnerable servers without authentication and extract cryptographic keys that grant persistent access.

Discovery and scope of the attack
Eye Security first detected the exploit on July 18, 2025, when a client's intrusion-detection system flagged a suspicious .aspx upload on a SharePoint 2019 server. A joint scan with the Shadowserver Foundation revealed close to 100 compromised servers in the United States, Germany, and other countries. Many victims were government agencies, though private-sector firms in energy, finance, healthcare, and industry also appeared on the list.
How the exploit works
The attack chain builds on two proof-of-concept bugs demonstrated at the Pwn2Own contest in May: CVE-2025-49706 and CVE-2025-49704. The attackers send a crafted POST request to the ToolPane.aspx endpoint carrying a spoofed Referer header of /SignOut.aspx. This bypasses authentication and plants a malicious web shell named spinstall0.aspx. The shell then executes code under the web server process and steals the ASP.NET machine keys, which can decrypt and forge authentication tokens and remain valid after reboots or patching.
Dangers of stolen keys
After obtaining the machine keys, an attacker can forge valid session tokens for any user or service. They can then move laterally to connected services such as Outlook, Teams, and OneDrive, or plant backdoors for long-term espionage. Applying the patch alone does not invalidate stolen keys, so compromised servers remain exposed unless operators rotate their cryptographic keys and perform a complete forensic review.
Microsoft response and patch status
Microsoft released security updates for SharePoint Server 2019 and SharePoint Subscription Edition on July 19, 2025, and is finalizing a fix for SharePoint 2016. The company advises immediate installation of these patches. Administrators must also rotate ASP.NET machine keys after patching to block any token‑based persistence by threat actors.

Mitigation recommendations
Until patches are applied, organizations should isolate on-premises SharePoint servers from the internet and monitor IIS logs for suspicious requests to /ToolPane.aspx or unusual Referer headers. Shadowserver and CISA recommend assuming compromise and performing a thorough incident response, including key rotation, token invalidation, and a review of connected Active Directory credentials.
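A defender-side illustration of the IIS log monitoring recommended above, added here as an example and not code from Eye Security, Shadowserver, CISA, or Microsoft: a small Python scanner over constructed IIS W3C log lines that flags the request pattern the article describes (a POST to ToolPane.aspx whose Referer names /SignOut.aspx) and any request for the spinstall0.aspx web shell name. The sample log lines, IP addresses, hostnames, and the /_layouts/15/ path prefix are constructed for the example; matching is on the ToolPane.aspx and spinstall0.aspx file names the article gives, so it generalizes to whatever virtual directory a site uses.

```python
"""Scan IIS W3C log lines for indicators of the SharePoint ToolPane.aspx exploit chain.

Example code, not from any vendor or researcher named in the article. Column names
follow the IIS W3C '#Fields:' header, so the parser adapts to whichever fields a
server actually logs, as long as cs-method, cs-uri-stem, cs-username, c-ip and
cs(Referer) are among them.
"""
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample log (not real captured traffic). Hostnames and IPs are placeholders.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:01:02 10.0.0.5 GET /sites/team/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0 https://sp.example.internal/ 200
2025-07-18 10:02:13 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 python-requests/2.31 https://sp.example.internal/_layouts/SignOut.aspx 200
2025-07-18 10:02:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200
2025-07-18 10:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\\bob 10.0.0.33 Mozilla/5.0 https://sp.example.internal/sites/team/default.aspx 200
"""


@dataclass
class Finding:
    line_no: int    # 1-based line number within the log text
    severity: str   # "high", "medium" or "low"
    reason: str
    client_ip: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, entry) for each data line, naming columns from the #Fields header."""
    fields: List[str] = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if not fields:
            raise ValueError("log entry seen before a #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than mis-assign columns
        yield n, dict(zip(fields, parts))


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return findings for requests matching the ToolPane.aspx / spinstall0.aspx indicators."""
    findings: List[Finding] = []
    for n, e in parse_w3c(lines):
        method = e.get("cs-method", "").upper()
        stem = e.get("cs-uri-stem", "").lower()
        referer = e.get("cs(Referer)", "-").lower()
        user = e.get("cs-username", "-")
        ip = e.get("c-ip", "-")
        if stem.endswith("/spinstall0.aspx"):
            # Any hit on the web shell file name is worth an immediate look.
            findings.append(Finding(n, "high", "request for spinstall0.aspx web shell name", ip))
        elif stem.endswith("/toolpane.aspx") and method == "POST":
            if "/signout.aspx" in referer:
                # The spoofed-Referer authentication bypass described in the article.
                findings.append(Finding(n, "high", "POST to ToolPane.aspx with /SignOut.aspx Referer", ip))
            elif user == "-":
                findings.append(Finding(n, "medium", "unauthenticated POST to ToolPane.aspx", ip))
            else:
                findings.append(Finding(n, "low", "authenticated POST to ToolPane.aspx; confirm it was a legitimate page edit", ip))
    return findings


def scan_text(text: str) -> List[Finding]:
    """Convenience wrapper for scanning a log held in memory."""
    return scan(text.splitlines())


if __name__ == "__main__":
    # Usage: python scan_iis.py <logfile>...   (no arguments scans the constructed sample)
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for f in scan(fh):
                    print(f"{path}:{f.line_no} [{f.severity}] {f.reason} from {f.client_ip}")
    else:
        for f in scan_text(SAMPLE_LOG):
            print(f"line {f.line_no} [{f.severity}] {f.reason} from {f.client_ip}")
```

Run against the constructed sample, the scanner reports the spoofed-Referer POST and the follow-on request for spinstall0.aspx as high, and the authenticated edit-mode POST as low, which is the triage distinction an analyst needs when ToolPane.aspx also sees legitimate traffic. Because the article notes that patching does not revoke stolen keys, an empty result from this scan is not evidence of a clean server; it only narrows where to look before the key rotation and forensic review the guidance calls for.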
This widespread intrusion highlights the importance of rapid patch management and the need to verify that updates truly remove attacker access. By following vendor guidance and taking extra steps to secure machine keys, enterprises can reduce the risk of continuing espionage on critical collaboration infrastructure.