Mass Exploitation of Microsoft SharePoint Zero-Days
Microsoft has confirmed the active exploitation of two vulnerabilities in SharePoint Server: CVE-2025-53770 and CVE-2025-53771. CVE-2025-53770 is a deserialization vulnerability that enables remote code execution without authentication, allowing an attacker to execute arbitrary code over a network. NIST describes it as “Deserialization of untrusted data in on-premises Microsoft SharePoint Server.” The related CVE-2025-53771 is a path traversal flaw that permits an authorized attacker to perform spoofing. Microsoft and security firms including Eye Security and Rapid7 report exploitation began on July 18, with Eye Security observing compromises across dozens of SharePoint servers during two major waves of attack on July 18 and July 19. These zero-day exploits bypass earlier protections and have triggered Microsoft to release emergency out-of-band patches for affected SharePoint Server versions.
The exploitation chain starts with a crafted HTTP POST request to "/_layouts/15/ToolPane.aspx?DisplayMode=Edit", with the Referer header spoofed to make the request appear to originate from "/_layouts/SignOut.aspx", even though no authenticated session is established. The request results in the creation of a malicious ASPX file, "spinstall0.aspx", written to the path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\". According to Eye Security and Rapid7, the IIS worker process ("w3wp.exe") spawns a "cmd.exe" instance, which then executes a base64-encoded PowerShell command. This payload extracts cryptographic secrets from the server, specifically the SharePoint ValidationKey and DecryptionKey, enabling attackers to forge authenticated "__VIEWSTATE" tokens and execute arbitrary commands via deserialization, achieving full remote code execution.
Indicators of compromise include the presence of the "spinstall0.aspx" file and corresponding IIS logs showing POST requests to the ToolPane path with "SignOut.aspx" as the referer. Rapid7 reports that this process behavior, "w3wp.exe" spawning "cmd.exe" and "powershell.exe -EncodedCommand", is anomalous and should be treated as a strong signal of exploitation. Analysis of the ASPX payload reveals it was likely created with the SharPyShell framework and focuses on extracting cryptographic material rather than establishing command-and-control persistence. This technique mirrors the attack logic of previous deserialization vulnerabilities such as CVE-2021-28474, but now leverages the leaked keys for exploitation, eliminating the need for credential theft.
Microsoft has released emergency updates for SharePoint Server Subscription Edition (KB5002768) and SharePoint Server 2019 (KB5002754). SharePoint Server 2016 remains without a patch at this time. As mitigation, Microsoft, CISA, and Rapid7 recommend enabling AMSI integration, deploying Microsoft Defender Antivirus or equivalent endpoint protection, and rotating ASP.NET machine keys after patching. CISA additionally recommends disconnecting vulnerable systems from the internet if AMSI cannot be enabled. For detection and hunting, organizations should review IIS logs for unusual POST activity to "ToolPane.aspx", scan for known malicious IPs, and search for the presence of the "spinstall0.aspx" file in SharePoint server paths. The situation is ongoing, and additional guidance is expected as further analysis emerges.
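The IIS log review described above, as an added hunting example (not code from the advisory or from any of the vendors it cites): a parser for the W3C extended log format that flags POST requests to ToolPane.aspx whose referer is SignOut.aspx, and, as a lower-confidence signal, unauthenticated POSTs to that page. The sample log lines, the client addresses and the rule that a request for "spinstall0.aspx" itself appears in the log are constructed assumptions for the demonstration.

```python
# Constructed sample log, not a real capture. Column order comes from the
# #Fields header, as in a real IIS log, rather than being hard-coded.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 12:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.21 Mozilla/5.0 - 200 0 0 120
2025-07-18 12:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 341
2025-07-18 12:00:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 44
2025-07-18 12:03:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.22 Mozilla/5.0 https://sp.example.test/sites/hr/Home.aspx 200 0 0 90
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields is not None:
            values = line.split(" ")
            if len(values) == len(fields):  # W3C values never contain spaces
                yield dict(zip(fields, values))


def classify(rec):
    """Return (severity, reason) for one record, or None if it looks benign."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "-").lower()
    authenticated = rec.get("cs-username", "-") != "-"
    if (rec.get("cs-method") == "POST" and stem.endswith("/toolpane.aspx")
            and "displaymode=edit" in query):
        if "signout.aspx" in referer:
            return "high", "POST to ToolPane.aspx with SignOut.aspx referer"
        if not authenticated:
            return "medium", "unauthenticated POST to ToolPane.aspx?DisplayMode=Edit"
    if stem.endswith("/spinstall0.aspx"):
        # Assumption: the dropped file is reached over HTTP, so it shows up in the log.
        return "high", "request for spinstall0.aspx"
    return None


def hunt(text):
    """Run classify() over a whole log and return the flagged requests."""
    hits = []
    for rec in parse_w3c(text):
        verdict = classify(rec)
        if verdict:
            hits.append({"time": rec["date"] + " " + rec["time"], "client": rec["c-ip"],
                         "severity": verdict[0], "reason": verdict[1]})
    return hits
```

The authenticated POST from "bob" with an ordinary page as referer is left unflagged, which is the false-positive case a page editor's normal ToolPane.aspx traffic produces.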