Active attacks target Microsoft SharePoint zero-day affecting on-premises servers

Duncan Riley
2025-07-20 18:41:00
siliconangle.com

A zero-day vulnerability in Microsoft Corp.’s SharePoint with no known patch is being exploited in the wild as security researchers warn that attackers are actively compromising servers across multiple sectors.

The vulnerability, tracked as CVE-2025-53770 and dubbed “ToolShell,” affects on-premises versions of SharePoint Server 2016, 2019 and the Subscription Edition. The vulnerability stems from insecure deserialization that allows unauthenticated remote code execution, giving attackers the ability to to take control of servers without any credentials.

Microsoft confirmed active exploitation of the vulnerability on July 19 and has issued interim guidance as it works on a permanent fix.

The vulnerability is being leveraged in a coordinated campaign that was first observed by researchers at Eye Security B.V. on July 18. According to the researchers, attackers are using the flaw to deploy a malicious ASPX payload known as “spinstall0.aspx,” which extracts cryptographic machine keys used by SharePoint. Upon obtaining the keys, attackers can forge valid ViewState tokens and maintain persistent access, even after the servers are patched.

Eye Security estimates that at least 75 to 85 servers have already been compromised, with victims spanning government agencies, telecom firms, financial institutions, universities and energy providers.

An attack that seeks to exploit the vulnerability starts with a specially crafted POST request to SharePoint’s ToolPane.aspx endpoint that is also combined with a spoofed Referer header pointing to the SignOut.aspx page. The request then triggers the upload and execution of the spinstall0.aspx payload, which then provides access to the server’s ValidationKey and DecryptionKey.

Once an attacker has their hands on keys to server, they can bypass standard security measures and remotely execute commands as a trusted user.

With no patch available, Microsoft is urging administrators to enable AMSI integration and deploy Microsoft Defender Antivirus and Defender for Endpoint to detect and block known indicators of compromise. AMSI integration, or Antimalware Scan Interface integration, allows SharePoint to work with antivirus solutions like Microsoft Defender to scan and block malicious scripts and payloads in real time before they’re executed.

The U.S. Cybersecurity and Infrastructure Agency has also issued guidance on the vulnerability, noting that if AMSI cannot be enabled, SharePoint server users should disconnect affected products that are public-facing on the internet until official mitigations are available.

Analysts are also warning that mitigation alone is insufficient if compromise has already occurred, as attackers with access to machine keys can retain control. Full remediation requires key rotation, threat hunting and removal of any deployed web shells.

Image: SiliconANGLE/Reve

Support our open free content by sharing and engaging with our content and community.

Join theCUBE Alumni Trust Network

Where Technology Leaders Connect, Share Intelligence & Create Opportunities

11.4k+

CUBE Alumni Network

C-level and Technical

Domain Experts

Connect with 11,413+ industry leaders from our network of tech and business leaders forming a unique trusted network effect.

SiliconANGLE Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — SiliconANGLE Media operates at the intersection of media, technology, and AI. .

Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.

Source Link

Enjoy the perfect blend of retro charm and modern convenience with the Udreamer Vinyl Record Player. With 9,041 ratings, a 4.3/5-star average, and 400+ units sold in the past month, this player is a fan favorite, available now for just $39.99.

The record player features built-in stereo speakers that deliver retro-style sound while also offering modern functionality. Pair it with your phone via Bluetooth to wirelessly listen to your favorite tracks. Udreamer also provides 24-hour one-on-one service for customer support, ensuring your satisfaction.

Don’t miss out—get yours today for only $39.99 at Amazon!

Unlock unlimited streaming with a free Amazon Prime trial!
Sign up today!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!

BITCOIN

Bitcoin Logo