Updated:

A zero-day vulnerability in Microsoft Corp.’s SharePoint with no known patch is being exploited in the wild as security researchers warn that attackers are actively compromising servers across multiple sectors.

Update: On Monday, the company released a patch for the flaw and said SharePoint 2016 updates are coming.

The vulnerability, tracked as CVE-2025-53770 and dubbed “ToolShell,” affects on-premises versions of SharePoint Server 2016, 2019 and the Subscription Edition. The vulnerability stems from insecure deserialization that allows unauthenticated remote code execution, giving attackers the ability to to take control of servers without any credentials.

Microsoft confirmed active exploitation of the vulnerability on July 19 and has issued interim guidance as it works on a permanent fix.

The vulnerability is being leveraged in a coordinated campaign that was first observed by researchers at Eye Security B.V. on July 18. According to the researchers, attackers are using the flaw to deploy a malicious ASPX payload known as “spinstall0.aspx,” which extracts cryptographic machine keys used by SharePoint. Upon obtaining the keys, attackers can forge valid ViewState tokens and maintain persistent access, even after the servers are patched.

Eye Security estimates that at least 75 to 85 servers have already been compromised, with victims spanning government agencies, telecom firms, financial institutions, universities and energy providers.

An attack that seeks to exploit the vulnerability starts with a specially crafted POST request to SharePoint’s ToolPane.aspx endpoint that is also combined with a spoofed Referer header pointing to the SignOut.aspx page. The request then triggers the upload and execution of the spinstall0.aspx payload, which then provides access to the server’s ValidationKey and DecryptionKey.

Once an attacker has their hands on keys to server, they can bypass standard security measures and remotely execute commands as a trusted user.

Microsoft is urging administrators to enable AMSI integration and deploy Microsoft Defender Antivirus and Defender for Endpoint to detect and block known indicators of compromise. AMSI integration, or Antimalware Scan Interface integration, allows SharePoint to work with antivirus solutions like Microsoft Defender to scan and block malicious scripts and payloads in real time before they’re executed.

The U.S. Cybersecurity and Infrastructure Agency has also issued guidance on the vulnerability, noting that if AMSI cannot be enabled, SharePoint server users should disconnect affected products that are public-facing on the internet until official mitigations are available.

Analysts are also warning that mitigation alone is insufficient if compromise has already occurred, as attackers with access to machine keys can retain control. Full remediation requires key rotation, threat hunting and removal of any deployed web shells.

“CVE-2025-53770 is more than just another SharePoint flaw,” Rik Ferguson, vice president of security intelligence at cybersecurity firm Forescout Technologies Inc., told SiliconANGLE in an email. “It is a case study in what happens when legacy trust models meet modern threat actors. An authenticated user should never be treated as a guaranteed safe entity, but this vulnerability effectively grants code execution without requiring elevated privileges. For CISOs, this highlights a critical point: If your security posture still relies on perimeter trust or the assumption that credentialed access equals safety, then it is time to reassess.”

Steve Cobb, chief information security officer at SecurityScorecard Inc. advised that given the active exploitation of the vulnerability, organizations must take prompt action.

“First, organizations should immediately remove these potentially affected servers from public internet access until they can confirm that all servers are either patched and/or not compromised,” he said. “Then they can move on to patch all affected SharePoint versions immediately where updates are available. Servers that cannot be remediated should be isolated, and data recovery processes should be executed. Organizations should be careful to verify that backup and recovery data is not affected prior to the restoration process.”

Image: SiliconANGLE/Reve