
Critical security vulnerabilities in Microsoft SharePoint servers have been weaponized as part of an “active and massive” exploitation campaign.
The zero-day flaw tracked as CVE-2025-53770 (CVSS score: 9.8) is described as a variant of CVE-2025-49706 (CVSS score: 6.3).
“Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network,” Microsoft said in an advisory released on July 19, 2025.
The Windows maker also noted that it has prepared and fully tested a comprehensive update to resolve the issue. It credited Viettel Cyber Security with discovering and reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI).

In a separate alert issued Saturday, Redmond said it was aware of active attacks targeting on-premises SharePoint Server customers, but emphasized that SharePoint Online in Microsoft 365 is not affected.
In the absence of an official patch, Microsoft is asking customers to configure Antimalware Scan Interface (AMSI) integration in SharePoint and to deploy Defender AV on all SharePoint servers.
AMSI integration is enabled by default starting with the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
For those who cannot enable AMSI, Microsoft recommends disconnecting the SharePoint server from the internet until a security update is available. For additional protection, users are urged to deploy Defender for Endpoint to detect and block post-exploitation activity.
The disclosure comes as Eye Security and Palo Alto Networks Unit 42 warned of attacks exploiting CVE-2025-49706 and CVE-2025-49704 (CVSS score: 8.8), a code injection flaw in SharePoint. The exploit chain has been named ToolShell.
Given that CVE-2025-53770 is a “variant” of CVE-2025-49706, the attacks are suspected to be related.
The malicious activity essentially involves delivering ASPX payloads via PowerShell, which are then used to steal the SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey, in order to maintain persistent access.
The Dutch cybersecurity company said these keys are critical for generating valid __ViewState payloads, effectively turning any authenticated SharePoint request into a remote code execution opportunity.
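To make the role of the MachineKey concrete, here is an added Python example that is not from the article, Eye Security or Microsoft. It models ViewState integrity as an HMAC-SHA256 over the serialized page state, with the ValidationKey as the HMAC key. The key value and page state are constructed; real ASP.NET derives purpose-specific subkeys and, with the DecryptionKey, may also encrypt the blob, so this is a simplification. The point it demonstrates is that a MAC check (which ASP.NET performs before deserializing the state) only protects the server while the key is secret: once the ValidationKey has been read from the configuration, anyone holding it produces blobs that pass validation, and the remediation is to rotate the key, which invalidates everything signed under the old one.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes

# Constructed sample ValidationKey (hypothetical value; a real farm reads it
# from the <machineKey> element in web.config).
SAMPLE_VALIDATION_KEY = bytes.fromhex("a1b2c3d4" * 16)


def sign_viewstate(state: bytes, validation_key: bytes) -> bytes:
    """Return state || HMAC-SHA256(validation_key, state).

    Simplified stand-in for the ASP.NET ViewState MAC: whoever holds the
    validation key can produce a tag the server will accept.
    """
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state + tag


def verify_viewstate(blob: bytes, validation_key: bytes) -> Optional[bytes]:
    """Return the embedded state if its MAC verifies, else None.

    Verification happens before any deserialization, so a tampered blob is
    rejected without ever being parsed; constant-time comparison avoids
    leaking the tag through timing.
    """
    if len(blob) <= TAG_LEN:
        return None
    state, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return state


def rotate_validation_key() -> bytes:
    """Generate a fresh key; rotation invalidates every MAC made under the old one."""
    return secrets.token_bytes(64)


def viewstate_lifecycle(validation_key: bytes = SAMPLE_VALIDATION_KEY) -> dict:
    """Walk through the cases the passage above implies and report each outcome."""
    state = b"constructed-page-state"  # constructed sample state

    # 1. A blob signed by the server verifies under the server's key.
    blob = sign_viewstate(state, validation_key)
    legit_accepted = verify_viewstate(blob, validation_key) == state

    # 2. A blob altered without the key fails the MAC and is never deserialized.
    tampered = bytearray(blob)
    tampered[0] ^= 0x01
    tampered_rejected = verify_viewstate(bytes(tampered), validation_key) is None

    # 3. Any party holding the key produces a blob that verifies, so the MAC
    #    gives no protection once the key has been read from the configuration.
    other_state = b"constructed-state-from-key-holder"
    key_holder_blob = sign_viewstate(other_state, validation_key)
    key_holder_accepted = verify_viewstate(key_holder_blob, validation_key) == other_state

    # 4. After rotation, blobs signed under the old key no longer verify.
    new_key = rotate_validation_key()
    after_rotation_rejected = verify_viewstate(key_holder_blob, new_key) is None

    return {
        "legit_accepted": legit_accepted,
        "tampered_rejected": tampered_rejected,
        "key_holder_accepted": key_holder_accepted,
        "after_rotation_rejected": after_rotation_rejected,
    }


if __name__ == "__main__":
    for case, outcome in viewstate_lifecycle().items():
        print(f"{case}: {outcome}")
```

The fourth case is the defender's takeaway: on a server where the MachineKey may have been read, patching alone leaves previously minted ViewState blobs valid, so the keys must be rotated as well.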

“We are still identifying large numbers of exploit waves,” Eye Security CTO Piet Kerkhofs told The Hacker News in a statement. “This is having a huge impact, as it is using this remote code execution at speed and moving laterally.”
“We identified a malicious web shell on SharePoint servers and notified 75 compromised organizations. This group includes large corporations and large government agencies all over the world.”
It is worth noting that Microsoft has yet to update its advisories for CVE-2025-49706 and CVE-2025-49704 to reflect active exploitation. We have reached out to the company for further clarification and will update the story if we hear back.
(This is a developing story. Please check back for more details.)