Microsoft SharePoint has critical-severity, zero-day remote code execution vulnerabilities (CVE-2025-53770 and CVE-2025-53771) impacting on-premises SharePoint that allow attackers to gain complete control of SharePoint servers without requiring credentials or bypassing multi-factor authentication. They do not impact SharePoint Online in Microsoft 365.
This is a Deserialization of Untrusted Data attack that allows an attacker to exploit the vulnerability through a combination of exposed ASP paths. Part of the development appears to have been conducted using Gemini to fuzz one of the vulnerable paths.
SharePoint is the enterprise content sharing, creation, and management software, indispensable to any organization within the Microsoft tech ecosystem. It is the repository for an organization's most valuable data, as well as an entry point into their network for other malicious activities.
These vulnerabilities represent a bypass of a security fix for the CVE-2025-49704 and CVE-2025-49706 vulnerabilities that Microsoft patched earlier this month. The exploit chain, dubbed "ToolShell," works by first dropping a malicious ASPX file that extracts cryptographic keys (ValidationKey and DecryptionKey) from the SharePoint server's configuration. These stolen keys then allow attackers to craft legitimate, signed ViewState payloads that execute arbitrary commands on the compromised system. Once exploited, attackers can access all SharePoint content, move laterally across Windows domains, and maintain persistent access even after patching.
What To Do
Apply patches immediately. If running affected versions, limit internet exposure, check for signs of compromise, and rotate credentials. See the Microsoft guidance for patching SharePoint, which includes additional guidance on:
- Ensuring antimalware scan technology is running.
- Deploying Microsoft Defender on potentially affected endpoints.
- Rotating SharePoint machine keys that may be compromised. Rotate ASP.NET machine keys to invalidate any previously stolen cryptographic material.
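Why patching alone does not lock out an attacker who already copied the keys, and why rotation does, shown as an added example (not code from Microsoft or from this page). It is a simplified model of MAC-validated state, not the real ASP.NET ViewState format; the function names, key size and sample byte strings are assumptions.

```python
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def new_validation_key() -> bytes:
    """Fresh random server-side key (the 64-byte size is an assumption)."""
    return secrets.token_bytes(64)


def sign_state(key: bytes, state: bytes) -> bytes:
    """Return state || HMAC-SHA256(key, state), as the server issues it."""
    return state + hmac.new(key, state, hashlib.sha256).digest()


def server_accepts(current_key: bytes, token: bytes) -> bool:
    """Accept a token only if its trailing MAC verifies under the current key."""
    if len(token) < MAC_LEN:
        return False
    state, mac = token[:-MAC_LEN], token[-MAC_LEN:]
    expected = hmac.new(current_key, state, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def simulate() -> dict:
    """Model the timeline: key theft, patch without rotation, then rotation."""
    server_key = new_validation_key()
    stolen_key = server_key  # copy taken while the server was vulnerable
    # Constructed placeholder bytes standing in for attacker-chosen state.
    attacker_token = sign_state(stolen_key, b"constructed-sample-state")
    results = {"before_patch": server_accepts(server_key, attacker_token)}
    # Patching replaces code, not configuration: the key is unchanged.
    results["after_patch_only"] = server_accepts(server_key, attacker_token)
    # Rotation gives the server a key the attacker never saw.
    server_key = new_validation_key()
    results["after_rotation"] = server_accepts(server_key, attacker_token)
    # State the server signs with its new key is still accepted.
    fresh = sign_state(server_key, b"constructed-legitimate-state")
    results["legitimate_after_rotation"] = server_accepts(server_key, fresh)
    return results


if __name__ == "__main__":
    for phase, accepted in simulate().items():
        print(f"{phase}: {'accepted' if accepted else 'rejected'}")
```

The token signed with the stolen key keeps verifying after the patch-only step and is rejected only once the server key has been rotated.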
Resources
- Bitsight Cyber Threat Intel Flash Report
- Eye Security, “SharePoint 0-day uncovered (CVE-2025-53770)”
- Microsoft, “Customer guidance for SharePoint vulnerability CVE-2025-53770”
- July 21, 2025: Published.