A severe security flaw in Microsoft SharePoint Server is being actively exploited in a widespread attack campaign.
The vulnerability, tracked as CVE-2025-53770 (CVSS 9.8), is a variant of CVE-2025-49706 (CVSS 6.3), a spoofing bug patched earlier this month. According to Microsoft’s advisory issued July 19, 2025, the flaw allows unauthorized remote code execution through deserialization of untrusted data in on-premises SharePoint Server.
Microsoft’s response:
Microsoft has acknowledged the vulnerability and confirmed that no patch is currently available, but that its Security Response Center is “actively working to release a security update” and will provide further guidance as it becomes available. Microsoft confirmed that SharePoint Online (Microsoft 365) is unaffected.
What you should do now:
In the meantime, customers are urged to:
- Enable Antimalware Scan Interface (AMSI) integration in SharePoint.
- Deploy Microsoft Defender Antivirus on all SharePoint servers.
- If AMSI cannot be enabled, consider disconnecting affected servers from the internet until a patch is released.
Why This Is Serious:
Eye Research, the team that discovered the vulnerability, reports that attackers can remotely execute code on affected SharePoint servers without needing authentication. Once inside, they can bypass protections like multi-factor authentication (MFA) or single sign-on (SSO) and gain unrestricted access to:
- All SharePoint content
- System files and configurations
- Other systems on the same Windows domain (lateral movement)
Even more concerning is that attackers may steal cryptographic keys, allowing them to impersonate users and services. This means that even after Microsoft releases a patch, organizations will need to rotate all secrets and keys to fully secure their environments.
Because SharePoint often connects to other Microsoft services—such as Outlook, Teams, and OneDrive—the breach potential extends beyond SharePoint itself. Exploitation could lead to data theft, password harvesting, and broader network compromise.
AMSI integration is already enabled by default for SharePoint Server 2016/2019 (September 2023 update) and SharePoint Server Subscription Edition (Version 23H2). For organizations unable to enable AMSI, Microsoft advises disconnecting vulnerable servers from the internet until a patch is available. Microsoft Defender for Endpoint is also recommended for detecting and blocking post-exploitation activity.
Cybersecurity firms Eye Security and Palo Alto Networks Unit 42 have observed attackers chaining CVE-2025-49706 and CVE-2025-49704 (a code injection flaw, CVSS 8.8) to enable arbitrary command execution, in a campaign codenamed ToolShell. Since CVE-2025-53770 is a variant of CVE-2025-49706, these attacks appear closely related.
Attackers reportedly deliver malicious ASPX payloads via PowerShell, targeting and stealing the MachineKey configuration (ValidationKey and DecryptionKey) from compromised SharePoint servers. This grants persistent access and allows attackers to transform any authenticated SharePoint request into a remote code execution (RCE) opportunity.
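Because a stolen ValidationKey/DecryptionKey stays usable until it is replaced, the post-patch task described above (and in the key-rotation note earlier) is to prove that every farm server now carries a new MachineKey. The script below is an added example, not code from the advisory, Microsoft or Eye Security: it parses web.config fragments (constructed here; the key values and server names are placeholders), fingerprints the keys rather than logging them, and reports servers still holding the pre-incident keys or disagreeing with the rest of the farm.

```python
import hashlib
import xml.etree.ElementTree as ET


def parse_machine_key(web_config_xml):
    """Return algorithms and SHA-256 key fingerprints from <machineKey>,
    or None if the config has no explicit element. Raw key material is
    never returned, so the result is safe to log or ticket."""
    node = next(ET.fromstring(web_config_xml).iter("machineKey"), None)
    if node is None:
        return None
    fp = lambda v: hashlib.sha256(v.encode()).hexdigest()[:16]
    return {"validation": node.get("validation", ""),
            "decryption": node.get("decryption", ""),
            "validation_fp": fp(node.get("validationKey", "")),
            "decryption_fp": fp(node.get("decryptionKey", ""))}


def rotation_findings(pre_incident, current_by_server):
    """pre_incident: parse_machine_key() output captured before the breach.
    current_by_server: {server: web.config text} collected after patching."""
    findings, fps = [], {}
    for server, xml_text in current_by_server.items():
        mk = parse_machine_key(xml_text)
        if mk is None:
            findings.append(f"{server}: no explicit <machineKey>; cannot verify")
            continue
        fps[server] = (mk["validation_fp"], mk["decryption_fp"])
        for name in ("validation", "decryption"):
            if mk[name + "_fp"] == pre_incident[name + "_fp"]:
                findings.append(f"{server}: {name}Key unchanged since incident; rotate")
    # Farm members must share one key pair; a mismatch means rotation is
    # incomplete (and ViewState issued by one server fails on another).
    if len(set(fps.values())) > 1:
        findings.append("farm: machineKey differs between servers; finish rotation")
    return findings


# Constructed web.config fragments; placeholder keys, not real material.
def _cfg(vk, dk):
    return (f'<configuration><system.web><machineKey validationKey="{vk}" '
            f'decryptionKey="{dk}" validation="HMACSHA256" decryption="AES"/>'
            f'</system.web></configuration>')

OLD = _cfg("PLACEHOLDER_VALIDATION_OLD", "PLACEHOLDER_DECRYPTION_OLD")
NEW = _cfg("PLACEHOLDER_VALIDATION_NEW", "PLACEHOLDER_DECRYPTION_NEW")


def demo_findings():
    """SP-WFE-01 was rotated, SP-WFE-02 was missed (hypothetical hosts)."""
    return rotation_findings(parse_machine_key(OLD),
                             {"SP-WFE-01": NEW, "SP-WFE-02": OLD})


if __name__ == "__main__":
    print("\n".join(demo_findings()))
```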
Eye Security CTO Piet Kerkhofs stated:
“We are still identifying mass exploitation waves. Adversaries are moving quickly using this RCE vulnerability. We’ve notified nearly 75 breached organizations, including major companies and government agencies worldwide.”
Although the Microsoft Security Response Center has said it is “actively working to release a security update” and will “provide additional details as they are available,” no patch is available at this time.
Read The Microsoft Advisory HERE
Read Eye Security Report HERE
About Eye Security
Eye Security, headquartered in the Netherlands, protects small and medium-sized European businesses from cyber threats by combining continuous endpoint monitoring, employee awareness programs, 24/7 incident response, and cyber insurance into a single, comprehensive service.