Attackers are exploiting a previously unknown vulnerability in Microsoft SharePoint Server, with security researchers confirming dozens of servers compromised globally since attacks began on July 18.

While the company’s July security update only partly addresses the problem, there are a couple of additional configuration changes enterprises can make to fully protect themselves, the company said in a statement issued Saturday.

To counter the new vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, Microsoft has recommended enabling the AMSI integration feature and deploying Microsoft Defender across SharePoint Server farms.

“Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update,” the company said in a statement issued Saturday. “These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.”

The zero-day exploit represents a critical threat to enterprise operations as it allows unauthorized attackers to execute code remotely without authentication, potentially giving cybercriminals complete control over affected systems. “This zero-day vulnerability challenges the long-standing enterprise assumption that collaboration infrastructure can be patched on convenience cycles,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research.

Vulnerability chaining exposes critical security gaps

The attacks exploit a sophisticated vulnerability chain that security experts say reveals fundamental flaws in how vendors approach comprehensive threat assessment. “While Microsoft issued individual patches for CVE-2025-49706 and CVE-2025-49704, they failed to patch the exploit chain fully, leaving a variant (now CVE-2025-53770) unaddressed,” said Sunil Varkey, advisor at Beagle Security.

“In cybersecurity, a single vulnerability can pose a significant risk, but when vulnerabilities are combined, the consequences can be catastrophic,” Varkey explained. “This wasn’t just a technical miss. It was a strategic failure to recognize how the individual parts combined to form something far more dangerous.”

The zero-day exploit transitioned from researcher discovery to real-world attacks within 72 hours despite no official exploit code being released. “This incident reveals a growing pattern: partial technical disclosures are sufficient for sophisticated adversaries to reconstruct and launch targeted exploits,” Gogia noted.

Enterprise impact escalates as security keys are compromised

The attack’s sophistication poses particular risks for enterprise environments where SharePoint serves as a central hub for document collaboration and workflow management. Unlike traditional web attacks focused on simple command execution, this exploit specifically targets SharePoint’s cryptographic infrastructure to maintain persistent access.

As part of the exploitation, attackers upload a file named “spinstall0.aspx,” which is used to steal the Microsoft SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey, security researchers reported. “Once this cryptographic material is leaked, the attacker can craft fully valid, signed __VIEWSTATE payloads,” Eye Security explained in its analysis.

Dutch cybersecurity firm Eye Security, which first identified the mass exploitation campaign, discovered the attacks began systematically targeting vulnerable servers on July 18, around 6:00 PM Central European Time. “Within hours, we identified more than dozens of separate servers compromised using the exact same payload at the same filepath,” Eye Security researchers said in their analysis.

The severity of the threat prompted rapid federal action, with CISA adding CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on Sunday, just two days after active exploitation was confirmed. “BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats,” the agency noted in its advisory, giving federal agencies until July 21 to implement mitigations.

Cloud migration gains urgency following differential impact

CVE-2025-53770 did not affect Microsoft’s cloud-hosted SharePoint Online service — only its on-premises versions. This divergence has renewed enterprise interest in cloud migration for collaboration platforms, analysts said.

“SharePoint Online’s immunity was not an accident. It was the result of a controlled service plane with centralised telemetry, integrated threat response, and automated patching,” Gogia explained. “The lesson is clear: secure-by-design architectures are no longer optional. They are fundamental.”

For enterprises that cannot migrate right away, mitigation steps are critical. “To protect your on-premises SharePoint Server environment, we recommend that customers configure AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers. This will stop unauthenticated attackers from exploiting this vulnerability,” Microsoft explained in its advisory.

“If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until a security update is available,” Microsoft added. The company also emphasized the critical importance of rotating SharePoint server ASP.NET machine keys and restarting IIS services after applying security updates.
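The two defender-side steps the article describes, hunting for the dropped “spinstall0.aspx” file and rotating the ASP.NET machine keys before restarting IIS, as an added PowerShell example that is not from the article, Eye Security or Microsoft. It assumes the SharePoint Management Shell with the Update-SPMachineKey cmdlet, and the default 16-hive LAYOUTS path is an assumption to adjust for your install.

```powershell
# Added example (not the article's or Microsoft's own code). Run in the
# SharePoint Management Shell on every server in the farm.

# Assumption: default 16-hive LAYOUTS directory; change to match your hive.
$LayoutsPath = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'

function Find-SpinstallDropper {
    param([string]$Root = $LayoutsPath)
    # The article reports attackers writing spinstall0.aspx to the server to
    # read the MachineKey. Any file by that name is a strong compromise
    # indicator: record path, timestamp and hash before touching it.
    Get-ChildItem -Path $Root -Recurse -Filter 'spinstall0.aspx' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                SizeBytes     = $_.Length
                LastWriteUtc  = $_.LastWriteTimeUtc
                Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Invoke-MachineKeyRotation {
    # Rotating the keys invalidates any ValidationKey/DecryptionKey already
    # exfiltrated, so __VIEWSTATE payloads signed with the old keys no longer
    # validate. Assumes the SharePoint snap-in and Update-SPMachineKey exist.
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($webApp.Url)"
        Update-SPMachineKey -WebApplication $webApp
    }
    # Keys are read at application start, so IIS must be restarted on each server.
    & iisreset.exe /noforce
}

$hits = Find-SpinstallDropper
if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning 'spinstall0.aspx present: treat the farm as compromised; preserve evidence, apply the update, then run Invoke-MachineKeyRotation.'
} else {
    Write-Host "No spinstall0.aspx found under $LayoutsPath."
}
```

Run the hunt first and only call Invoke-MachineKeyRotation after the security update is installed, since keys rotated on an unpatched server can simply be stolen again.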

The vulnerability chain, known as “ToolShell,” combines two previously disclosed security flaws that were originally demonstrated at the Pwn2Own Berlin security conference in May. While Microsoft addressed those original vulnerabilities, cybercriminals quickly developed variants that bypass the fixes.

“Microsoft might have missed anticipating this due to incomplete patch validation, inadequate threat modeling of vulnerability chaining, limited adversarial testing, and the rapid evolution of exploits following public disclosure,” Varkey explained.

Enterprise response strategy

Both Microsoft’s and CISA’s advisories urged enterprise security teams to immediately assess whether they have been compromised and to put comprehensive monitoring in place. Organizations must conduct thorough reviews for signs of unauthorized access, as SharePoint’s integration with core Microsoft services, including Outlook, Teams, and OneDrive, means a successful breach can rapidly escalate to broader network compromise through lateral movement and credential harvesting.

“Security response must now encompass live detection of anomalous access patterns, automated secret rotation, and continuous exploit monitoring,” Gogia advised. “Treating CVE notifications as passive inputs is no longer acceptable. Organisations must activate threat response the moment exploit potential becomes visible in the ecosystem.”
