Microsoft SharePoint Zero-Day Exploitation Campaign (CVE-2025-53770, CVE-2025-53771)

Source: TheHackerNews, Dark Reading, CSO Magazine, Krebs on Security

SharePoint Zero-Day Attack Visualization

Timeline:
• July 18, 2025 (6:00 PM CET): Active exploitation begins
• July 20, 2025: CISA adds CVE-2025-53770 to Known Exploited Vulnerabilities catalog
• July 21, 2025: Microsoft releases emergency patches for both vulnerabilities

Attack Vector: Sophisticated vulnerability chaining exploiting deserialization flaws in on-premises SharePoint Server. Attackers abuse CVE-2025-49706 (authentication bypass) combined with CVE-2025-49704 (code injection) to achieve unauthenticated remote code execution. The exploit chain, dubbed "ToolShell," involves sending crafted POST requests to /_layouts/15/ToolPane.aspx with spoofed Referer headers.

Threat Actor: Advanced persistent threat group with sophisticated reconnaissance capabilities targeting critical infrastructure, government entities, universities, and energy companies across multiple sectors.

Indicators of Compromise (IOCs):

spinstall0.aspx - Malicious ASPX payload file
POST requests to /_layouts/15/ToolPane.aspx
Spoofed Referer header: _layouts/SignOut.aspx
PowerShell execution for MachineKey extraction
Anomalous SharePoint service restarts

CVE References:
 • CVE-2025-53770 (CVSS 9.8): Remote code execution via deserialization of untrusted data in SharePoint Server
 • CVE-2025-53771 (CVSS 7.1): Spoofing vulnerability enabling path traversal in SharePoint
 • CVE-2025-49706 (CVSS 6.3): Authentication bypass vulnerability (chained)
 • CVE-2025-49704 (CVSS 8.8): Code injection vulnerability (chained)

MITRE ATT&CK Mapping:
• T1190 (Initial Access): Exploit Public-Facing Application
• T1059.001 (Execution): PowerShell execution for credential harvesting
• T1505.003 (Persistence): Web Shell deployment via ToolShell backdoor
• T1552.004 (Credential Access): Private Keys extraction (ASP.NET MachineKey)
• T1021.001 (Lateral Movement): Remote Services via compromised SharePoint integration

Analysis: This represents a critical supply chain attack targeting enterprise collaboration infrastructure. The sophistication of vulnerability chaining demonstrates advanced threat actor capabilities with deep understanding of SharePoint architecture. The theft of ASP.NET machine keys enables persistent access and lateral movement across integrated Microsoft services (Teams, OneDrive, Outlook). Organizations with internet-facing SharePoint servers should assume compromise and implement immediate containment measures.

For more breach intelligence reports and cybersecurity insights, visit CISOPlatform.com and sign up to be a member.

Nominate for Global CISO 100 Awards & Future CISO Awards (1-2 October Atlanta, USA): Nominate Your Peer

All Articles

Microsoft SharePoint Zero-Day Exploitation Campaign (CVE-2025-53770, CVE-2025-53771)

Microsoft SharePoint Zero-Day Exploitation Campaign (CVE-2025-53770, CVE-2025-53771)

Comments

Join The Community Discussion

Read More

Top Breaches in Cyber Security in 2025 – upcoming live panel

Weekly CISO Podcast Pick – Why Cyber Risk Fails: What CISOs Should Do Instead

Navigating Cybersecurity in 2026: A Deep Dive into Trends, Statistics and Strategies for Enterprises, SMBs & BFSI/NBFCs

Daily Breach Intelligence 26 November 2025 - Dartmouth College has confirmed that its Oracle EBS instance was compromised; New Critical CVE with unauthenticated RCE in broadcast infrastructure..

Note: this page contains paid content.

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Atlanta Chapter Meet: Build the Pen Test Maturity Model (Virtual Session)