A newly discovered zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, is currently being exploited in active attacks against on-premises environments. The flaw, rated CVSS 9.8 (Critical), allows unauthenticated remote code execution (RCE) and poses a severe threat to any organization running an on-prem SharePoint instance.
Microsoft has confirmed that this vulnerability is being used in the wild and is the result of deserialization of untrusted data, a class of vulnerability that has led to numerous high-profile breaches in recent years. The issue affects only on-premises versions of SharePoint Server—SharePoint Online (Microsoft 365) is not impacted.
Key Details:
- Severity: Critical (CVSS 9.8)
- Status: Actively Exploited | No Patch Available
- Impact: Remote Code Execution (Unauthenticated)
- Affected: On-Premises Microsoft SharePoint Server
- Unaffected: SharePoint Online (Microsoft 365)
Exploitation Campaign and Impact
The exploitation of CVE-2025-53770 appears to be an evolution of the previously disclosed CVE-2025-49706, one of two flaws used in the so-called ToolShell exploit chain revealed at Pwn2Own Berlin earlier this year.
The current campaign has already compromised at least 85 SharePoint servers worldwide, spanning 29 different organizations, including multinational enterprises and government entities, as confirmed by Microsoft.
Attackers are abusing the way SharePoint handles the deserialization of objects in memory, allowing them to execute arbitrary code before authentication even occurs. By injecting a malicious .aspx file (typically named spinstall0.aspx) into the server, threat actors can extract sensitive cryptographic materials such as the ValidationKey and DecryptionKey.
With these keys, attackers can forge legitimate-looking __VIEWSTATE payloads to gain persistent, remote code execution access without triggering standard authentication controls.
This approach makes detection difficult and remediation even more complex. Even after the vulnerability is patched, systems may remain at risk if the stolen cryptographic secrets are not rotated.
Mitigation Steps (No Patch Yet)
At the time of publication, no official patch has been released. Microsoft has acknowledged the issue and is working on a security update. For more details, please read their official guidance on the matter here.
In the meantime, organizations are urged to apply immediate mitigations to prevent exploitation.
The most effective countermeasure currently available is enabling AMSI (Antimalware Scan Interface) integration in SharePoint, combined with deploying Microsoft Defender Antivirus and Microsoft Defender for Endpoint across all SharePoint servers.
AMSI has been enabled by default since September 2023 for SharePoint Server 2016, 2019, and Subscription Edition (version 23H2), but configurations should still be verified.
If AMSI cannot be enabled in your environment, Microsoft strongly recommends disconnecting vulnerable SharePoint servers from the internet until a patch is available.
Indicators of Compromise (IOCs)
Organizations should inspect their systems for evidence of compromise immediately. Microsoft has provided guidance for detecting exploitation, including telemetry queries for environments using Microsoft 365 Defender.
| Type | Value |
|---|---|
| File Path | spinstall0.aspx |
| IP Address | 107.191.58[.]76 |
| IP Address | 104.238.159[.]149 |
| IP Address | 96.9.125[.]147 |
| IIS Logs | POST to _layouts/15/ToolPane.aspx with referer _layouts/SignOut.aspx |
If any of these IOCs are detected, assume compromise. Immediately isolate affected systems and perform thorough forensic investigation for lateral movement.
OP Innovate Recommendation
Organizations using on-premises SharePoint Server should treat this threat as an active incident and respond accordingly. If AMSI is not enabled in your environment or if you are unsure whether your system has been compromised, now is the time to act.
OP Innovate’s incident response team is ready to assess impact, contain the threat, and provide guidance on remediation and hardening. Our expertise in handling complex post-exploitation scenarios, including deserialization and .NET-based persistence, ensures a rapid and thorough response.
If you suspect your SharePoint environment may be vulnerable or already compromised, contact us immediately.
Stay Safe. Stay Secure.
OP Innovate Research Team
