UPDATE, 3:05 Pacific: This story has been updated to reflect Mandiant's assessment that a China-nexus threat actor was responsible for one of the early exploitations of the SharePoint zero-day. Federal agencies must patch actively exploited zero-day flaws on Microsoft's SharePoint servers before the day is over on July 21 after the Cybersecurity and Infrastructure Security Agency (CISA) placed the 9.8 vulnerability on its Known Exploited Vulnerabilities (KEV) catalog.The move by CISA was in the backdrop of the Washington Post reporting that in exploiting the remote code execution (RCE) vulnerability, unspecified attackers launched a global cyberattack, breaching U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications company.The FBI offered no real details on the ongoing case. A spokesperson told SC Media the FBI is aware of the matter, its working closely with federal government and private sector partners.Microsoft said “they’ve been coordinating closely with CISA, DOD Cyber Defense Command and key cybersecurity partners globally.”For security teams looking for guidance, CISA required all federal civilian agencies to patch by end-of-day July 21 and advised organizations of all stripes to apply the emergency out-of-band patches Microsoft issued because CVE-2025-53770 has been exploited in the wild.In its advisory, CISA recommended that teams configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Microsoft Defender AV on all SharePoint Servers.CISA added that if teams can’t apply AMSI integration, they should disconnect affected products that are public-facing on the internet from service until official mitigations are available.The emergency patches only apply to Microsoft SharePoint Server products, SharePoint online (Microsoft 365) was not affected."While the scope and impact continue to be assessed, the new CVE-2025-53770 is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premise SharePoint servers,” said Chris Butera, CISA’s acting executive director for cybersecurity. "CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action. Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations.”
Kratu added that if an organization’s SharePoint is exposed online, assume compromise. Kratu said attackers are already chaining the zero-day deserialization flaw that enables RCE with older vulnerabilities such as CVE-2025-49704/49706 in a campaign.Once inside, Kratu said attackers are bypassing MFA/SSO, stealing cryptographic keys, exfiltrating sensitive data, and planting persistent backdoors. Because SharePoint is tightly integrated with the broader Microsoft ecosystem, lateral movement is fast and far-reaching, said Kratu, from Teams, OneDrive, and Outlook to Azure AD, Exchange, and Office apps. “A foothold in SharePoint can expose credentials, documents, meeting content, and email, turning one exploited server into a full enterprise breach,” said Kratu.Ryan Dewhurst, head of proactive threat intelligence at watchTowr, added their data shows exploitation across hundreds of organization. Dewhurst said initial scans began hitting the internet on July 16 and by July 17 and 18, exploitation was in full swing, prompting Microsoft’s official public advisory on July 19.Based on their telemetry and industry partnerships, the United States, Germany, France, and Australia are currently bearing the brunt of exploitation activity, said Dewhurst. There is likely to be slight bias towards countries where usage of on-premise Microsoft SharePoint is clustered, but the reality is not debatable.“This is going global fast," said Dewhurst. "The original CVE-2025-49706 vulnerability was first reported at the Pwn2Own hacking contest in Berlin on July 8, where a team found a vulnerability in SharePoint and chained it with a separate authentication bypass vulnerability. It didn’t take long after that until CVE-2025-53770 came along, which we believe to be an evolution of that vulnerability — however, 53770 reflects a bypass around Microsoft’s original patch.”Nic Adams, co-Founder and CEO at 0rcus, explained that CVE‑2025‑53770 is a post‑authentication deserialization flaw in SharePoint’s ASP.NET ViewState processing that bypasses the July “ToolShell” fixes.Adams said it permits arbitrary code execution under the SharePoint service account, which typically holds local‑system privileges and default database owner rights. Public exploit code chains this bug with the previously patched CVE‑2025‑49706 to regain unauthenticated access, restoring the full ToolShell RCE path.“CISA added the CVE to KEV because active exploitation has been documented across federal and Fortune 500 environments and weaponization requires trivial modification of published ToolShell payloads,” Adams said.Here’s how the attack works: Attackers upload a crafted .aspx page (e.g., spinstall0.aspx) into the
Exploit of 'ToolShell' flaw is 'full enterprise breach' via SharePoint
The new flaw, publicly reported as “ToolShell,” provides unauthenticated access to systems and lets malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network. “This isn’t an ‘apply the patch and you’re done’ situation,” said Charles Carmakal, chief technology officer at Mandiant Consulting-Google Cloud, in a LinkedIn post. “Organizations need to implement mitigations right away and the patch when available, assume compromise, investigate whether the system was compromised prior to the patch/mitigation, and take remediation actions. If your organization has on-premises Microsoft SharePoint that’s exposed to the internet, you have urgent homework to do.”Carmakal added late Monday that Mandiant assessed that at least one of the actors responsible for early exploitation of the SharePoint zero-day is a China-nexus threat actor."It's critical to understand that multiple actors are now actively exploiting this vulnerability," said Carmakal. "We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well." Sagy Kratu, principle cybersecurity strategist at Vicarius, agreed that CVE-2025-53770 isn’t just another CVE: It’s an active breach vector with national-level consequences.“Microsoft confirmed ongoing exploitation of SharePoint on-prem servers, CISA added it to the KEV list, and federal agencies are racing to patch,” said Kratus. “The FBI and DOD Cyber Command are involved. That says everything.”Kratu added that if an organization’s SharePoint is exposed online, assume compromise. Kratu said attackers are already chaining the zero-day deserialization flaw that enables RCE with older vulnerabilities such as CVE-2025-49704/49706 in a campaign.Once inside, Kratu said attackers are bypassing MFA/SSO, stealing cryptographic keys, exfiltrating sensitive data, and planting persistent backdoors. Because SharePoint is tightly integrated with the broader Microsoft ecosystem, lateral movement is fast and far-reaching, said Kratu, from Teams, OneDrive, and Outlook to Azure AD, Exchange, and Office apps. “A foothold in SharePoint can expose credentials, documents, meeting content, and email, turning one exploited server into a full enterprise breach,” said Kratu.Ryan Dewhurst, head of proactive threat intelligence at watchTowr, added their data shows exploitation across hundreds of organization. Dewhurst said initial scans began hitting the internet on July 16 and by July 17 and 18, exploitation was in full swing, prompting Microsoft’s official public advisory on July 19.Based on their telemetry and industry partnerships, the United States, Germany, France, and Australia are currently bearing the brunt of exploitation activity, said Dewhurst. There is likely to be slight bias towards countries where usage of on-premise Microsoft SharePoint is clustered, but the reality is not debatable.“This is going global fast," said Dewhurst. "The original CVE-2025-49706 vulnerability was first reported at the Pwn2Own hacking contest in Berlin on July 8, where a team found a vulnerability in SharePoint and chained it with a separate authentication bypass vulnerability. It didn’t take long after that until CVE-2025-53770 came along, which we believe to be an evolution of that vulnerability — however, 53770 reflects a bypass around Microsoft’s original patch.”Nic Adams, co-Founder and CEO at 0rcus, explained that CVE‑2025‑53770 is a post‑authentication deserialization flaw in SharePoint’s ASP.NET ViewState processing that bypasses the July “ToolShell” fixes.Adams said it permits arbitrary code execution under the SharePoint service account, which typically holds local‑system privileges and default database owner rights. Public exploit code chains this bug with the previously patched CVE‑2025‑49706 to regain unauthenticated access, restoring the full ToolShell RCE path.“CISA added the CVE to KEV because active exploitation has been documented across federal and Fortune 500 environments and weaponization requires trivial modification of published ToolShell payloads,” Adams said.Here’s how the attack works: Attackers upload a crafted .aspx page (e.g., spinstall0.aspx) into the
/_layouts/ directory via legacy SOAP endpoints, invoke it to harvest machine keys, then replay signed ViewState payloads to run command shells or PowerShell download‑cradles. Detection lag is high because traffic presents as legitimate SharePoint user activity.Adams said teams should do the following in response:- Apply KB5002754 (Server 2019); isolate Server 2016 until its patch ships.
- Rotate ASP.NET machine keys (
Update‑SPMachineKey) after patching to invalidate stolen keys. - Enable AMSI integration and real‑time Defender Antivirus scanning on every WFEs and application server.
- Hunt for IOCs: presence of spinstall0.aspx, IIS POSTs to
_layouts/15/ToolPane.aspxwith referer_layouts/SignOut.aspx, or file events matching Microsoft’s Defender query. Compromised hosts require full forensic imaging; simple deletion of the file is insufficient.




