Massive SharePoint zero-day exploit threatens thousands of companies


Dozens of organizations are being targeted by hackers exploiting a critical zero-day vulnerability in Microsoft SharePoint. The tech giant has released emergency patches.

Key takeaways:

Hackers are actively exploiting a critical SharePoint remote code execution (RCE) vulnerability to place backdoors on SharePoint servers, which enables them to steal security keys and take over systems.

Dozens of servers have already been compromised, and thousands more are exposed online.

ShadowServer Foundation sees around 9,300 SharePoint IP addresses exposed every day. Most of them are in the US (3,043), followed by the Netherlands (541), Ireland (695), the United Kingdom (541), Canada (495), Germany (338), and other countries.

Microsoft is aware of active attacks. Emergency patches are now available for all supported on-premises SharePoint Server versions: Subscription Edition, 2019, and 2016. SharePoint Online is not affected.

Cybersecurity authorities and Microsoft are urging users to apply the updates immediately. CISA told federal agencies to disconnect affected products from service if they can’t be properly secured.

Microsoft assesses that the severity of the flaw, labeled CVE-2025-53770, is 9.8 out of 10.

“Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network,” the advisory reads.

Hackers are compromising dozens of servers

Security firm Eye Security, which was the first to identify and alert about an active large-scale exploitation of the flaw on July 18th, 2025, said that dozens of SharePoint servers have already been compromised. Subsequent waves of exploitation followed since then.

The researchers dubbed the vulnerability chain “ToolShell” and warned that it is systemic: malicious code is dropped automatically, and the attack grants full persistence with zero authentication required. Attackers are bypassing identity protections such as multi-factor authentication (MFA) and single sign-on (SSO).

“Within hours, we identified more than dozens of separate servers compromised,” the researchers write.

“In each case, the attacker had planted a shell that leaked sensitive key material, enabling complete remote access.”

The firm told Bleeping Computer it has identified over 85 servers belonging to 54 organizations, including California state, a private energy sector operator in California, a federal government health organization, a private AI tech company, a private Fintech company in New York state, and a state government organization in Florida.

[Image: broken server] 85 servers belonging to 54 organizations have been compromised. If not more. By Cybernews

“These payloads can embed any malicious commands and are accepted by the server as trusted input, completing the RCE chain without requiring credentials,” Eye Security explains.

“Once inside, they can access all SharePoint content, system files, and configurations and move laterally across the Windows Domain,” the firm added.

[Image: exposed SharePoint servers] Image by Shadowserver Foundation

The theft of cryptographic keys allows attackers to impersonate users or services on the network, even if the server is later patched. Therefore, patching alone will not solve the issue.

Palo Alto Networks also warned that attackers behind the campaign are targeting organizations worldwide by dropping malicious ASPX payloads via PowerShell and stealing machine keys to maintain persistent access. ASPX is an extension for web page files used by Microsoft’s ASP.NET to deliver dynamic content from the server to the browser.

“Patch immediately. These exploits are real, in-the-wild, and pose a serious threat,” Palo Alto Networks said.

Governments targeted the most

It now appears that ToolShell exploitation is older and broader than initially believed. The first signs of the exploitation were identified on July 7th by the Check Point Research team.

“Since then, we’ve confirmed dozens of compromise attempts across government, telecommunications, and software sectors in North America and Western Europe,” the new report reads.

According to Check Point Research, government organizations are the most targeted with 49% of victims falling into this sector. Software and telecommunications sectors absorbed 24% and 9% of attacks respectively.

Attackers are mostly interested in North American and Western European targets. Thirty-two percent of attacks affect US organizations, followed by Portugal (12%), Canada (9%), Belgium (6%), Germany (6%), and other countries.

Three distinct exploit variants

Palo Alto Networks researchers have identified multiple exploit code examples posted on GitHub and three different variations of exploitation activity.

The first variation relies on a command-shell command that invokes PowerShell to find web.config files. The contents of these configuration files are then copied and saved into a single file named debug_dev.js.

The second variation uses the IIS worker process (w3wp.exe) to run a Base64-encoded PowerShell command, which then creates a web shell file named spinstall0.aspx. This file is designed to retrieve the server’s validation and decryption keys.

The third method, nearly identical to the second, writes the spinstall0.aspx file to a different directory, uses single-character variable names in its script, and calls a sleep function at the end.

The advisory also lists 11 IP addresses detected participating in the attacks.

The zero-day chain is a variant of a previously patched flaw

Security experts noted that the two newly disclosed zero-days (CVE-2025-53770 and CVE-2025-53771) are variants of a previously disclosed exploit chain that Microsoft had already patched (CVE-2025-49704 and CVE-2025-49706). The two previous flaws were demonstrated during the Berlin Pwn2Own hacking contest, earning the researchers second place.

“The attack begins with a specially crafted POST request sent to a server endpoint. Successful exploitation allows the attacker to upload a malicious webshell (spinstall0.aspx), which is then used to steal the server's unique MachineKey. With these keys, the attacker can forge trusted payloads to execute arbitrary code, establish persistence, and move laterally within a network,” said Lorri Janssen-Anessi, Director of External Cyber Assessments at BlueVoyant.

How to respond to the threat?

Microsoft urges SharePoint admins to only use supported SharePoint Server versions and to apply the security updates immediately.

“Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly,” Microsoft also said.

“Enable Full Mode for optimal protection, and deploy Defender Antivirus on all SharePoint servers, which will stop unauthenticated attackers from exploiting this vulnerability.”

If AMSI cannot be enabled, Microsoft recommends considering disconnecting the affected server from the internet until a security update is available.

After applying the latest security updates and/or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS (Microsoft’s web server software) on all SharePoint servers.

“Patching alone does not solve the issue – you need to rotate the cryptographic material, allowing all future IIS tokens that can be created by the malicious actor to become invalid,” Eye Security warns.

“Attackers can maintain persistence through backdoors or modified components that survive reboots and updates.”

SharePoint often connects to Outlook, Teams, OneDrive, and other core services. This means that a compromise can lead to data theft, password harvesting, and lateral movement across the network.

The firm recommends isolating or shutting down all affected SharePoint servers – blocking via firewall is not enough, as persistence may already exist.

The US Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies only one day to apply the patches and secure the affected servers or disconnect them, after adding the zero-day flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Additionally, CISA recommends monitoring for ToolPane access by watching for POST requests to “/_layouts/15/ToolPane.aspx?DisplayMode=Edit” and checking logs for malicious connections from three IPs: 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147.

However, attackers appear to be using other IPs as well.
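The following is an added example, not code from the article or from CISA, showing how a defender might turn the indicators above into a scan of IIS W3C logs: it flags POST requests to ToolPane.aspx with DisplayMode=Edit, requests for the spinstall0.aspx web shell named earlier in the article, and connections from the three IPs CISA listed. The log lines are constructed sample data; because attackers use other IPs as well, the request-pattern checks do not depend on the IP list.

```python
"""Scan IIS W3C extended logs for the ToolShell indicators given in the article.
All log lines below are constructed sample data, not real server logs."""

# The three source IPs CISA named (the article prints them defanged with [.]).
CISA_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 10:01:02 10.0.0.5 GET /sites/hr/default.aspx - 10.0.1.20 200
2025-07-18 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 200
2025-07-18 10:01:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 107.191.58.76 200
2025-07-18 10:02:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 200
2025-07-18 10:03:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.1.21 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the field names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines column order
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def toolshell_findings(text):
    """Return (timestamp, client_ip, [reasons]) for every suspicious entry."""
    findings = []
    for e in parse_w3c(text):
        reasons = []
        stem = e.get("cs-uri-stem", "").lower()
        query = e.get("cs-uri-query", "").lower()
        # CISA's pattern: POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
        # A GET to the same page is normal admin traffic and is not flagged.
        if (e.get("cs-method") == "POST"
                and stem.endswith("/_layouts/15/toolpane.aspx")
                and "displaymode=edit" in query):
            reasons.append("POST to ToolPane.aspx?DisplayMode=Edit")
        # The web shell name reported by Palo Alto Networks and BlueVoyant.
        if stem.endswith("/spinstall0.aspx"):
            reasons.append("request for spinstall0.aspx web shell")
        if e.get("c-ip") in CISA_IPS:
            reasons.append("source IP in CISA list")
        if reasons:
            findings.append((e["date"] + " " + e["time"], e.get("c-ip"), reasons))
    return findings


if __name__ == "__main__":
    for when, ip, why in toolshell_findings(SAMPLE_LOG):
        print(when, ip, "; ".join(why))
```

Run against real logs by replacing SAMPLE_LOG with the contents of the IIS log files for the SharePoint web applications; the 203.0.113.7 entry shows the ToolPane pattern firing on an IP that is not on CISA's list.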

“Update intrusion prevention system and web-application firewall rules to block exploit patterns and anomalous behavior,” CISA said.

“Implement comprehensive logging to identify exploitation activity. … Audit and minimize layout and admin privileges.”

Updated on July 22nd [10:40 a.m. GMT] with additional information