
Microsoft SharePoint Zero-Day Exploited in RCE Attacks – No Fix Yet

Summary

– Two critical zero-day vulnerabilities in Microsoft SharePoint (CVE-2025-53770 and CVE-2025-53771) are actively exploited, compromising at least 85 servers globally with no initial patch available.
– Microsoft released emergency updates for SharePoint 2019 and Subscription Edition but has not yet patched SharePoint 2016, urging admins to apply mitigations like AMSI integration and Defender AV.
– Attackers exploit these flaws to upload malicious files (e.g., spinstall0.aspx) and steal SharePoint’s MachineKey, enabling remote code execution via tampered ViewState payloads.
– CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch within one day of release.
– Over 54 organizations, including government and private sector entities, were breached, with exploitation traced to specific IP addresses and detectable via IIS logs or file system checks.

Microsoft SharePoint is under active attack through newly discovered zero-day vulnerabilities, putting organizations at risk of remote code execution (RCE) attacks. Security teams worldwide are scrambling to implement mitigations as threat actors exploit these flaws before patches become available.

Researchers have identified two critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771, being used in attacks against on-premises SharePoint servers. These flaws bypass earlier fixes Microsoft issued in July for related vulnerabilities (CVE-2025-49704 and CVE-2025-49706), which were originally demonstrated at Pwn2Own Berlin.

Microsoft has confirmed active exploitation, with at least 85 servers compromised globally. While SharePoint Online remains unaffected, organizations running on-premises deployments must act immediately. Emergency updates are available for SharePoint Server 2019 (KB5002754) and SharePoint Subscription Edition (KB5002768), but a patch for SharePoint 2016 is still pending.

Mitigations for Unpatched Systems

For servers without immediate patch access, Microsoft recommends:

  • Enabling AMSI (Antimalware Scan Interface) to detect malicious scripts in real time.
  • Deploying Microsoft Defender AV for additional protection.
  • Rotating ASP.NET machine keys to prevent command execution on compromised servers.

Admins can rotate keys manually via PowerShell (`Update-SPMachineKey`) or through Central Administration by triggering the Machine Key Rotation Job. After rotation, restarting IIS with `iisreset.exe` is critical.

Detection and Indicators of Compromise

Organizations should check for:

  • The file C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx, a known malicious payload.
  • Suspicious POST requests to layouts/15/ToolPane.aspx with a referer of /layouts/SignOut.aspx.
  • Connections from attacker IPs like 107.191.58[.]76 or 104.238.159[.]149.
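As an added example (not code from the article, Microsoft, or Eye Security), the following Python script applies the log-based indicators above to IIS W3C log lines: POST requests to ToolPane.aspx with a SignOut.aspx referer, and connections from the listed IPs. The sample log lines are constructed, and treating an HTTP request for spinstall0.aspx as an indicator is an assumption derived from the file name listed above.

```python
"""Scan IIS W3C-format logs for the SharePoint indicators listed above."""

# Indicators taken from the article (IPs un-defanged for matching).
ATTACKER_IPS = {"107.191.58.76", "104.238.159.149"}
MALICIOUS_FILE = "spinstall0.aspx"  # assumed: a request for the dropped file

# Constructed sample log: one attacker session plus two benign requests.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:15:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 10:16:10 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200
2025-07-19 10:20:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\jdoe 10.0.1.22 Mozilla/5.0 - 200
2025-07-19 10:21:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\jdoe 10.0.1.22 Mozilla/5.0 /_layouts/15/settings.aspx 200
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-map columns
        yield dict(zip(fields, values))


def find_indicators(text):
    """Return (reason, client_ip, uri) for every request matching an indicator."""
    hits = []
    for req in parse_iis_log(text):
        ip = req.get("c-ip", "-")
        uri = req.get("cs-uri-stem", "-").lower()
        referer = req.get("cs(Referer)", "-").lower()
        method = req.get("cs-method", "-").upper()
        # A POST to ToolPane.aspx is normal editing traffic; the SignOut.aspx
        # referer is what makes it suspicious, so both conditions are required.
        if method == "POST" and uri.endswith("/toolpane.aspx") and referer.endswith("/signout.aspx"):
            hits.append(("toolpane_post_signout_referer", ip, uri))
        if uri.endswith("/" + MALICIOUS_FILE):
            hits.append(("spinstall0_request", ip, uri))
        if ip in ATTACKER_IPS:
            hits.append(("known_attacker_ip", ip, uri))
    return hits


if __name__ == "__main__":
    for reason, ip, uri in find_indicators(SAMPLE_LOG):
        print(f"{reason:32} {ip:16} {uri}")
```

Point `find_indicators` at the contents of a real `u_ex*.log` file from `%SystemDrive%\inetpub\logs\LogFiles` to run it against production logs; the benign POST in the sample shows why the referer condition matters.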

The Attack Chain

Threat actors exploit these flaws to upload a malicious .aspx file, stealing the server’s MachineKey configuration. With access to the ValidationKey and DecryptionKey, attackers craft forged VIEWSTATE payloads using tools like ysoserial, enabling RCE.

Dutch cybersecurity firm Eye Security reported 54 organizations breached, including government agencies, universities, and financial firms. While some firewalls block initial payloads, attackers may adapt, increasing the risk of further exploitation.

CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch within 24 hours once updates are available.

This remains a fluid situation, with updates expected as Microsoft finalizes fixes for remaining versions. Organizations should prioritize mitigations and monitor for new advisories.

(Source: Bleeping Computer)


The Wiz

Wiz Consults, home of the Internet is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.