Hackers Exploit New Microsoft SharePoint Zero-Day (CVE-2025-53770) for Persistent Access


A newly disclosed critical Microsoft SharePoint vulnerability (CVE-2025-53770) has been actively exploited since July 7, 2025, according to Check Point Research. The flaw allows unauthenticated remote code execution (RCE) and has been used against major government and enterprise environments worldwide.

Researchers detected the first attacks against a major Western government before activity spread to the telecommunications, software, and technology sectors in North America and Western Europe. The campaign remains highly active.


Attack Origin and Methods

Exploitation attempts were traced to three IP addresses:

  • 104.238.159[.]149
  • 107.191.58[.]76
  • 96.9.125[.]147

One of these IPs was previously linked to exploitation of the Ivanti EPMM flaws CVE-2025-4427 and CVE-2025-4428. Attackers chained multiple vulnerabilities, including:

  • CVE-2025-53770 (CVSS 9.8) – Remote Code Execution in SharePoint Server
  • CVE-2025-49706 (CVSS 6.5) – SharePoint Server Spoofing Vulnerability

How the Exploit Works

The zero-day abuses SharePoint’s deserialization of untrusted data, letting attackers execute code remotely without authentication. Malicious ASP.NET web shells such as spinstall0.aspx are then deployed to:

  • Steal the server’s cryptographic keys (ValidationKey and DecryptionKey)
  • Create forged ViewState payloads signed with the stolen keys, giving persistence that survives patching until the keys are rotated
  • Enable arbitrary command execution

Threat researchers observed Base64-encoded PowerShell commands writing these web shells into SharePoint’s layouts directory.
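As an added defender-side example (not code from the article or from Check Point Research), the following Python triage pass reads IIS W3C log lines and flags the indicators the article gives (the three source IPs and the spinstall0.aspx web shell name); it also goes one step further and flags any .aspx under the layouts directory that is not in a baseline of known pages. The sample log lines, the baseline page list, and the /_layouts/ URL prefix are constructed assumptions, not data from the article.

```python
import re

# Indicators quoted in the article (de-fanged there; plain dotted quads here so they match log fields).
KNOWN_BAD_IPS = {"104.238.159.149", "107.191.58.76", "96.9.125.147"}
KNOWN_WEB_SHELLS = {"spinstall0.aspx"}
# Assumption: a constructed baseline of legitimate .aspx pages under /_layouts/ (not exhaustive).
LAYOUTS_BASELINE = {"start.aspx", "viewlsts.aspx", "settings.aspx"}
LAYOUTS_RE = re.compile(r"^/_layouts/(?:\d+/)?([^/?]+\.aspx)$", re.IGNORECASE)

def parse_w3c(text: str):
    """Yield (line_no, record) from an IIS W3C log; the '#Fields:' directive names the columns."""
    fields = None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif fields and raw and not raw.startswith("#"):
            values = raw.split()
            if len(values) == len(fields):
                yield n, dict(zip(fields, values))

def triage(text: str) -> list:
    """Return (line_no, client_ip, uri, reasons) for requests matching the article's indicators
    or touching an .aspx under /_layouts/ that is not in the baseline."""
    findings = []
    for n, rec in parse_w3c(text):
        ip, uri = rec.get("c-ip", ""), rec.get("cs-uri-stem", "")
        reasons = []
        if ip in KNOWN_BAD_IPS:
            reasons.append("source IP listed in the campaign indicators")
        if (m := LAYOUTS_RE.match(uri)):
            page = m.group(1).lower()
            if page in KNOWN_WEB_SHELLS:
                reasons.append("request to known web shell filename")
            elif page not in LAYOUTS_BASELINE:
                reasons.append("unbaselined .aspx under the layouts directory")
        if reasons:
            findings.append((n, ip, uri, tuple(reasons)))
    return findings

# Constructed sample log (not real traffic) in IIS W3C format.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-07-18 08:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 200
2025-07-18 08:02:45 107.191.58.76 POST /_layouts/15/settings.aspx - 200
2025-07-18 08:03:10 203.0.113.9 GET /_layouts/15/spinstall0.aspx - 200
2025-07-18 08:04:02 10.0.0.7 GET /_layouts/15/debug0.aspx - 404
"""
```

Running triage(SAMPLE_LOG) flags log lines 3, 4 and 5 with one reason each; the baseline rule is the one that catches a renamed web shell, so it is worth maintaining from a clean server image.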


Targets and Threat Landscape

The attack has been detected across multiple regions including the U.S., Canada, Germany, South Africa, and Switzerland. Early-stage exploitation focused on government, critical infrastructure, and consulting organizations. Some threat actors used fileless, in-memory execution techniques, which complicate detection and forensic recovery.


Mitigation and Recommendations

  • Apply Microsoft’s July 2025 patches for CVE-2025-53770 and CVE-2025-53771 immediately.
  • Rotate all cryptographic keys and restart SharePoint servers; patching alone does not invalidate keys already stolen.
  • Enable advanced monitoring for PowerShell and suspicious .aspx file uploads.
  • Adopt Zero Trust security measures to prevent lateral movement.

Important: Microsoft has released enhanced patches after confirming active exploitation of flaws that the earlier fixes only partially addressed. Organizations must treat this as a critical priority.
