Critical SharePoint 0-Day Exploit (CVE-2025-53770) Actively Targeting Small Businesses

July 20, 2025 • Security Alerts

🚨 Overview

Important: This advisory only applies to on-premises (self-hosted) Microsoft SharePoint Server installations. SharePoint Online (Microsoft 365) is not affected.

A critical vulnerability in on-premises Microsoft SharePoint Server (CVE-2025-53770) is being actively exploited in the wild — enabling unauthenticated attackers to take complete remote control of vulnerable servers. This isn’t just a theoretical risk. The vulnerability is already being used by sophisticated threat actors in targeted, coordinated campaigns.

At Breakthru, we’re tracking this vulnerability closely and advising immediate action for affected organizations — especially small businesses that may not have a dedicated security team or advanced threat detection tools in place.

🔍 What Is CVE-2025-53770?

This vulnerability results from a deserialization flaw in SharePoint's internal processing. If exploited, it allows remote attackers to:

  • Upload malicious .aspx files and execute code on the server
  • Extract sensitive cryptographic keys (e.g., ValidationKey, DecryptionKey)
  • Forge valid __VIEWSTATE payloads, bypassing authentication entirely

Severity Score: 9.8 (CRITICAL)
Attack Vector: Network
Privileges Required: None
User Interaction: None

In short: if your SharePoint Server is internet-facing, it’s vulnerable.

💥 What’s Happening in the Wild?

The exploit, now dubbed “ToolShell,” was weaponized within 72 hours of public proof-of-concept code release.

Key facts from Eye Security’s analysis:

  • Two attack waves were launched (July 18 and 19, 2025)
  • Attackers are installing persistent backdoors
  • Servers are being used to:
    • Steal data
    • Deploy additional malware
    • Launch phishing campaigns

Known Exploited Paths:

  • /layouts/15/ToolPane.aspx (initial entry point)
  • Undisclosed .aspx file used to dump cryptographic keys

Even if you patch later, backdoors may persist if attackers are already inside.

🎯 Why This Matters for Small Businesses

Small businesses are uniquely at risk:

  • Limited IT oversight can delay patching
  • SharePoint is often used as an intranet or file portal — sometimes unintentionally exposed online
  • Compromised servers may store:
    • Client records
    • Financial or payroll data
    • Internal communications

If compromised, attackers can:

  • Modify shared content
  • Redirect visitors or staff
  • Install ransomware or remote access tools
  • Use your server to target others — damaging your brand

🔐 Mitigations and Immediate Action Plan

There is no patch available yet, but you can act now to reduce your risk:

✅ 1. Enable AMSI Integration

If you're running:

  • SharePoint Server 2016 (with Sept 2023 update or later)
  • SharePoint Server 2019 (with Sept 2023 update or later)
  • Subscription Edition (23H2 or later)

AMSI (Antimalware Scan Interface) helps block this attack before it executes.

🔗 Enable AMSI Integration – Microsoft Docs

✅ 2. Deploy Microsoft Defender AV & Defender for Endpoint

Microsoft Defender detects related malware under names like:

  • Exploit:Script/SuspSignoutReq.A
  • Trojan:Win32/HijackSharePointServer.A

Defender for Endpoint alerts may include:

  • "Possible web shell installation"
  • "HijackSharePointServer malware detected"

✅ 3. Restrict Internet Access to SharePoint Servers

If you can't apply updates or enable AMSI, disconnect your SharePoint Server from the internet temporarily to block exploitation.

✅ 4. Conduct a Compromise Assessment

Run the following Microsoft 365 Defender query to detect known malicious files:

// Advanced hunting (KQL): look for the known web shell dropped into the SharePoint LAYOUTS folder.
// FolderPath uses the 8.3 short names IIS/SharePoint write to disk; backslashes are doubled because
// "\" is an escape character inside a KQL string literal.
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx"   // =~ is a case-insensitive match

🧪 Indicators of Compromise (IOCs)

Review your server logs for the following:

🔎 IP Addresses:

  • 107.191.58[.]76 — First attack wave (July 18, 2025)
  • 104.238.159[.]149 — Second attack wave (July 19, 2025)

🔎 User-Agent:

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
    (May also appear URL-encoded in IIS logs)
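As an added example that is not part of the original advisory, the following Python script scans a W3C-format IIS log for the indicators above: the two IP addresses, the Firefox/120.0 user-agent in both its plain and URL-encoded forms, requests for spinstall0.aspx, and POSTs to ToolPane.aspx. The log lines are constructed, not real traffic, and the column layout assumes the default IIS W3C fields.

```python
"""Scan W3C-format IIS logs for the CVE-2025-53770 indicators listed in this advisory."""
from urllib.parse import unquote_plus

# IOCs from the advisory; the IPs are written defanged there and re-fanged here.
IOC_IPS = {"107.191.58.76", "104.238.159.149"}
IOC_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"

# Constructed sample log (not real traffic). IIS writes the user-agent with '+' for spaces and it
# may also be URL-encoded; unquote_plus() normalises both. The advisory names the entry point as
# /layouts/15/ToolPane.aspx, so the scan matches on the file name rather than the full path.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip "
    "cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-07-18 14:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - "
    "107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 153",
    "2025-07-18 14:02:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 "
    "Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64%3B%20rv%3A120.0)%20Gecko%2F20100101%20Firefox%2F120.0 - 200 0 0 20",
    "2025-07-19 09:15:40 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\\jdoe "
    "192.168.1.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+Chrome/126.0 - 200 0 0 44",
]

def scan_iis_log(lines):
    """Return [(line_no, [reasons])] for every request that matches an advisory indicator."""
    fields, hits = [], []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the lines that follow
            continue
        if line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):         # malformed line: skip rather than misalign columns
            continue
        rec = dict(zip(fields, values))
        stem = unquote_plus(rec.get("cs-uri-stem", "")).lower()
        ua = unquote_plus(rec.get("cs(User-Agent)", ""))
        reasons = []
        if rec.get("c-ip") in IOC_IPS:
            reasons.append("ioc-ip:" + rec["c-ip"])
        if ua == IOC_UA:
            reasons.append("ioc-user-agent")
        if stem.endswith("/spinstall0.aspx"):
            reasons.append("spinstall0-request")
        # ToolPane.aspx is also a legitimate page-editing endpoint, so a POST to it is a
        # triage signal to review alongside the other indicators, not proof on its own.
        if rec.get("cs-method") == "POST" and stem.endswith("/toolpane.aspx"):
            reasons.append("toolpane-post")
        if reasons:
            hits.append((n, reasons))
    return hits

if __name__ == "__main__":
    for line_no, reasons in scan_iis_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(reasons)}")
```

To run it against a real server, read the files under the IIS log directory (by default `%SystemDrive%\inetpub\logs\LogFiles`) and pass each file's lines to `scan_iis_log`.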

🧭 What To Do If You Spot These IOCs

If any of the above IPs or user-agent strings appear in your logs:

  1. Assume your server may be compromised
  2. Search for malicious files like spinstall0.aspx
  3. Isolate the server from your network
  4. Run a full compromise assessment
  5. Contact Breakthru for immediate incident response support

📢 Breakthru’s Recommendations

If you manage your own SharePoint Server — or rely on a third party to host one — we strongly recommend:

  • Confirming your version and exposure status
  • Applying all available mitigations now
  • Considering migration to SharePoint Online — which is not affected by this vulnerability

💬 Final Thoughts

If you're not sure whether this affects you — or need help understanding your risk — now’s the time to check. You don’t need to be a cybersecurity expert to take basic steps that protect your systems.

This post is meant to help small teams stay ahead of a fast-moving threat. Even if you don’t use SharePoint, sharing this with someone who does could save them a major headache.

If you have questions or want a second opinion, feel free to reach out.
