Unknown attackers are actively targeting organizations that run SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. By exploiting a chain of two vulnerabilities, CVE-2025-53770 (CVSS score 9.8) and CVE-2025-53771 (CVSS score 6.3), attackers are able to execute malicious code on the server remotely. The seriousness of the situation is underlined by the fact that Microsoft released patches for the vulnerabilities late on Sunday evening. To protect your infrastructure, researchers recommend installing the updates as soon as possible.
The attack via CVE-2025-53770 and CVE-2025-53771
Exploitation of this pair of vulnerabilities allows unauthenticated attackers to take control of SharePoint servers, and therefore not only gain access to all the data stored on them, but also use the servers to spread their attack to the rest of the infrastructure.
Researchers at Eye Security state that even before the Microsoft bulletins were published, they had observed two waves of attacks using this vulnerability chain, resulting in dozens of servers being compromised. Attackers install web shells on vulnerable SharePoint servers and steal cryptographic keys that can later allow them to impersonate legitimate services or users. In this way they can regain access to compromised servers even after the vulnerability has been patched and the malware removed.
Relationship to the CVE-2025-49704 and CVE-2025-49706 vulnerabilities (ToolShell chain)
Researchers noticed that the exploitation of the CVE-2025-53770 and CVE-2025-53771 vulnerability chain is very similar to the ToolShell chain of two other vulnerabilities, CVE-2025-49704 and CVE-2025-49706, demonstrated in May as part of the Pwn2Own hacking contest in Berlin. Those two were fixed by previously released updates, but apparently not completely.
By all indications, the new pair of vulnerabilities is an updated ToolShell chain, or rather a bypass of the patches that fixed it. This is confirmed by Microsoft's remarks in the description of the new vulnerabilities: "Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706."
How to stay safe?
The first thing to do is install the patches, and before rolling out the emergency updates released yesterday, you should install the regular July updates KB5002741 and KB5002744. At the time of writing this post, there were no patches for SharePoint 2016, so if you are still using this version of the server, you will have to rely on compensating measures.
You should also make sure that robust protective solutions are installed on the servers and that the Antimalware Scan Interface (AMSI), which lets Microsoft applications and services interact with running security products, is enabled.
Researchers recommend rotating the ASP.NET machine keys on vulnerable SharePoint servers (you can read how to do this in Microsoft's recommendations), as well as any other cryptographic keys and credentials that may have been accessible from the vulnerable server.
If you have reason to suspect that your SharePoint servers have been attacked, it is strongly recommended that you check them for indicators of compromise, primarily the presence of the malicious spinstall0.aspx file.
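As an added example (not part of the original post, and not a Microsoft or Eye Security tool), the following PowerShell triage script sweeps a SharePoint server for the spinstall0.aspx indicator named above: it looks for the file on disk and for requests to it in the IIS logs, then emits a JSON record for the incident case file. The SharePoint hive path, the IIS web root and log root, and the 30-day lookback window are assumptions of the example, not values from the post; adjust them to your environment.

```powershell
# Added example: triage sweep for the spinstall0.aspx indicator on a SharePoint server.
# Assumptions (not from the post): default SharePoint hive under Common Files, default IIS
# web root and log root, and a 30-day lookback window. Run from an elevated PowerShell session.
param(
    [string[]] $SearchRoots = @(
        "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions",  # assumed SharePoint hive root
        "$env:SystemDrive\inetpub\wwwroot"                                   # assumed IIS web root
    ),
    [string] $IisLogRoot   = "$env:SystemDrive\inetpub\logs\LogFiles",      # assumed IIS log root
    [int]    $LookbackDays = 30,
    [string] $Indicator    = 'spinstall0.aspx'                               # file name taken from the post
)

$report = [ordered]@{
    Host       = $env:COMPUTERNAME
    CheckedAt  = (Get-Date).ToString('o')
    FilesFound = @()
    LogHits    = @()
}

# 1. File-system sweep: any copy of the indicator file anywhere under the search roots.
foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Filter $Indicator -ErrorAction SilentlyContinue |
        ForEach-Object {
            $report.FilesFound += [pscustomobject]@{
                Path         = $_.FullName
                SizeBytes    = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
                # The hash is recorded for the incident record; the post publishes no reference hash.
                Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 2. IIS log sweep: any request line that references the indicator file name within the window.
$since = (Get-Date).AddDays(-$LookbackDays)
if (Test-Path $IisLogRoot) {
    Get-ChildItem -Path $IisLogRoot -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $logFile = $_.FullName
            Select-String -Path $logFile -SimpleMatch -Pattern $Indicator |
                ForEach-Object {
                    $report.LogHits += [pscustomobject]@{
                        LogFile = $logFile
                        Line    = $_.LineNumber
                        Entry   = $_.Line
                    }
                }
        }
}

# 3. Verdict: the file or a request for it means the host must be treated as compromised.
#    The opposite is not true; a clean sweep for one indicator does not prove a clean host.
$report.Verdict = if ($report.FilesFound.Count -gt 0 -or $report.LogHits.Count -gt 0) {
    'INDICATOR PRESENT: treat the server as compromised and escalate to incident response'
} else {
    'Indicator not found: absence of this single IoC is not proof that the host is clean'
}
$report | ConvertTo-Json -Depth 4
```

Save the block as a .ps1 file and run it on each SharePoint server in the farm; the JSON output is meant to be attached to the incident record as-is. The verdict is deliberately one-sided because attackers who have already stolen the machine keys (as described above) no longer need the web shell to keep their access, so a negative result should not end the investigation.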
If your internal incident response team lacks the in-house resources to identify indicators of compromise or remediate the incident, we advise you to contact third-party experts.