Cybersecurity researchers have identified a widespread campaign targeting Microsoft SharePoint servers through two critical zero-day vulnerabilities. At least 85 servers globally have been compromised, with threat actors actively exploiting these security flaws since late last week, marking a significant escalation in attacks against enterprise collaboration platforms.
From Security Research to Active Threats: The ToolShell Evolution
The current attack campaign traces its origins to a May demonstration at the Pwn2Own Berlin competition, where researchers from Viettel Cyber Security showcased the ToolShell remote code execution (RCE) attack. This sophisticated exploit chained together two SharePoint vulnerabilities: CVE-2025-49706 and CVE-2025-49704, enabling arbitrary code execution on targeted servers.
Despite Microsoft’s July security patches addressing both vulnerabilities, cybercriminals successfully developed bypass techniques. These evolved attacks have been assigned new identifiers: CVE-2025-53770 with a critical CVSS score of 9.8 and CVE-2025-53771 scoring 6.3, representing dangerous circumventions of the original security fixes.
Technical Attack Analysis and Exploitation Chain
The attack methodology involves a sophisticated vulnerability chaining approach to achieve complete system compromise. Threat actors deploy a malicious file named spinstall0.aspx, which serves as both an indicator of compromise and a tool for extracting critical cryptographic materials from the targeted SharePoint environment.
The primary objective centers on stealing the SharePoint server’s MachineKey configuration, specifically the ValidationKey and DecryptionKey components. Once attackers obtain these cryptographic secrets, they leverage tools like ysoserial to forge malicious ViewState tokens, creating pathways for arbitrary code execution on the compromised server.
ViewState Manipulation Techniques
ViewState represents ASP.NET’s mechanism for maintaining web control states between HTTP requests. When the server’s ValidationKey becomes compromised, attackers gain the ability to forge ViewState content and inject malicious payloads that execute during server-side deserialization processes, providing persistent access to the targeted infrastructure.
Global Impact Assessment and Affected Organizations
Research conducted by Dutch cybersecurity firm Eye Security reveals concerning attack distribution patterns. Among 54 identified victim organizations, several critical infrastructure entities have been compromised, including:
• A private California university
• A commercial energy company
• A state healthcare organization
• A New York-based fintech company
• An artificial intelligence technology developer
Google Threat Intelligence Group corroborates the severity of these incidents, confirming that attackers are deploying web shells and exfiltrating cryptographic secrets, establishing persistent unauthorized access to compromised SharePoint environments across multiple industry sectors.
Immediate Protection Strategies and Security Recommendations
Microsoft has released emergency update KB5002768 for SharePoint Subscription Edition, though patches for 2019 and 2016 versions remain under development. Until comprehensive fixes become available, organizations should implement the following defensive measures:
Critical Actions: Deploy the latest available security patches, enable AMSI integration within SharePoint environments, and install Microsoft Defender across all SharePoint servers. These countermeasures significantly increase the difficulty of conducting unauthenticated attacks against vulnerable systems.
Advanced Mitigation: Replace SharePoint Server ASP.NET keys after applying security updates or enabling AMSI functionality. This key rotation prevents malicious command execution even if initial compromise attempts succeed, providing an additional security layer.
Compromise Detection Methods
System administrators can assess their environments for potential breaches by searching for the indicator file located at C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx. The presence of this specific file constitutes definitive evidence of successful exploitation and requires immediate incident response procedures.
This SharePoint vulnerability campaign underscores the critical importance of maintaining current security patches and implementing defense-in-depth strategies for enterprise collaboration platforms. Organizations operating on-premises SharePoint deployments must immediately execute recommended protective measures while establishing continuous monitoring protocols to detect potential compromise indicators. The sophistication of these bypass techniques demonstrates the evolving nature of enterprise-targeted threats and reinforces the necessity of proactive cybersecurity postures in protecting critical business infrastructure.
