Critical Microsoft SharePoint Flaw Exploitations in the Wild

PUBLISHED:
25 July 2025

Critical SharePoint Zero‑Day Exploit

A critical vulnerability (CVE‑2025‑53770) in on‑premises Microsoft SharePoint Server is being intensely exploited in the wild. The flaw stems from unsafe deserialization of untrusted data via the /layouts/15/ToolPane.aspx endpoint, enabling unauthenticated remote code execution (RCE).

The exploit workflow:

  • Authentication bypass using a spoofed Referer header tied to CVE‑2025‑53771 (path traversal/spoofing).
  • Payload upload of a malicious ASPX file that extracts ASP.Net MachineKey values.
  • These keys are then used to forge valid __VIEWSTATE payloads, allowing persistent, unauthenticated access.
  • Deployment of web shells and lateral movement for data theft and ransomware deployment.

Exploiting actors include APTs, Linen Typhoon, Violet Typhoon, and Storm‑2603, targeting government, education, healthcare, finance, energy, and telecom sectors across North America, Europe, Asia, and Africa

Affected Versions

  • SharePoint Server Subscription Edition (all builds before July 22, 2025 update)
  • SharePoint Server 2019 (v16.0.10364.20001- pre‑KB5002754/KB5002753)
  • SharePoint Server 2016 (v16.0.5139.1000 – pre‑KB5002760/KB5002759)
  • Legacy 2013 & 2010 : end-of-life, still vulnerable with no patches forthcoming, Must rely on isolation

Note: SharePoint Online (Microsoft 365) is not impacted

Mitigation

  • Apply emergency July 2025 patches immediately:
    • Subscription Edition: KB5002768
    • Server 2019: KB5002754 + KB5002753
    • Server 2016: KB5002760 + KB5002759
  • If using 2013/2010, isolate or migrate off unsupported versions.
  • Enable AMSI and ensure AMSI Full Mode on SharePoint servers

TechCERT strongly encourages the application of these updates immediately.

More Information

Critical Linux Kernel Vulnerability Allows Unprivileged Local Users to Gain Root Privileges (CVE-2026-31431)

READ MORE READ MORE

Critical Microsoft SharePoint Flaw Exploitations in the Wild

READ MORE READ MORE
15 January 2025 [NO.TCSA : 20250115-1-1-E]

Auth Bypass Vulnerability Exploited in Wild to Hijack Fortinet Firewalls

READ MORE READ MORE
Read More BACK TO THREAT BULLETIN