A critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, has been actively exploited since at least July 18th, with no patch available and at least 85 servers already compromised worldwide.

"Microsoft is aware of active attacks targeting on-premises SharePoint Server customers," warns Microsoft. Microsoft states that the flaw does not impact Microsoft 365 and that it is working on a security update, which will be released as soon as possible.

In May, Viettel Cyber Security researchers chained two Microsoft SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, in a "ToolShell" attack demonstrated at Pwn2Own Berlin to achieve remote code execution. While Microsoft patched both ToolShell flaws as part of the July Patch Tuesday, it is now warning that a variant of CVE-2025-49706, tracked as CVE-2025-53770, is being actively exploited in the wild.

The attacks were first identified by Dutch cybersecurity firm Eye Security, which told BleepingComputer that over 75 companies have already been compromised. Eye Security first observed the attacks on July 18th after receiving an alert from one of its customers' EDR agents that a suspicious process tied to an uploaded malicious .aspx file had been launched.

Eye Security CTO Piet Kerkhofs told BleepingComputer that they scanned the internet for compromised servers and found over 75 organizations impacted in the attacks. "Although we identified 85+ compromised SharePoint Servers worldwide, we were able to cluster them down to the organizations affected," Kerkhofs told BleepingComputer.

As part of the exploitation, attackers upload a file named "spinstall0.aspx," which is used to steal the Microsoft SharePoint server's MachineKey configuration, including the ValidationKey and DecryptionKey. To detect whether a SharePoint server has been compromised, admins can check whether the file C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx exists.

To mitigate the flaw, Microsoft recommends that customers enable AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers. Microsoft AMSI (Antimalware Scan Interface) is a security feature that allows applications and services to pass potentially malicious content to an installed antivirus solution for real-time scanning. The company notes that this feature has been enabled by default since the September 2023 security updates for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. If you cannot enable AMSI, Microsoft says that SharePoint servers should be disconnected from the internet until a security update is released.
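The file-existence check described above, turned into a script an administrator can run on each SharePoint server. This is an added example, not code from BleepingComputer, Eye Security or Microsoft. It assumes that the 8.3 short path quoted in the article is the same location as the long "Program Files\Common Files\Microsoft Shared\Web Server Extensions" path checked second; the function name and the output fields are placeholders chosen here.

```powershell
# Added example: defender-side check for the spinstall0.aspx indicator named in
# the article. Not code from BleepingComputer, Eye Security or Microsoft.
# Assumption: the short (8.3) path from the article and the long Program Files
# path below refer to the same file. Function name and fields are placeholders.

function Test-SpinstallIndicator {
    [CmdletBinding()]
    param(
        # Candidate locations. The first is the short (8.3) form quoted in the
        # article; the long form is checked as well because 8.3 name generation
        # can be disabled on a volume, in which case the short path does not
        # resolve even though the file is present.
        [string[]]$Paths = @(
            'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx',
            'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx'
        )
    )

    $findings = @()
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $item = Get-Item -LiteralPath $path
        # Record what an incident responder needs before the file is touched:
        # timestamps bound when the upload happened, the owner shows which
        # account wrote it, and the hash lets you match the sample across servers.
        $findings += [PSCustomObject]@{
            ComputerName = $env:COMPUTERNAME
            Path         = $item.FullName
            SizeBytes    = $item.Length
            CreatedUtc   = $item.CreationTimeUtc
            LastWriteUtc = $item.LastWriteTimeUtc
            Owner        = (Get-Acl -LiteralPath $path).Owner
            Sha256       = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }

    # Short and long paths point at the same file, so keep one record per hash.
    $findings = @($findings | Sort-Object -Property Sha256 -Unique)

    if ($findings.Count -eq 0) {
        Write-Verbose "spinstall0.aspx not found on $env:COMPUTERNAME"
    } else {
        # The article states this file is used to steal the MachineKey
        # (ValidationKey and DecryptionKey), so a hit means those keys have to be
        # treated as exposed, not merely that a file needs deleting.
        Write-Warning "spinstall0.aspx found on $env:COMPUTERNAME; treat the server as compromised and its MachineKey as exposed."
    }
    return $findings
}

# Usage on the local server; pipe to Export-Csv to preserve the evidence.
Test-SpinstallIndicator -Verbose | Format-List
```

To cover a whole farm from one console, pass the function body to every server with `Invoke-Command -ComputerName $servers -ScriptBlock ${function:Test-SpinstallIndicator}`. The article gives this file as the one indicator to look for, so a clean result on the path check rules out this specific artifact but is not by itself proof that a server was never touched; the EDR alert on a suspicious process spawned from an uploaded .aspx file, as Eye Security saw it, is the other signal the article describes.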
Source: www.bleepingcomputer.com. Publication date: Sun, 20 Jul 2025 15:40:16 +0000