Microsoft SharePoint servers around the world have come under active exploitation as part of a large-scale cyberattack campaign that surfaced over the weekend. On July 19, researchers from Eye Security published findings highlighting what they described as “active, large-scale exploitation” targeting two newly disclosed vulnerabilities, now tracked as CVE-2025-53770 and CVE-2025-53771. Collectively dubbed ToolShell, the exploit chain has raised alarm among security professionals and enterprise IT teams globally.
The more critical of the two, CVE-2025-53770, is the flaw attackers used to read the server's ASP.NET MachineKey configuration, including the validationKey and decryptionKey. The validationKey is what ASP.NET uses to sign ViewState, so an attacker holding it can forge signed requests that the server will accept and deserialize, yielding unauthenticated remote code execution. Because the keys are secrets rather than code, stolen copies remain usable against a patched server until the keys themselves are rotated.
In response, Microsoft issued out-of-band security updates on July 20 for SharePoint Server Subscription Edition and SharePoint Server 2019, addressing both CVE-2025-53770 and CVE-2025-53771. These updates are not part of the regular July 2025 Patch Tuesday release, which shipped on July 8; they were issued out of cycle because of the in-the-wild exploitation. A fix for SharePoint Server 2016 was still pending at the time of writing.
According to Satnam Narang, Senior Staff Research Engineer at Tenable, the fallout from the zero-day exploit could be significant: “The active exploitation of the SharePoint zero-day vulnerability over the weekend will have far-reaching consequences for those organisations that were affected. Attackers were able to exploit the flaw, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Servers, which include both a validationKey and a decryptionKey. These details can be used by attackers to create specially crafted requests that could be used to gain unauthenticated remote code execution. Organisations that may have been impacted could identify potential exploitation by searching for indicators of compromise, including a file created on the vulnerable servers called spinstall0.aspx, though it may include some other file extension. The attack surface for this vulnerability is large, at over 9,000 externally accessible SharePoint servers, and it is used by a variety of organisations. Patches have started to roll out late on July 20, including fixes for SharePoint Server 2019 and SharePoint Subscription Edition. A patch for SharePoint Server 2016 is not yet available but is expected to be released soon. We strongly advise organisations to begin conducting incident response investigations to identify potential compromise, otherwise, apply the available patches and review the mitigation instructions provided by Microsoft.”
The incident highlights the persistent attractiveness of widely deployed enterprise collaboration platforms as attack vectors and underscores the urgency of timely patching and proactive threat monitoring. Security teams are advised to hunt for known indicators of compromise, in particular the presence of spinstall0.aspx or a file with the same base name and a different extension, and to follow Microsoft's mitigation guidance while awaiting the remaining fixes. Because the attack exfiltrates the MachineKey, applying the patch alone does not invalidate keys already stolen: rotating the ASP.NET machine keys after patching, as Microsoft's guidance calls for, is part of remediation, and absence of the dropped file does not by itself prove a server was not exploited.
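The indicator named above (a file called spinstall0.aspx, possibly with another extension) is something a SharePoint administrator can hunt for directly on each server. The PowerShell below is an added example, not code from the original article or from Tenable or Microsoft; the search roots are assumptions based on the default SharePoint hive and IIS layout, and the output path is a placeholder.

```powershell
# Added example: hunt a SharePoint server for the spinstall0.* IOC from the ToolShell campaign.
# Search roots are assumptions based on default SharePoint/IIS install paths; adjust for
# non-default installs. Run as an administrator on each SharePoint front end.
$SearchRoots = @(
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS',
    'C:\inetpub\wwwroot\wss\VirtualDirectories'
)

$Hits = foreach ($Root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $Root)) { continue }
    # Match on the base name only: the dropped shell may carry an extension other than .aspx.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'spinstall0.*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Created  = $_.CreationTimeUtc
                Modified = $_.LastWriteTimeUtc
                Bytes    = $_.Length
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($Hits) {
    Write-Warning "Possible ToolShell IOC on $env:COMPUTERNAME; treat the host as compromised and start incident response."
    $Hits | Format-Table -AutoSize
    # Preserve the evidence (path, timestamps, hash) before anyone cleans the file up.
    $Hits | Export-Csv -LiteralPath "$env:TEMP\toolshell-ioc-$env:COMPUTERNAME.csv" -NoTypeInformation
} else {
    "No spinstall0.* files under the searched roots on $env:COMPUTERNAME."
}
```

The hash and UTC creation time are recorded so the finding can be correlated with web server logs and with other hosts in the farm. A clean result only means the file is not present now; an attacker who already exfiltrated the MachineKey may have removed it, so a negative hunt does not replace patching and key rotation.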