Microsoft SharePoint Zero-Day EXPLAINED — How Hackers Got In Without a Password

Two previously unknown zero-day vulnerabilities in Microsoft SharePoint Server (on-premises) are being actively exploited in the wild as part of a highly coordinated espionage campaign. Microsoft has linked these attacks to China-based APT actors, and at least 75 organizations worldwide have confirmed breaches.

The flaws, identified as CVE-2025-53770 and CVE-2025-53771, enable unauthenticated remote code execution (RCE), giving attackers full control over SharePoint servers and the broader internal infrastructure.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, mandating immediate patching and threat hunting across all federal environments.

Technical Analysis of the Exploit Chain

Vulnerability Mechanics

Both CVEs stem from improper validation and unsafe parsing of SharePoint metadata in HTTP requests:

  • CVE-2025-53770: Exploits malformed HTTP POST requests that cause SharePoint to deserialize attacker-supplied objects.
  • CVE-2025-53771: Bypasses permission checks and triggers backend service escalation via privilege misconfiguration.

The exploit allows attackers to:

  • Execute code in the context of SharePoint’s service account
  • Drop web shells
  • Exfiltrate NTLM tokens, cookies, and data
  • Escalate privileges via token impersonation or credential dumping

Exploit Flow (Anatomy of the Breach)

  1. Initial Contact
    Attacker targets an exposed SharePoint site and sends a malicious POST payload to a vulnerable endpoint (e.g., _layouts/15/).
  2. Payload Delivery
    The request includes embedded encoded objects that trigger unsafe deserialization, executing arbitrary commands with system-level privileges.
  3. Establish Persistence
    A web shell (China Chopper or custom dropper) is deployed under the SharePoint application directory.
  4. Internal Reconnaissance
    The attacker moves laterally using WMI, PsExec, or native PowerShell. Active Directory domain enumeration and key extraction follow.
  5. Exfiltration & Clean-up
    Sensitive files and credentials are extracted, and logs are often cleared using obfuscated batch scripts or via wevtutil.

Attribution and Threat Actor Behavior

Microsoft Threat Intelligence attributes the attack to three Chinese nation-state groups:

APT Group     Activity Summary
Storm-0866    Custom malware toolkits and advanced persistence via SharePoint
Storm-1200    Uses Cobalt Strike and Mimikatz post-exploitation
Storm-1359    Targets legal and financial firms through legitimate service providers

Tactics observed include:

  • Use of living-off-the-land binaries (LOLBins): certutil, msbuild, powershell
  • Abuse of service tokens and SharePoint trusts
  • Deployment of memory-resident implants to evade EDRs

Global Impact

Victim organizations include:

  • Government ministries in the U.S., Europe, and Asia
  • Cloud infrastructure and DevOps service providers
  • National law firms and financial sector players

Confirmed breaches show:

  • Stolen documents, passwords, and session cookies
  • Token impersonation leading to broader domain compromise
  • Use of cloud connectors to pivot into hybrid Azure-AD environments

Indicators of Compromise (IOCs)

Artifacts:

  • Files in:
    C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS
  • Unexpected .aspx or .cs pages
  • Registry modifications under SharePoint runtime keys

Behavioral Indicators:

  • w3wp.exe spawning powershell.exe or cmd.exe
  • msbuild.exe making outbound connections
  • HTTP traffic to domains ending in .cn or .tk, or to IPs in unusual ASNs

Defensive Recommendations

Immediate Mitigations:

  • Deploy Microsoft’s July 2025 patch for SharePoint without delay
  • Review HTTP logs for POSTs to _layouts/15/
  • Audit admin activity logs for suspicious object creation or privilege escalations
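One way to carry out the log review above (POSTs to _layouts/15/, followed by access to unexpected .aspx pages, as listed under the IOCs) is to triage the IIS W3C logs directly. The following is an added example written for this article, not code from Microsoft or from the original post; the internal address ranges, the baseline of known /_layouts/15/ pages, and the log lines are all constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumption (constructed): the organisation's own internal client ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Assumption (constructed): .aspx pages found by a baseline scan of a clean /_layouts/15/.
KNOWN_LAYOUTS_PAGES = {"start.aspx", "upload.aspx", "settings.aspx"}

# Constructed sample log; the default W3C fields are trimmed to the ones used here.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-19 02:14:05 GET /_layouts/15/start.aspx - 10.1.2.3 Mozilla/5.0 200
2025-07-19 02:15:11 POST /_layouts/15/settings.aspx Mode=Edit 203.0.113.7 Mozilla/5.0 200
2025-07-19 02:15:12 GET /_layouts/15/zz_tmp.aspx - 203.0.113.7 python-requests/2.31 200
2025-07-19 02:16:00 POST /_layouts/15/upload.aspx - 192.168.5.20 Mozilla/5.0 200
"""

def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Map each W3C log line to a dict keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip malformed or truncated lines
                rows.append(dict(zip(fields, values)))
    return rows

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def triage(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (time, client ip, reason) for each suspicious /_layouts/15/ request."""
    hits: List[Tuple[str, str, str]] = []
    posted_from = set()  # external addresses already seen POSTing to /_layouts/15/
    for r in rows:  # rows are assumed chronological, as IIS writes them
        stem = r["cs-uri-stem"].lower()
        if not stem.startswith("/_layouts/15/"):
            continue
        page = stem.rsplit("/", 1)[-1]
        if r["cs-method"] == "POST" and not is_internal(r["c-ip"]):
            posted_from.add(r["c-ip"])
            hits.append((r["time"], r["c-ip"], "external POST to /_layouts/15/"))
        elif r["c-ip"] in posted_from and page.endswith(".aspx") and page not in KNOWN_LAYOUTS_PAGES:
            hits.append((r["time"], r["c-ip"], f"follow-on request to unknown page {page}"))
    return hits
```

Running `triage(parse_iis_log(SAMPLE_LOG))` on the sample returns two hits, both from 203.0.113.7: the external POST and the follow-on request to a page that is not in the baseline; the internal POST to a known page is not flagged.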

Hardening Actions:

  • Restrict SharePoint admin interfaces to internal IP ranges
  • Enforce MFA and conditional access for SharePoint access
  • Use file integrity monitoring (FIM) on all .aspx, .dll, and config files
  • Deploy YARA or Sigma rules to detect web shell behavior in memory
