SharePoint 0-Day RCE Flaw Actively Exploited for Full Server Takeover

A devastating new SharePoint vulnerability is being actively exploited in large-scale attacks worldwide, enabling attackers to gain complete control of on-premise servers without authentication.

Security researchers at Eye Security discovered the ongoing campaign on July 18, 2025, revealing a sophisticated exploit chain dubbed “ToolShell” that leverages previously demonstrated Pwn2Own vulnerabilities to achieve remote code execution.

Widespread Exploitation Campaign

The vulnerability, officially designated CVE-2025-53770 by Microsoft, represents a variant of two security flaws (CVE-2025-49706 and CVE-2025-49704) that were initially demonstrated at Pwn2Own Berlin in May 2025.

Eye Security’s analysis of over 8,000 SharePoint servers worldwide revealed dozens of compromised systems, with attack waves occurring around 18:00 UTC on July 18 and 07:30 UTC on July 19.

The exploitation timeline suggests attackers weaponized proof-of-concept code shortly after Code White GmbH’s security demonstration, transforming academic research into a real-world threat within days.

The attacks specifically target the /_layouts/15/ToolPane.aspx endpoint, exploiting an authentication bypass that allows unauthenticated file uploads and code execution.

Unlike typical web shell attacks, the ToolShell exploit demonstrates remarkable technical sophistication.

Attackers deploy a malicious ASPX file called spinstall0.aspx that extracts cryptographic secrets from SharePoint servers, specifically the ValidationKey used for signing ViewState payloads.

This key material enables attackers to craft legitimate, signed requests that bypass security controls entirely.

The exploit chain mirrors techniques from the 2021 CVE-2021-28474 vulnerability, utilizing SharePoint’s ViewState deserialization mechanisms to achieve code execution.

Once cryptographic keys are extracted, attackers can use tools like ysoserial to generate malicious ViewState payloads, effectively turning any SharePoint request into a remote code execution opportunity.

Eye Security’s investigation revealed suspicious IIS logs showing POST requests to ToolPane.aspx with an unusual referer header pointing to /_layouts/SignOut.aspx, indicating the exploit works even after user logout.

Security researcher @irsdl’s July 17 findings suggest this specific referer may have transformed the original CVE-2025-49706 into the more dangerous CVE-2025-53770 variant.

Microsoft has confirmed active exploitation but has not yet released a security patch. The company’s Security Response Center acknowledged the severity while providing only interim detection guidance.

Eye Security researchers emphasize that organizations should not wait for vendor fixes, as the threat is operational and spreading rapidly.

Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now