Recent reports from July 19 indicate widespread, active exploitation of Microsoft SharePoint Servers through a critical zero-day vulnerability. Researchers at Eye Security initially linked this “active, large-scale exploitation” to a pair of vulnerabilities dubbed “ToolShell”; successful exploitation of CVE-2025-53770 exposes MachineKey configuration details, which in turn enables unauthenticated remote code execution.
Satnam Narang, Sr. Staff Research Engineer at Tenable, commented on the severity of the situation. He highlighted that attackers leverage CVE-2025-53770 to steal validationKey and decryptionKey from vulnerable SharePoint Servers. These keys enable attackers to craft malicious requests for unauthenticated remote code execution.
Organizations should look for indicators of compromise, such as the creation of a file named spinstall0.aspx on affected servers, though other file extensions may also be used. With over 9,000 externally accessible SharePoint servers vulnerable, the attack surface is significant and many organizations are affected.
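The file indicator described above can be checked mechanically. The following Python scanner is an added example, not code from the article, Tenable or Eye Security. It assumes the indicator is identified by the base name spinstall0 with any extension (since the article notes the extension may vary), and the directory paths in its sample listing, including the LAYOUTS location, are constructed for illustration.

```python
"""Scan file paths for the ToolShell file indicator described in the article.

Added example: this is not code from the article, Tenable or Eye Security.
It flags any file whose base name is ``spinstall0`` regardless of extension,
because the article notes the .aspx extension may vary. The paths in
SAMPLE_PATHS (including the LAYOUTS directory) are constructed for
illustration, not taken from a real incident.
"""
import os
from pathlib import PureWindowsPath
from typing import Iterable, Iterator, List

# Base name reported as an indicator; the extension is deliberately ignored.
INDICATOR_STEM = "spinstall0"


def is_toolshell_indicator(path: str) -> bool:
    """Return True if the file name, minus everything after the first dot,
    equals the reported indicator stem (case-insensitive)."""
    name = PureWindowsPath(path).name  # accepts both '\\' and '/' separators
    stem = name.split(".", 1)[0]
    return stem.lower() == INDICATOR_STEM


def find_indicators(paths: Iterable[str]) -> List[str]:
    """Return every path whose file name matches the indicator."""
    return [p for p in paths if is_toolshell_indicator(p)]


def walk_files(root: str) -> Iterator[str]:
    """Yield every file path below ``root`` (for a live scan of a server's web root)."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


# Constructed sample listing; the LAYOUTS location is an assumption, not from the article.
SAMPLE_PATHS = [
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\default.aspx",
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx",
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\SPINSTALL0.ashx",
    r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\spinstall.aspx",    # similar name, not a match
    r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\spinstall01.aspx",  # similar name, not a match
]


def main() -> None:
    """Run the scanner over the constructed sample listing and report hits."""
    hits = find_indicators(SAMPLE_PATHS)
    if hits:
        print("Indicator files found (treat as a possible compromise):")
        for h in hits:
            print("  ", h)
    else:
        print("No indicator files found.")


if __name__ == "__main__":
    main()
```

For a live check, feed `walk_files()` over the SharePoint web root into `find_indicators()` instead of `SAMPLE_PATHS`. An empty result does not by itself clear a server: the article notes other extensions may be used, and any validationKey and decryptionKey already stolen remain usable for forging requests until they are rotated, so the incident response investigation the article recommends should proceed regardless.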
Microsoft has begun rolling out patches. Fixes for SharePoint Server 2019 and SharePoint Subscription Edition were released on July 20, with a patch for SharePoint Server 2016 expected soon. Narang strongly advises organizations to initiate incident response investigations to detect potential compromises. If no compromise is found, applying the available patches and reviewing Microsoft’s mitigation instructions are crucial next steps.