The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research.
The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe.
Check Point also said the exploitation efforts originated from three different IP addresses – 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147 – one of which was previously tied to the weaponization of security flaws in Ivanti Endpoint Manager Mobile (EPMM) appliances (CVE-2025-4427 and CVE-2025-4428).
“We’re witnessing an urgent and active threat: a critical zero-day in SharePoint on-prem is being exploited in the wild, putting thousands of global organizations at risk,” Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, told The Hacker News.
“Our team has confirmed dozens of compromise attempts across government, telecom, and tech sectors since July 7. We strongly urge enterprises to update their security systems immediately – this campaign is both sophisticated and fast-moving.”
The attack chains have been observed leveraging CVE-2025-53770, a newly patched remote code execution flaw in SharePoint Server, and chaining it with CVE-2025-49706, a spoofing vulnerability that was patched by Microsoft as part of its July 2025 Patch Tuesday update, to gain initial access and escalate privileges.
It’s worth mentioning at this stage that there are two sets of vulnerabilities in SharePoint that have come to light this month –
- CVE-2025-49704 (CVSS score: 8.8) – Microsoft SharePoint Remote Code Execution Vulnerability (Fixed on July 8, 2025)
- CVE-2025-49706 (CVSS score: 7.1) – Microsoft SharePoint Server Spoofing Vulnerability (Fixed on July 8, 2025)
- CVE-2025-53770 (CVSS score: 9.8) – Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVE-2025-53771 (CVSS score: 7.1) – Microsoft SharePoint Server Spoofing Vulnerability
CVE-2025-49704 and CVE-2025-49706, collectively referred to as ToolShell, is an exploitation chain that can lead to remote code execution on SharePoint Server instances. They were originally disclosed by Viettel Cyber Security during the Pwn2Own 2025 hacking competition earlier this May.
CVE-2025-53770 and CVE-2025-53771, which came to light over the weekend, have been described as variants of CVE-2025-49704 and CVE-2025-49706, respectively, indicating that they are bypasses for the original fixes put in place by Microsoft earlier this month.
This is evidenced by the fact that Microsoft acknowledged active attacks exploiting “vulnerabilities partially addressed by the July Security Update.” The company also noted in its advisories that the updates for CVE-2025-53770 and CVE-2025-53771 include “more robust protections” than the updates for CVE-2025-49704 and CVE-2025-49706. However, it bears noting that CVE-2025-53771 has not been flagged by Redmond as actively exploited in the wild.
“CVE-2025-53770 exploits a weakness in how Microsoft SharePoint Server handles the deserialization of untrusted data,” Martin Zugec, technical solutions director at Bitdefender, said. “Attackers are leveraging this flaw to gain unauthenticated remote code execution.”
This, in turn, is achieved by deploying malicious ASP.NET web shells that programmatically extract sensitive cryptographic keys. These stolen keys are subsequently leveraged to craft and sign malicious __VIEWSTATE payloads, thereby establishing persistent access and enabling the execution of arbitrary commands on SharePoint Server.
According to Bitdefender telemetry, in-the-wild exploitation has been detected in the United States, Canada, Austria, Jordan, Mexico, Germany, South Africa, Switzerland, and the Netherlands, suggesting widespread abuse of the flaw.
Palo Alto Networks Unit 42, in its own analysis of the campaign, said it observed commands being run to execute a Base64-encoded PowerShell command, which creates a file at the location “C:PROGRA~1COMMON~1MICROS~1WEBSER~116TEMPLATELAYOUTSspinstall0.aspx” and then parses its content.
“The spinstall0.aspx file is a web shell that can execute various functions to retrieve ValidationKeys, DecryptionKeys, and the CompatabilityMode of the server, which are needed to forge ViewState Encryption keys,” Unit 42 said in a threat brief.
| Content of spinstall0.aspx |
In an advisory issued Monday, SentinelOne said it first detected exploitation on July 17, with the cybersecurity company identifying three “distinct attack clusters,” including state-aligned threat actors, engaging in reconnaissance and early-stage exploitation activities.
Targets of the campaigns include technology consulting, manufacturing, critical infrastructure, and professional services tied to sensitive architecture and engineering organizations.
“The early targets suggest that the activity was initially carefully selective, aimed at organizations with strategic value or elevated access,” researchers Simon Kenin, Jim Walter, and Tom Hegel said.
Analysis of the attack activity has revealed the use of a password-protected ASPX web shell (“xxx.aspx”) on July 18, 2025, at 9:58 a.m. GMT. The web shell supports three functions: Authentication via an embedded form, command execution via cmd.exe, and file upload.
Subsequent exploitation efforts have been found to employ the “spinstall0.aspx” web shell to extract and expose sensitive cryptographic material from the host.
Spinstall0.aspx is “not a traditional command webshell but rather a reconnaissance and persistence utility,” the researchers explained. “This code extracts and prints the host’s MachineKey values, including the ValidationKey, DecryptionKey, and cryptographic mode settings — information critical for attackers seeking to maintain persistent access across load-balanced SharePoint environments or to forge authentication tokens.”
Unlike other web shells that are typically dropped on internet-exposed servers to facilitate remote access, spinstall0.aspx appears to be designed with the sole intention of gathering cryptographic secrets that could then be used to forge authentication or session tokens across SharePoint instances.
These attacks, per CrowdStrike, commence with a specially crafted HTTP POST request to an accessible SharePoint server that attempts to write spinstall0.aspx via PowerShell, per CrowdStrike. The company said it blocked hundreds of exploitation attempts across more than 160 customer environments.
SentinelOne also discovered a cluster dubbed “no shell” that took a “more advanced and stealthy approach” to other threat actors by opting for in-memory .NET module execution without dropping any payloads on disk. The activity originated from the IP address 96.9.125[.]147.
“This approach significantly complicates detection and forensic recovery, underscoring the threat posed by fileless post-exploitation techniques,” the company said, positing that it’s either a “skilled red team emulation exercise or the work of a capable threat actor with a focus on evasive access and credential harvesting.”
It’s currently not known who is behind the attack activity, although Google-owned Mandiant has attributed the early-exploitation to a China-aligned hacking group.
Data from Censys shows that there are 9,762 on-premises SharePoint servers online, although it’s currently not known if all of them are susceptible to the flaws. Given that SharePoint servers are a lucrative target for threat actors due to the nature of sensitive organizational data stored in them, it’s essential that users move quickly to apply the fixes, rotate the keys, and restart the instances.
“We assess that at least one of the actors responsible for the early exploitation is a China-nexus threat actor,” Charles Carmakal, CTO, Mandiant Consulting at Google Cloud, said in a post on LinkedIn. “We’re aware of victims in several sectors and global geographies. The activity primarily involved the theft of machine key material which could be used to access victim environments after the patch has been applied.”
