
A critical zero-day vulnerability, designated as CVE-2025-53770, has been identified in Microsoft SharePoint Server, posing significant risks to organizations worldwide. This flaw allows unauthenticated attackers to execute arbitrary code remotely, potentially leading to full system compromise. The vulnerability affects on-premises versions of SharePoint Server 2016, 2019, and the Subscription Edition, while SharePoint Online in Microsoft 365 remains unaffected.
The exploit, known as "ToolShell," leverages the deserialization of untrusted data within SharePoint, enabling attackers to deploy malicious payloads. Notably, the attack involves the creation of a file named spinstall0.aspx, which extracts cryptographic machine keys from the server. With these keys, attackers can forge valid ViewState tokens, maintaining persistent access even after patches are applied. Microsoft has acknowledged active exploitation of this vulnerability and is working on a security update. In the interim, organizations are advised to:
- Enable Antimalware Scan Interface (AMSI) integration in SharePoint.
- Deploy Microsoft Defender Antivirus on all SharePoint servers.
- If AMSI cannot be enabled, disconnect the server from the internet until a security update is available.
- Deploy Defender for Endpoint to detect and block post-exploit activity.
Given the widespread use of SharePoint for document management and collaboration, the potential impact of this vulnerability is substantial. Organizations are urged to apply the recommended mitigations promptly and to stay vigilant for further updates from Microsoft.
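As an added illustration of how a defender can hunt for the file the article names (this is example code, not code from the article or from Microsoft), the following Python parses IIS W3C log lines, constructed here as sample input, and reports every request for spinstall0.aspx with its source address, status code, and whether the request carried an authenticated user:

```python
"""Detection helper for the spinstall0.aspx indicator named in the article.
Added example, not code from the article or Microsoft; log lines are constructed."""

INDICATOR = "spinstall0.aspx"

# Constructed IIS W3C extended log excerpt. Field order is taken from the
# "#Fields:" directive, as IIS writes it; "-" marks an empty value.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 03:14:07 10.0.0.5 GET /sites/hr/Shared%20Documents/policy.docx - 443 CONTOSO\\alice 10.0.0.23 Mozilla/5.0 200
2025-07-19 03:15:42 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-07-19 03:16:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\bob 10.0.0.31 Mozilla/5.0 200
2025-07-19 03:17:55 10.0.0.5 GET /_layouts/16/SPINSTALL0.ASPX - 443 - 203.0.113.9 curl/8.0 404
"""


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in #Fields:."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # field list can change mid-file
        elif not line or line.startswith("#") or fields is None:
            continue                        # other directives / no header yet
        else:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def find_indicator_hits(log_text, indicator=INDICATOR):
    """Return every request whose URI stem names the indicator file."""
    hits = []
    for rec in parse_w3c(log_text.splitlines()):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.rsplit("/", 1)[-1] == indicator.lower():
            hits.append({
                "time": f"{rec.get('date', '-')} {rec.get('time', '-')}",
                "client": rec.get("c-ip", "-"),
                "status": rec.get("sc-status", "-"),
                # Anonymous requests are logged with cs-username "-";
                # a hit with no user matches the unauthenticated access the article describes.
                "authenticated": rec.get("cs-username", "-") != "-",
            })
    return hits


if __name__ == "__main__":
    for h in find_indicator_hits(SAMPLE_LOG):
        print(h)  # a 404 still shows that someone requested the file
```

Point the function at real IIS log files under the SharePoint web application's log directory; any hit, including a 404, is worth a look because the file should not exist on a healthy server.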
Source: The Business Times, "Microsoft server hack likely single actor, thousands of firms now vulnerable, researchers say"