A critical zero-day vulnerability, identified as CVE-2025-53770, has been actively exploited in Microsoft's on-premises SharePoint Server, compromising approximately 100 organizations globally. This flaw allows unauthenticated attackers to execute remote code, granting them full control over affected systems. Notably, SharePoint Online within Microsoft 365 remains unaffected.
The attack was first detected on July 18, 2025, by Eye Security, a Dutch cybersecurity firm. Their investigation revealed that attackers deployed a malicious file named "spinstall0.aspx" to extract cryptographic machine keys from the SharePoint server. With these keys, attackers can forge valid __VIEWSTATE payloads, maintaining persistent access even after patches are applied. The compromised entities span various sectors, including government agencies, financial institutions, healthcare providers, and industrial firms. (reuters.com)
Microsoft has released security updates to address this vulnerability and strongly advises all on-premises SharePoint Server users to apply these patches immediately. Additionally, enabling the Antimalware Scan Interface (AMSI) and deploying Microsoft Defender Antivirus on all SharePoint servers are recommended measures. Organizations should also rotate their ASP.NET machine keys post-patching to invalidate any stolen cryptographic material. (msrc.microsoft.com)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance emphasizing the severity of this vulnerability. They recommend that organizations monitor for specific indicators of compromise, such as POST requests to "/_layouts/15/ToolPane.aspx?DisplayMode=Edit" and scanning for known malicious IP addresses. Implementing comprehensive logging and updating intrusion prevention systems are also advised to detect and prevent exploitation attempts. (cisa.gov)
Given the rapid exploitation of this vulnerability, organizations are urged to adopt a proactive security posture. This includes not only applying patches but also conducting thorough security assessments to identify potential breaches and implementing robust monitoring systems to detect future threats.
In summary, the CVE-2025-53770 vulnerability underscores the critical importance of timely patch management and comprehensive security practices. Organizations utilizing on-premises SharePoint Server must act swiftly to mitigate this threat and safeguard their systems against potential exploitation.
Source: The Mighty 790 KFGO Microsoft server hack likely single actor, thousands of firms now vulnerable, researchers say
