A critical zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, is being actively exploited in the wild by a diverse array of hacker groups, including state-sponsored actors and financially motivated cybercriminals. The unpatched flaw, allowing for unauthenticated remote code execution, has already compromised hundreds of on-premises SharePoint servers across various sectors globally, sparking urgent warnings from cybersecurity agencies and a scramble by Microsoft to release a comprehensive fix.
Initially detected by security researchers as early as July 7, 2025, the exploitation intensified around July 18-19, impacting organizations ranging from government agencies and energy companies to financial institutions and universities. The vulnerability, which carries a critical CVSS score of 9.8, is a variant of a previously patched flaw (CVE-2025-49706) and leverages a deserialization weakness in SharePoint to allow attackers to execute arbitrary code over the network without requiring any authentication.
Reports indicate that the attack chain, dubbed “ToolShell,” not only grants initial access but also enables attackers to steal critical cryptographic keys, specifically the ValidationKey and DecryptionKey. Possession of these keys allows threat actors to forge authentication tokens and __VIEWSTATE payloads, granting them persistent access that can survive reboots or the removal of web shells, significantly complicating remediation efforts.
Among the identified threat actors, Microsoft has specifically named the China-aligned group Storm-2603, which has been observed deploying the potent Warlock ransomware in compromised environments. Other Chinese state-sponsored groups, Linen Typhoon and Violet Typhoon, are also believed to be leveraging the vulnerability for data exfiltration and establishing persistent footholds.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, urging federal agencies to remediate immediately. Microsoft has released emergency security updates for SharePoint Server 2019 and Subscription Edition, with a patch for SharePoint Server 2016 still under development.
Organizations with on-premises SharePoint servers are advised to assume compromise if they have been exposed and to take immediate action, including applying the latest security updates, enabling Antimalware Scan Interface (AMSI) integration, rotating all server security keys, and restarting IIS services. SharePoint Online (Microsoft 365) users are not affected by this vulnerability. This ongoing incident underscores the persistent threat posed by zero-day exploits and the critical need for robust patch management and proactive threat hunting by organizations worldwide.
