Microsoft has issued an urgent alert to businesses and government agencies following the discovery of an active zero-day exploit impacting on-premises SharePoint Server deployments.
The vulnerability, designated CVE‑2025‑53770, is a variant of an earlier flaw and is currently being weaponized in what Microsoft and security researchers are calling the ToolShell campaign, allowing unauthenticated attackers to execute arbitrary code remotely on SharePoint servers.
SharePoint Online users are not affected.
The vulnerability enables attackers to bypass authentication and install a stealth backdoor, notably via deployment of a malicious spinstall0.aspx file.
This file extracts encryption keys including ValidationKey and DecryptionKey from victim servers granting persistent, unauthorized access and potentially allowing impersonation of legitimate users in authenticated sessions.
Major threat-hunting teams report dozens of servers compromised within hours of initial detection, across Europe and North America.
A patch is not yet available, but Microsoft and multiple cybersecurity agencies including CISA in the U.S. and Canada’s Cyber Centre recommend immediate mitigations.
Organizations are urged to enable Antimalware Scan Interface (AMSI) integration within SharePoint Server and deploy Defender Antivirus on all affected systems.
Where AMSI setup is not feasible, vulnerable servers should be disconnected from the internet until a patch is released.
Deploying MicrosoftDefender for Endpoint is strongly encouraged to detect and block post-exploitation behavior.
CISA’s advisory underscores that ToolShell attackers have been targeting specific IP addresses between July 18 and 19 and recommends heightened network monitoring, intrusion prevention system rule updates, SIEM logging, and indicators of compromise detection based on Microsoft’s advanced hunting queries.
Cybersecurity experts like Charles Carmakal of Mandiant (Google Cloud) describe the situation as critical a live, evolving threat requiring organizations to assume breach, hunt for compromise, and rotate all cryptographic keys once patching occurs.
Eye Security researchers stress that even post-patch environments remain at risk if key rotation is neglected.
This incident spotlights persistent risks in hybrid and on-prem legacy systems.
Once compromised, SharePoint Servers linked to internal domains or service ecosystems like Teams, Outlook, or OneDrive can be leveraged for lateral movement and broader enterprise infiltration.
Microsoft says stakeholders can expect an emergency security update soon, and it will issue further guidance on remediation as details emerge.
In the meantime, organizations are advised to review logs for unusual file creation particularly spinstall0.aspx enforce AMSI and Defender controls, and isolate affected systems for incident response teams to investigate thoroughly.
Written By Ian Maleve
