Microsoft SharePoint under mass attack with no patch available

AI and Cyber

Written by
Ollie Law
Published on
July 21, 2025

Hackers have broken into 85 SharePoint servers worldwide. They hit multinational corporations, government agencies, and banks across the US, Germany, France, and Australia.

Microsoft confirmed active exploitation of CVE-2025-53770, a critical zero-day vulnerability with a CVSS score of 9.8. As of posting, Microsoft has no patch ready.

Unknown attackers exploited a "significant vulnerability" in Microsoft's SharePoint collaboration software, hitting targets around the world.

If your business documents, financial records, and internal communications sit on SharePoint, those files face immediate risk. In this article, we break that risk down into layman's terms and outline the immediate steps you can take to mitigate it.

The risk from this zero-day exploit

CVE-2025-53770 stems from SharePoint deserialising untrusted data and can lead to unauthenticated remote code execution with no user interaction required. In other words, hackers can break into your SharePoint server without needing passwords, usernames, or any credentials.

The vulnerability affects three SharePoint versions:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server Subscription Edition

SharePoint Online in Microsoft 365 is not vulnerable. If you use SharePoint through Office 365, you're safe. But if your company runs SharePoint on its own servers, you face serious danger.

Eye Security reported that, within hours of detecting the initial compromise, it had pinpointed dozens of servers compromised "using the exact same payload at the same filepath". Hackers aren't targeting individual companies. They're running automated attacks against thousands of SharePoint servers globally.

This falls squarely under technological risk. The zero-day flaw has been described as a variant of CVE-2025-49706, a spoofing bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates. Even Microsoft's recent security patches didn't stop this new attack method.

You should be concerned if...

Your company runs on-premises SharePoint servers: Tens of thousands of these servers are at risk, experts said, and Microsoft has issued no patch for the flaw, leaving victims around the world scrambling to respond.

You should act immediately if you:

  • Host SharePoint on your own servers or data centres.
  • Use SharePoint for document management, project collaboration, or file sharing.
  • Store sensitive business data, customer information, or financial records on SharePoint.
  • Rely on SharePoint for daily business operations.

Pete Renals, a senior manager with Palo Alto Networks' Unit 42, said, "we are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available. We have identified dozens of compromised organisations spanning both commercial and government sectors".

The attack doesn't require insider access. Attackers can execute code remotely, bypassing identity protections such as MFA or SSO. Your multi-factor authentication and single sign-on security measures won't protect you.


What are the disruption risks?

Business Interruption and Data Theft

  • Once inside, attackers can access all SharePoint content, system files, and configurations and move laterally across the Windows Domain. They don't just steal files. They take control of your entire SharePoint environment and potentially your broader network.

Financial Loss and Operational Standstill

  • The malicious activity essentially involves delivering ASPX payloads via PowerShell; the payload is then used to steal the SharePoint server's MachineKey configuration, including the ValidationKey and DecryptionKey, so that the attackers can maintain persistent access. This means hackers can return to your systems even after you think you've secured them.

Reputational Damage and Legal Consequences

  • SharePoint typically stores your most sensitive business documents. Customer contracts, financial reports, strategic plans, and employee records all live there. A breach exposes this information and damages your reputation with clients and partners.

Long-term Security Concerns

  • watchTowr CEO Benjamin Harris explained: "With these keys in hand, attackers can craft forged __VIEWSTATE payloads that SharePoint will accept as valid—enabling seamless remote code execution. This approach makes remediation particularly difficult—a typical patch would not automatically rotate these stolen cryptographic secrets, leaving organisations vulnerable even after they patch".

Even when Microsoft releases a patch, your company remains vulnerable. Hackers steal cryptographic keys that let them maintain access to your systems.

Preventative actions you can take right now

Immediate Steps You Must Take Today

  1. Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.
  2. Enable AMSI integration immediately. AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. Check your SharePoint version and confirm AMSI runs properly.
  3. If you can't enable AMSI right now, disconnect your SharePoint server from the internet. Microsoft recommends: "If enabling AMSI is not an option, you should remove access to the internet from the SharePoint server".

Detection and Monitoring

  1. Defenders should look, at minimum, for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770. Search your SharePoint servers for this file immediately.
  2. Deploy Microsoft Defender for Endpoint on all SharePoint servers. Set up comprehensive logging to identify exploitation activity. Monitor for suspicious POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
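The two indicators above can be checked mechanically against IIS logs exported from a SharePoint server. The following Python script is an added example, not part of the article or of any Microsoft or vendor tooling; it parses IIS W3C-format log lines (standard IIS field names, sample lines constructed), flags POSTs to ToolPane.aspx with DisplayMode=Edit and any request for spinstall0.aspx, and then correlates both indicators per client address.

```python
import re

# Indicators named in the article; matched case-insensitively since IIS logs the URI as sent.
WEBSHELL_NAME = "spinstall0.aspx"
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
DISPLAYMODE_EDIT = re.compile(r"(?:^|&)displaymode=edit(?:&|$)", re.IGNORECASE)

def parse_w3c(log_text):
    """Yield one dict per request, mapping columns via the '#Fields:' header so the
    field order configured on the IIS site does not matter."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip malformed lines rather than misalign columns
                yield dict(zip(fields, parts))

def scan_iis_log(log_text):
    """Return (timestamp, client_ip, reason) for every line matching an indicator."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "").lower()
        when, ip = f"{rec.get('date', '?')} {rec.get('time', '?')}", rec.get("c-ip", "?")
        if (rec.get("cs-method") == "POST" and stem == TOOLPANE_STEM
                and DISPLAYMODE_EDIT.search(rec.get("cs-uri-query", ""))):
            hits.append((when, ip, "POST ToolPane.aspx?DisplayMode=Edit"))
        if stem.endswith("/" + WEBSHELL_NAME):
            hits.append((when, ip, "request for spinstall0.aspx"))
    return hits

def high_confidence_ips(hits):
    """Clients seen with BOTH indicators. Normal page editing also calls ToolPane.aspx in
    edit mode, so that hit alone needs triage; a follow-up spinstall0.aspx request does not."""
    by_ip = {}
    for _, ip, reason in hits:
        by_ip.setdefault(ip, set()).add(reason)
    return sorted(ip for ip, reasons in by_ip.items() if len(reasons) == 2)

# Constructed sample in IIS W3C format (not real traffic): an internal editor at 10.0.0.77
# and an external client that posts to ToolPane and then fetches the dropped file.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-19 10:15:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 10.0.0.77 200
2025-07-19 10:15:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&pid=7 443 203.0.113.7 200
2025-07-19 10:15:11 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 203.0.113.7 200
2025-07-19 10:16:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 10.0.0.77 200
"""
```

Run it as `scan_iis_log(open(path).read())` per log file and feed the combined hits to `high_confidence_ips`; ToolPane-only hits from internal addresses are usually legitimate editing and should be triaged rather than treated as confirmed compromise.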

Business Continuity Planning

  1. Review your SharePoint backup procedures. Ensure you can restore clean versions of your SharePoint environment if hackers compromise your systems. Test your backup restoration process this week.
  2. Document your SharePoint dependencies. Identify which business processes stop working if SharePoint goes offline. Prepare alternative collaboration methods for your teams.

Long-term security strategy

Consider migrating to SharePoint Online if you currently use on-premises servers. SharePoint as part of Microsoft 365 (SharePoint Online) is not vulnerable. Cloud-based SharePoint receives automatic security updates and doesn't face this specific threat.

Review your third-party software security regularly. This SharePoint vulnerability shows how quickly new attack methods emerge. Build security assessments into your monthly business reviews.

The SharePoint crisis demonstrates that even patched, up-to-date systems face new threats daily. Your business can't wait for perfect security solutions. Take action now to protect your data and operations from this ongoing attack campaign.


Sources & additional resources

SharePoint zero day exploited, governments hit, no patch yet | The Stack | July 20, 2025

Microsoft SharePoint servers under attack via zero-day vulnerability with no patch (CVE-2025-53770) | Help Net Security | July 20, 2025

Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Company Servers | The Hacker News | July 20, 2025

Customer guidance for SharePoint vulnerability CVE-2025-53770 | Microsoft Security Response Center | July 20, 2025

Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770) | CISA | July 20, 2025

SharePoint Under Siege: ToolShell Mass Exploitation (CVE-2025-53770) | Eye Security | July 19, 2025

Global hack on Microsoft product hits U.S., state agencies, researchers say | The Washington Post | July 20, 2025

Frequently asked questions

A zero-day vulnerability is a security flaw that hackers know about but the software company doesn't. Think of it like finding an unlocked back door to a building that the owner doesn't know exists. The term "zero-day" means there have been zero days to fix the problem since it was discovered. In this SharePoint case, attackers found a way to break into systems that Microsoft didn't know was possible. They exploited it for days before Microsoft learned about the attacks and could start working on a fix.

Remote code execution means hackers can run their own programs on your computer or server from anywhere in the world, without being physically present. It's like someone being able to operate your office computer from their home, opening files, installing software, or stealing data. In the SharePoint vulnerability, attackers can execute commands on your SharePoint server as if they were sitting at your IT desk with full administrator access. They can copy files, install malware, or use your server to attack other systems.

Multi-factor authentication (MFA) and single sign-on (SSO) are like security guards at the front door of your building. They check IDs and verify people before letting them in. But this SharePoint vulnerability is like a hidden tunnel that goes directly into the building, completely avoiding the front door security. The hackers don't need to present credentials or pass through your authentication systems because they're exploiting a flaw in how SharePoint processes certain data. Your security measures are still important, but they can't protect against attacks that don't use the normal entry points.

Cryptographic keys are like master keys that unlock encrypted data and verify the authenticity of digital communications. In SharePoint's case, these keys (called ValidationKey and DecryptionKey) are used to ensure that requests to the server are legitimate. When hackers steal these keys, they can create fake but valid-looking requests that SharePoint will trust and process. It's like someone stealing the master key to your office building and being able to make perfect copies. Even after you change the locks (patch the vulnerability), they can still get in using their copied keys until you replace the entire locking system.
