
Attackers are actively exploiting CVE-2025-53770, a critical zero-day vulnerability in Microsoft SharePoint, to execute remote code without authentication. This flaw allows attackers to deploy persistent malware and potentially exfiltrate sensitive data from unpatched on-premises environments. Review the full details in this Cybersecurity Threat Advisory to help prevent exploitation in your environment.
What is the threat?
CVE-2025-53770 is a newly discovered zero-day vulnerability affecting on-premises Microsoft SharePoint Servers, widely used for internal collaboration and file sharing. This flaw is classified as an RCE (remote code execution) vulnerability, allowing attackers to run malicious code on affected servers—no authentication or special access required.
SharePoint servers often become vulnerable due to missing patches, critical misconfigurations, or exposed internet-facing services. As a zero-day, this exploit was actively used in the wild before Microsoft released a fix, leaving many systems temporarily exposed.
Attackers leverage the flaw by sending specially crafted HTTP requests to vulnerable servers, tricking them into executing arbitrary code. This can result in backdoor installation, data exfiltration, or lateral movement across the network.
Indicators of compromise include:
- A malicious spinstall0.aspx web shell in the SharePoint Layouts directory
- Unusual POST requests to ToolPane.aspx
- IIS worker processes (w3wp.exe) spawning PowerShell or cmd processes
- Elevated CPU usage
- Suspicious outbound network traffic
Why is it noteworthy?
This vulnerability is being actively exploited in a global cyber espionage campaign, impacting over 100 organizations. Upon successful exploitation, attackers can steal cryptographic keys, gain persistent access, and bypass traditional security controls—all without detection.
While Microsoft has released patches, many organizations remain vulnerable due to delayed patching or incomplete mitigation. Microsoft patched related vulnerabilities—CVE-2025-49706 and CVE-2025-49704—earlier this month. However, attackers have already developed workarounds, underscoring the speed and sophistication of today’s threat actors.
Even organizations that don’t use SharePoint directly are at risk. Compromised SharePoint servers can act as launchpads for supply chain attacks, potentially impacting partners, suppliers, and customers, and amplifying the threat across ecosystems.
What is the exposure or risk?
If exploited, CVE-2025-53770 allows attackers to gain unauthorized remote access, execute malicious code, steal sensitive data, and potentially disrupt critical business operations. The consequences extend beyond technical compromise. Victims may face regulatory scrutiny and fines, legal liability, brand and reputational damage, operational downtime, and incident response and recovery efforts.
A breached SharePoint server can also be leveraged for further network intrusion, increasing the risk of ransomware, espionage, or intellectual property theft. These cascading effects make rapid detection and mitigation crucial.
What are the recommendations?
Barracuda recommends the following actions in order to protect against this threat:
- Apply the following emergency updates for Microsoft SharePoint:
  - The KB5002754 update for Microsoft SharePoint Server 2019 Core and KB5002753 for the Microsoft SharePoint Server 2019 Language Pack.
  - The KB5002760 update for Microsoft SharePoint Enterprise Server 2016 and KB5002759 for the Microsoft SharePoint Enterprise Server 2016 Language Pack.
  - The KB5002768 update for Microsoft SharePoint Subscription Edition.
- Rotate the SharePoint machine keys post update:
  - Manually via PowerShell: To update the machine keys for a web application using PowerShell and deploy them to a SharePoint farm:
    - Generate the machine key in PowerShell using Set-SPMachineKey -WebApplication <SPWebApplicationPipeBind>.
    - Deploy the machine key to the farm in PowerShell using Update-SPMachineKey -WebApplication <SPWebApplicationPipeBind>.
  - Manually via Central Admin: Trigger the Machine Key Rotation timer job by performing the following steps:
    - Navigate to the Central Administration site.
    - Go to Monitoring -> Review job definitions.
    - Search for Machine Key Rotation Job and select Run Now.
  - After the rotation has completed, restart IIS on all SharePoint servers using iisreset.exe.
- Analyze logs and the file system for the presence of malicious files or attempts at exploitation, including:
  - Creation of the C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx file.
  - IIS logs showing a POST request to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with an HTTP referer of _layouts/SignOut.aspx.
- Run the following Microsoft 365 Defender query to check whether the spinstall0.aspx file was created on your server:
    DeviceFileEvents
    | where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
    | where FileName =~ "spinstall0.aspx"
        or FileName has "spinstall0"
    | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
    | order by Timestamp desc
- Restrict internet exposure of SharePoint servers wherever possible. Use firewalls, VPNs, or zero-trust access controls to limit access only to trusted users and networks.
- Enable detailed logging and monitor SharePoint server activity for unusual behavior, such as unexpected file uploads or changes, and connections from unfamiliar IP addresses.
- Isolate SharePoint servers from other critical internal systems to reduce the risk of lateral movement if an attacker gains access.
- Raise awareness about this vulnerability and reinforce best practices for applying patches and maintaining secure configurations.
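As an added illustration of the log-based indicators listed above (not part of the original advisory), the following Python script parses IIS W3C log lines and flags the ToolPane.aspx POST pattern with a SignOut.aspx referer, as well as any request for spinstall0.aspx. The log lines and the field layout in the #Fields header are constructed sample data.

```python
"""Scan IIS W3C log lines for the exploitation pattern named in the advisory:
a POST to ToolPane.aspx with DisplayMode=Edit and a referer of _layouts/SignOut.aspx,
plus any request for the spinstall0.aspx web shell. Sample lines are constructed."""
from typing import Dict, Iterable, List

# Constructed sample log: a #Fields header, one benign hit, two suspicious hits.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.20 Mozilla/5.0 https://sp.example.test/ 200
2025-07-19 10:02:13 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 10:02:14 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200
"""

def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C log lines into dicts keyed by the #Fields header names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # the header defines the column layout
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed or truncated lines
                records.append(dict(zip(fields, values)))
    return records

def is_toolpane_exploit_attempt(rec: Dict[str, str]) -> bool:
    """Advisory IoC: POST to ToolPane.aspx, DisplayMode=Edit, referer SignOut.aspx."""
    return (rec.get("cs-method") == "POST"
            and rec.get("cs-uri-stem", "").lower().endswith("/toolpane.aspx")
            and "displaymode=edit" in rec.get("cs-uri-query", "").lower()
            and "signout.aspx" in rec.get("cs(Referer)", "").lower())

def is_webshell_hit(rec: Dict[str, str]) -> bool:
    """Any request for the spinstall0.aspx web shell named in the advisory."""
    return "spinstall0" in rec.get("cs-uri-stem", "").lower()

def find_indicators(log_text: str) -> List[Dict[str, str]]:
    """Return matching records, each tagged with the indicator that fired."""
    hits: List[Dict[str, str]] = []
    for rec in parse_w3c(log_text.splitlines()):
        if is_toolpane_exploit_attempt(rec):
            hits.append({**rec, "indicator": "toolpane-post"})
        elif is_webshell_hit(rec):
            hits.append({**rec, "indicator": "spinstall0-request"})
    return hits
```

Point find_indicators at the contents of a real u_ex*.log file from the SharePoint front ends; the #Fields header in each file drives the column mapping, so the script tolerates the different field sets that IIS sites are configured to log.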
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
- https://www.reuters.com/sustainability/boards-policy-regulation/microsoft-server-hack-hit-about-100-organizations-researchers-say-2025-07-21/
- https://www.cve.org/CVERecord?id=CVE-2025-53770
- https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.