Microsoft SharePoint zero-day exploited in RCE attacks, no patch available

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/

ONE SENTENCE SUMMARY:

An unpatched zero-day in on-premises Microsoft SharePoint Server, CVE-2025-53770, is being actively exploited for unauthenticated remote code execution; Microsoft has published interim mitigations while a security update is still being developed.

MAIN POINTS:

  1. Update: Eye Security's revised count is 54 organizations compromised.
  2. CVE-2025-53770 has been exploited since at least July 18, 2025, with at least 85 servers compromised.
  3. Viettel Cyber Security's "ToolShell" exploit chain combined CVE-2025-49706 (authentication bypass) and CVE-2025-49704 (RCE); CVE-2025-53770 is a variant that gets past the July fixes for that chain.
  4. Microsoft has not yet released a patch for CVE-2025-53770 and recommends enabling AMSI integration in the meantime.
  5. According to Microsoft, enabling AMSI integration and deploying Defender Antivirus on all SharePoint servers stops unauthenticated attackers from exploiting the flaw.
  6. AMSI integration is enabled by default only on SharePoint Server 2016/2019 installations that have applied the September 2023 security update (or later); servers behind on updates, or where it was turned off, must enable it manually.
  7. Servers that cannot be protected this way should be disconnected from the internet until a patch is available.
  8. CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog.
  9. Eye Security, which discovered the campaign, initially identified 29 compromised organizations.
  10. Attackers upload a malicious ASP.NET page, "spinstall0.aspx", that dumps the server's MachineKey (ValidationKey and DecryptionKey); with those keys they can forge __VIEWSTATE payloads for remote code execution.

TAKEAWAYS:

  1. Apply Microsoft's SharePoint security update as soon as it is released.
  2. Until then, enable AMSI integration and deploy Defender Antivirus on every SharePoint server.
  3. Hunt for the published IOCs, above all the spinstall0.aspx file under the SharePoint LAYOUTS directory and requests for it in the IIS logs; if it is found, treat the MachineKey as stolen and rotate it, since a patch alone does not stop an attacker who already holds the keys from forging __VIEWSTATE payloads.
  4. If the mitigations cannot be applied quickly, disconnect the server from the internet.
  5. Monitor for, and block, the attacker IP addresses published with the report.
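
As an added example that is not part of the BleepingComputer article or of any Microsoft or Eye Security tooling, the script below shows what the IOC hunt in takeaways 3 and 5 looks like against IIS W3C logs: it flags requests for the spinstall0.aspx payload named in the article, flags the request shape Microsoft described for this campaign (a POST to ToolPane.aspx in edit mode whose Referer is SignOut.aspx), and collects the client IPs behind those hits. The LAYOUTS drop path is the one given in public reporting on the campaign; the log lines, host names and IP addresses are constructed for the example.

```python
"""Hunt for ToolShell / CVE-2025-53770 indicators in IIS W3C logs and file paths.

Added example, not code from the article. The log below is constructed;
sp.example.local, CONTOSO\alice and all IP addresses are fictitious.
"""
import re
from dataclasses import dataclass

# Web shell name from the article; the LAYOUTS location (often seen with 8.3
# short names) is the drop path given in public reporting on this campaign.
WEBSHELL_NAME = "spinstall0.aspx"
LAYOUTS_PATH_RE = re.compile(r"[\\/]TEMPLATE[\\/]LAYOUTS[\\/]spinstall0\.aspx$", re.IGNORECASE)

# Constructed IIS log: one benign page view, the two attacker requests, and a
# legitimate authenticated ToolPane edit that must NOT be flagged.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 22:15:01 10.0.0.5 GET /sites/team/SitePages/Home.aspx - 443 CONTOSO\alice 10.0.1.22 Mozilla/5.0 https://sp.example.local/ 200 0 0 120
2025-07-18 22:16:43 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.23 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 340
2025-07-18 22:16:45 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 58
2025-07-18 22:20:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\alice 10.0.1.22 Mozilla/5.0 https://sp.example.local/sites/team/SitePages/Home.aspx 200 0 0 210
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    when: str
    client_ip: str
    detail: str


def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip instead of misaligning columns
        yield dict(zip(fields, values))


def is_webshell_drop_path(path):
    """True if a file path (from a file listing or EDR event) is the spinstall0.aspx drop location."""
    return bool(LAYOUTS_PATH_RE.search(path))


def hunt(text):
    """Return Findings for every log line matching a ToolShell indicator."""
    findings = []
    for r in parse_w3c(text):
        when = f"{r.get('date', '?')} {r.get('time', '?')}"
        ip = r.get("c-ip", "?")
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "").lower()
        referer = r.get("cs(Referer)", "").lower()
        method = r.get("cs-method", "").upper()

        # Rule 1: any request for the dropped web shell (the IOC named in the article).
        if stem.endswith("/" + WEBSHELL_NAME):
            findings.append(Finding("webshell_request", when, ip, r.get("cs-uri-stem", "")))

        # Rule 2: ToolPane.aspx edit POST with a SignOut.aspx Referer, the
        # request shape Microsoft described for this campaign. A normal edit
        # carries a Referer pointing at the page being edited, not SignOut.aspx.
        if (method == "POST" and stem.endswith("/_layouts/15/toolpane.aspx")
                and "displaymode=edit" in query and "/_layouts/signout.aspx" in referer):
            findings.append(Finding("toolpane_signout_referer", when, ip, r.get("cs-uri-query", "")))
    return findings


def suspect_ips(findings):
    """Distinct client IPs behind the findings, for blocking and for pivoting in other logs."""
    return sorted({f.client_ip for f in findings})


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.when}  {f.rule:<25} {f.client_ip:<15} {f.detail}")
    print("suspect IPs:", suspect_ips(SAMPLE_LOG and hunt(SAMPLE_LOG)))
```

Run it against the real `u_ex*.log` files in `C:\inetpub\logs\LogFiles\W3SVC*\` (read each file and pass its text to `hunt`) and feed `is_webshell_drop_path` the paths from a directory listing or EDR file-creation events. A hit on either rule means the MachineKey should be treated as stolen: the mitigations stop further exploitation, but only rotating the keys invalidates forged __VIEWSTATE payloads.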