Critical SharePoint 0-Day Vulnerabilities Exploited

What happened

Two chained vulnerabilities affecting SharePoint servers were revealed during a security conference in May 2025 and patched in July 2025. Together they enable authentication bypass and remote code execution, resulting in full takeover of SharePoint on-premises instances.

On July 18, massive exploitation campaigns were discovered by a security company.

Moreover, on July 19, Microsoft disclosed that a variant of the original attack chain, newly tracked as CVE-2025-53770 and CVE-2025-53771, had been seen in the wild. Around 10,000 exposed SharePoint servers are at risk of compromise; dozens of hacked instances across the world, mainly in the US, Europe, and Asia, have been identified.

Update (22. July)

Since the release of our initial advisory on July 21 on the in-the-wild exploitation of two 0-days impacting SharePoint On-Premises instances, new information has emerged. Several PoCs and checkers have now been published. Palo Alto and Sophos have also provided new Indicators of Compromise (IOCs). According to Censys, the number of exposed SharePoint servers has not decreased and remains close to 10,000 instances. This number includes both still vulnerable and already patched servers.

On July 22 at 00:30 (CEST), Microsoft announced that all maintained versions of SharePoint now have a dedicated patch, including Microsoft SharePoint Enterprise Server 2016.

Several organizations have allegedly been compromised through these 0-days, including federal and state agencies in the United States, and companies across the finance, education, energy, and healthcare sectors.

Orange Cyberdefense’s CERT is actively monitoring this threat and is analyzing and collecting related IOCs (available to our Datalake customers). As a PoC is now also publicly available, we are maintaining the threat level of this advisory at the maximum rating of 5 out of 5.

Background analysis (added 25.07.)

Microsoft attributed the active exploitation of both series of SharePoint 0-days to three distinct China-linked threat groups. This attribution is based on technical, behavioral, and temporal analyses, with varying levels of confidence:

  • Linen Typhoon (also tracked as APT27, TA428, etc.) is a Chinese state-sponsored cyber espionage group active for over a decade. It primarily focuses on stealing sensitive information from government, defense, and NGO sectors.
  • Violet Typhoon (also tracked as APT31, Judgment Panda, etc.) is another known Chinese state-affiliated actor that targets political entities, NGOs, media outlets, and academic institutions across strategic regions such as the United States, Europe, and Asia. The Czech Ministry of Foreign Affairs claimed last May the group had tried to hack its systems since 2022.
  • Storm-2603 is a new Chinese group tracked by Microsoft. It has no formal association with other known APT actors but has been observed in several recent ransomware operations, in particular delivering the Warlock malware family.

The data indicates a coordinated, large-scale exploitation campaign carried out by multiple sophisticated groups, with activity traced back to as early as July 7. The vendor identified the deployment of an ASPX web shell named svc_handler0.aspx, svc_handler1.aspx or svc_main.aspx. This web shell’s code matches previous samples linked to prior attacks attributed to Linen Typhoon, Violet Typhoon, and Storm-2603. The recurring use of this file, with identical logic and naming conventions, reinforces the connection with earlier campaigns.

The attribution is further supported by the reuse of known network infrastructure, including command and control (C2) servers associated with these threat actors. IP addresses such as 185[.]94[.]24[.]73, 92[.]223[.]119[.]208, and 212[.]86[.]102[.]134 were involved in post-exploitation communications and had already been flagged by Microsoft in prior threat activity. Such infrastructure overlap reflects either the reuse of compromised servers or shared operational control. Microsoft also documented the use of an encrypted tunnel established via the ngrok service, with a specific endpoint 34718cbb4c6.ngrok-free[.]app/file.ps1a used to deliver a PowerShell payload.

Alerts triggered by Microsoft Defender were also based on signatures for TTPs consistent with the tradecraft of the three groups. Interestingly, Microsoft presumes a financial motive behind Storm-2603's specific attacks. This group dropped a Warlock ransomware encryptor on a hacked server and has previously conducted campaigns with LockBit strains. Warlock is a ransomware active since 2025, stemming from the Chaos family, and known for its destructive but unsophisticated encryption capabilities.

This malware encrypts files using random extensions and drops a ransom note named read_it.txt. It does not use a sophisticated negotiation interface, suggesting it is part of an opportunistic campaign rather than structured Ransomware-as-a-Service infrastructure, despite the existence of a Data Leak Site for double extortion with 19 listed victims as of today. Warlock has been observed targeting government institutions, as well as industrial, agricultural, and educational organizations. Known victims include Lactanet in Canada, the Polish space engineering company Astronika, and BTHK in Hong Kong.

As a reminder, the initial attack chain was composed of the responsibly disclosed vulnerabilities CVE-2025-49704 and CVE-2025-49706, and has small yet trivial variants tracked as CVE-2025-53770 and CVE-2025-53771. The original patches did not fully protect against exploitation. According to Viettel, who discovered the original vulnerability, the CVE-2025-53771 authentication bypass could simply be leveraged through:

  • /ToolPane.aspx/test.js
  • /ToolPane.aspx/anything

An endpoint other than ToolPane.aspx could also be used for deserialization, as the /_vti_bin SharePoint directory continues to use the ExcelDataSet class, which eventually facilitates RCE. This discovery prompted the subsequent CVE-2025-53770 patch. Many technical details on the original flaws were provided in another article shared by Viettel.

Moreover, we anticipate a surge in opportunistic attacks against publicly exposed vulnerable systems, due to the public release of working exploit code and further technical details on the flaws. More web shells are continually being found on instances, such as ghostfile<some digits>.aspx discovered by ESET.

Varying numbers of potentially compromised instances are circulating online, from a few dozen to several thousand, depending on the source. Eye Security and LeakIX believe more than 400 servers may have been compromised, a figure based on scanning for the presence of malicious ASPX files. Public information about victims remains scarce, despite mentions in the media of U.S. government bodies (Nuclear Weapons Agency, Department of Education, National Institutes of Health) and European government institutions. Other unnamed victims in the justice, government, education or energy sectors have been disclosed. The first identified exploitation may have occurred as early as July 7.

The Orange Cyberdefense CSIRT team has begun several incident responses for our clients since July 22.

Consequently, we maintain the risk level of this bulletin at the highest rating of 5 out of 5.

What it means

EXPLOITATION DETAILS:

Palo Alto Networks has published a blog post observing three variations of the vulnerability chain exploitation.

The first involves executing a PowerShell command through a shell, which iterates through the web.config files and stores their contents in a file named debug_dev.js.

The second and third variations both involve the IIS Process Worker (w3wp.exe) invoking a command shell to execute a Base64-encoded PowerShell command. Once decoded, the command creates a file named spinstall0.aspx, which functions as a webshell capable of retrieving sensitive information such as ValidationKeys, DecryptionKeys, and the CompatabilityMode from the server. The main difference between the second and third variant is the path where the spinstall0.aspx file is written: ... 16\TEMPLATE\LAYOUTS vs. ... 15\TEMPLATE\LAYOUTS. Furthermore, the third variation is distinguished by the renaming of variables into single characters and the addition of a call to the sleep function at the end of the command.

On top of the malicious ASPX payload called spinstall0.aspx, private sources have also indicated other variations matching spinstall*.aspx. Furthermore, Sophos and SentinelOne indicated publicly that other ASPX payloads are distributed under the names info3.aspx and xxx.aspx.

Finally, Ján Trenčanský stated that the tunneling tool ngrok has been used to distribute PowerShell scripts in post-compromise activities and recommends hunting for connections to its domains. These observations are echoed by Charles Carmakal, CTO of Mandiant, who told the Washington Post that several threat actors, including one tied to China, are currently exploiting the vulnerability.

Wiz’s teams observed that 9% of cloud environments (e.g. on Azure or AWS) exposed to the Internet could be vulnerable to CVE-2025-53770 & CVE-2025-53771.

POC & CHECKERS ANALYSIS:

Several PoCs or checkers have been released to help administrators verify whether their instances are affected. They usually inject a malicious WebPart via the ToolPane.aspx page, aiming to trigger an unsafe .NET deserialization through the CompressedDataTable attribute. Some of these tests rely on the ability to insert a Scorecard:ExcelDataSet component into the page content, with a base64-encoded field containing a payload designed to execute arbitrary code on the targeted server.

The script checks whether the /layouts/15/toolpane.aspx page is accessible, which is a prerequisite for exploitation. If the page is available, it sends a POST request to this URL in edit mode, with an HTML WebPart dynamically injected with the payload. This payload is either provided inline via --data or read from a file via --file, and encodes a .NET gadget chain, typically generated using a tool like ysoserial.net.

Once the WebPart is sent, SharePoint attempts to process it, which results in the deserialization of the CompressedDataTable field. If the server is vulnerable, this operation triggers the execution of the payload, which can connect to a command-and-control server specified via the --c2 option, to initiate a reverse shell or carry out other malicious actions.

In some cases, the checkers are designed to identify indicators of compromise, assess the status of local defenses, and recommend immediate mitigation actions if an incident involving relevant exploitation on SharePoint is detected.

The threat level remains the same for now at 5 out of 5, as we anticipate more opportunistic attacks will now occur against vulnerable exposed instances due to the public availability of exploitation code.

Affected versions of SharePoint

The attack chain relies on a spoofing issue based on how the application handles the HTTP Referer header provided to the ToolPane endpoint, enabling remote code execution.

The vulnerable SharePoint versions include:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server Subscription Edition (3SE)

What you should be doing

  1. Patches are now available for all three impacted versions and should be applied as soon as possible.
  2. For all customers, Microsoft advises deploying a mitigation: the AMSI security feature prevents vulnerable SharePoint servers from being compromised by blocking unauthenticated requests exploiting the 0-day variant (CVE-2025-53770).
  3. If you cannot enable AMSI or patch today, Microsoft recommends you disconnect your server from the Internet temporarily.
  4. As an additional recommendation, rotate the SharePoint Server ASP.NET machine keys in an abundance of caution.
  5. Additionally, we remind administrators to monitor all POST requests targeting /_layouts/15/ToolPane.aspx?DisplayMode=Edit.

Vulnerable servers must be patched as attackers are actively seeking out vulnerable SharePoint servers to exploit. If you can’t patch, our recommendations remain the same as indicated in our initial advisory. In particular, hunting for exploitation attempts is strongly encouraged. Please refer to Microsoft consumer guidance for more information on patching and/or mitigating the threat.
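To support the hunting recommended above, here is a small triage script that flags the indicators described in the exploitation details (POST requests to ToolPane.aspx in edit mode, including the suffixed variants, and the reported web shell and dump file names). It is an added example, not code from the advisory or from any of the vendors cited; the IIS W3C field order, the log and file samples, and the default SharePoint install path are assumptions.

```python
import re

# Constructed IIS W3C log excerpt (not from the advisory); field order follows the header.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 10:01:02 GET /_layouts/15/start.aspx - 203.0.113.5 200
2025-07-18 10:01:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.7 200
2025-07-18 10:01:10 GET /_layouts/15/spinstall0.aspx - 198.51.100.7 200
2025-07-18 10:02:30 POST /_layouts/15/ToolPane.aspx/test.js DisplayMode=Edit 198.51.100.9 200
2025-07-18 10:05:00 GET /sites/hr/Shared%20Documents/report.docx - 203.0.113.5 200
"""
# Constructed file listing; the hive root is the assumed default install location.
SAMPLE_FILES = [
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx",
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\svc_handler1.aspx",
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\start.aspx",
]

# Names reported in the advisory: spinstall*, svc_handler0/1, svc_main, info3, xxx,
# ghostfile<digits> (all .aspx) and the debug_dev.js web.config dump.
WEBSHELL_NAME_RE = re.compile(
    r"^(spinstall\w*\.aspx|svc_handler\d+\.aspx|svc_main\.aspx|info3\.aspx"
    r"|xxx\.aspx|ghostfile\d+\.aspx|debug_dev\.js)$", re.IGNORECASE)
# ToolPane.aspx itself or a suffixed variant such as /ToolPane.aspx/test.js.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx(/|$)", re.IGNORECASE)


def suspicious_requests(log_text):
    """Return (line_no, reason, client_ip) for log lines matching the advisory's indicators."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if line.startswith("#") or len(parts) < 7:
            continue
        method, stem, query, client = parts[2], parts[3], parts[4], parts[5]
        if method == "POST" and TOOLPANE_RE.search(stem) and "displaymode=edit" in query.lower():
            hits.append((n, "POST to ToolPane.aspx in edit mode", client))
        elif WEBSHELL_NAME_RE.match(stem.rsplit("/", 1)[-1]):
            hits.append((n, "request to a reported web shell name", client))
    return hits


def suspicious_files(paths):
    """Return paths whose file name matches a reported web shell or dump file."""
    return [p for p in paths if WEBSHELL_NAME_RE.match(p.replace("\\", "/").rsplit("/", 1)[-1])]


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_IIS_LOG):
        print("log line %d: %s from %s" % hit)
    for path in suspicious_files(SAMPLE_FILES):
        print("file:", path)
```

Run it against exported IIS logs and a recursive listing of the 15 and 16 hives; any hit warrants a full investigation rather than just deleting the file, since the spinstall0.aspx web shell is used to steal machine keys that must then be rotated.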

Incident Response Hotline

Are you facing a cyber incident right now?

Contact our global 24/7/365 incident response hotline service.