Critical Microsoft SharePoint Vulnerability: A Growing Threat
Recent reports have shed light on a serious vulnerability affecting Microsoft SharePoint, with exploitation efforts dating back to July 7, 2025. Check Point Research revealed that attempts to exploit this critical flaw have already targeted a significant Western government, with increased activity noted on July 18 and 19 across various sectors, including government, telecommunications, and software in North America and Western Europe.
Nature of the Exploit
The attacks have been traced to three distinct IP addresses: 104.238.159.149, 107.191.58.76, and 96.9.125.147. Notably, one of these addresses has also been linked to previous exploits concerning vulnerabilities in Ivanti Endpoint Manager Mobile. According to Lotem Finkelstein, Director of Threat Intelligence at Check Point, the threats posed by this zero-day vulnerability are both urgent and sophisticated, endangering numerous organizations worldwide.
Finkelstein emphasized the critical nature of the situation, urging businesses to strengthen their security measures immediately. "We’ve seen dozens of attempted compromises since early July," he stated, highlighting that the exploit is both complex and rapidly evolving.
Vulnerabilities Identified
The attack chain primarily exploits CVE-2025-53770, a newly discovered flaw allowing remote code execution in SharePoint Server, and involves chaining it with CVE-2025-49706, a spoofing vulnerability patched during Microsoft’s July patch cycle. This combination enables attackers to gain initial access and escalate their privileges within compromised systems.
This month has revealed two sets of vulnerabilities in SharePoint:
- CVE-2025-49704 (CVSS score: 8.8) – Remote Code Execution (patched July 8, 2025)
- CVE-2025-49706 (CVSS score: 6.5) – Spoofing Vulnerability (patched July 8, 2025)
Additionally:
- CVE-2025-53770 (CVSS score: 9.8) – Remote Code Execution
- CVE-2025-53771 (CVSS score: 6.5) – Spoofing Vulnerability
The earlier pair, referred to collectively as ToolShell, paved the way for the new flaws, which have been identified as variants that bypass the initial fixes.
Details of the Attack Methodology
Exploitation of CVE-2025-53770 involves a critical weakness in how SharePoint Server processes untrusted data. Attackers utilize malicious ASP.NET web shells to extract sensitive cryptographic keys. These keys are then employed to create and sign harmful payloads, allowing for unauthorized access and command execution on SharePoint Servers.
According to telemetry data from Bitdefender, the range of exploitation is vast, affecting numerous countries, including the United States, Canada, Germany, and Jordan. This indicates a global threat landscape that organizations need to take seriously.
Detection and Response
Palo Alto Networks Unit 42 has reported observing commands executed via PowerShell, with the exploits geared toward writing files that run as web shells to extract sensitive server information. The file spinstall0.aspx, for example, functions as a web shell capable of running various commands to retrieve essential cryptographic material.
SentinelOne also highlighted its detection of different attack clusters, one of which deploys advanced techniques to avoid detection through in-memory execution without leaving files on disk. This method complicates forensic recovery and points to the sophistication behind the current exploitation attempts.
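Defender-side example added here (not code from the article, Check Point, Unit 42 or SentinelOne): a small Python scanner that parses IIS W3C log lines and flags requests that touch the spinstall0.aspx web shell name or originate from the three addresses named above. The log lines are constructed for illustration.

```python
# Indicators taken from the article: the web shell filename and the three source addresses.
WEB_SHELL_NAMES = {"spinstall0.aspx"}
SUSPECT_IPS = {"104.238.159.149", "107.191.58.76", "96.9.125.147"}


def parse_w3c(lines):
    """Yield one dict per IIS W3C data line, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        yield dict(zip(fields, values))


def flag_request(rec):
    """Return the reasons a request is suspicious (empty list if none)."""
    reasons = []
    stem = rec.get("cs-uri-stem", "").lower()
    if stem.rsplit("/", 1)[-1] in WEB_SHELL_NAMES:  # any directory, case-insensitive
        reasons.append("web-shell-path")
    if rec.get("c-ip") in SUSPECT_IPS:
        reasons.append("known-source-ip")
    return reasons


def scan_log(text):
    """Return (client ip, uri stem, reasons) for every flagged request in the log text."""
    hits = []
    for rec in parse_w3c(text.splitlines()):
        reasons = flag_request(rec)
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


# Constructed sample log (not real traffic); one benign line and three that should be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 10:01:02 10.0.0.5 GET /sites/hr/default.aspx - 443 alice 10.0.0.23 Mozilla/5.0 200
2025-07-18 10:02:17 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-18 10:02:19 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-19 08:15:40 10.0.0.5 GET /_LAYOUTS/15/SPINSTALL0.ASPX - 443 - 198.51.100.7 Mozilla/5.0 404
"""

if __name__ == "__main__":
    for ip, stem, reasons in scan_log(SAMPLE_LOG):
        print(ip, stem, ",".join(reasons))
```

Hits on these indicators are only a starting point: the in-memory cluster SentinelOne describes leaves no such file on disk, so log review must be paired with memory and process inspection.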
The Threat Landscape
Current estimates suggest that there are nearly 10,000 on-premises SharePoint servers online. Given the sensitive information stored on these servers, they represent valuable targets for cybercriminals. The involvement of state-aligned threat actors, including those linked to China, raises alarms about the potential for extensive damage and data breaches across multiple sectors.
As organizations ramp up their security protocols, it is essential for them to act swiftly—updating security measures, rotating cryptographic keys, and restarting systems. With the name recognition and significant market presence of SharePoint, the urgent call for remediation has never been more critical for IT departments worldwide.
By staying informed and responsive, organizations can mitigate risks and protect themselves against these increasingly prevalent cyber threats.