Microsoft Rushes Emergency SharePoint Patches as New Zero-Days Fuel ToolShell Attacks

Two new zero-day vulnerabilities in Microsoft SharePoint are being actively exploited by threat actors to compromise organizations worldwide, prompting the company to issue urgent out-of-band patches.
New Exploits Bypass July’s Security Fixes
Microsoft has confirmed that attackers are leveraging CVE-2025-53770 and CVE-2025-53771, two previously unknown flaws that bypass earlier patches released in July for the infamous “ToolShell” exploit chain.
While the company addressed the original ToolShell vulnerabilities—CVE-2025-49704 and CVE-2025-49706—during Patch Tuesday, threat actors rapidly adapted, developing new techniques to bypass those fixes and resume remote code execution (RCE) attacks on on-premise SharePoint servers.
Microsoft notes that SharePoint Online customers are not impacted by these attacks.
Exploitation Already Underway
Security firm Eye Security first observed the new wave of attacks on July 18, after detecting a suspicious .aspx file execution on a client’s server. Investigations revealed attackers were uploading a malicious file named spinstall0.aspx to harvest machine keys and execute arbitrary commands.
Microsoft confirmed that over 85 servers had been compromised by the time the emergency updates were issued, and that 54 organizations have been impacted, including major corporations and U.S. government agencies.
Emergency Updates Issued for SharePoint
In response to the widespread exploitation, Microsoft has released emergency security updates for the following SharePoint versions:
The update for SharePoint Server 2016 is still in development.
Microsoft confirmed that these new patches offer more robust protections than the original July fixes and are designed to fully close the bypass vulnerabilities.
Mitigations and Key Rotation Urged
Admins are urged to rotate SharePoint machine keys after applying updates. This can be done via PowerShell using the Update-SPMachineKey cmdlet or through Central Administration by triggering the “Machine Key Rotation Job.”
Additionally, Microsoft recommends:
- Enabling AMSI integration (Antimalware Scan Interface) in SharePoint
- Deploying Microsoft Defender Antivirus on all SharePoint servers
- Temporarily disconnecting unpatched SharePoint servers from the internet
These steps are expected to help block unauthenticated exploitation attempts.
Detecting a Breach
Admins should inspect their systems for the following indicators of compromise (IOCs):
- Existence of the file C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx
- IIS logs showing POST requests to _layouts/15/ToolPane.aspx with a referer of _layouts/SignOut.aspx
Microsoft also shared a Microsoft 365 Defender query to identify affected systems:
If this file or activity is detected, organizations are advised to immediately take the server offline and perform a full forensic investigation.
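The two indicators above can be checked mechanically. The script below is an added example for this article, not code published by Microsoft or Eye Security: it parses IIS W3C extended logs using the #Fields: directive, flags POST requests to _layouts/15/ToolPane.aspx whose referer is _layouts/SignOut.aspx, and tests whether spinstall0.aspx exists in the LAYOUTS directory. Two things are assumptions of this example rather than statements from the article: the LAYOUTS path is written in its long-name form (the 8.3 path quoted above resolves to the SharePoint 16 hive on a default install), and a second log check for any request naming spinstall0.aspx is added as a defender's generalization of the file indicator. The embedded log lines are constructed sample data.

```python
from pathlib import Path

# Indicators quoted in the article: the ToolPane.aspx POST with a SignOut.aspx referer,
# and the spinstall0.aspx file dropped into the SharePoint LAYOUTS directory.
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
WEBSHELL_NAME = "spinstall0.aspx"
# Assumed long-name form of the 8.3 path given in the article (the SharePoint "16 hive").
LAYOUTS_DIR = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"


def parse_iis_w3c(lines):
    """Yield one dict per request from IIS W3C extended log lines.

    Column names are taken from the '#Fields:' directive, so the parser works
    with whatever field set the site is configured to log.
    """
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data lines before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than mis-map columns
        yield dict(zip(fields, values))


def is_toolpane_signout_post(entry):
    """The article's IIS indicator: POST to _layouts/15/ToolPane.aspx with a SignOut.aspx referer."""
    return (
        entry.get("cs-method", "").upper() == "POST"
        and entry.get("cs-uri-stem", "").lower().endswith(TOOLPANE_STEM)
        and SIGNOUT_REFERER in entry.get("cs(Referer)", "").lower()
    )


def is_webshell_request(entry):
    """Added check (not in the article): any request for the spinstall0.aspx file name."""
    return entry.get("cs-uri-stem", "").lower().endswith("/" + WEBSHELL_NAME)


def scan_iis_log(lines):
    """Return the matching log entries grouped by indicator."""
    hits = {"toolpane_signout_post": [], "webshell_request": []}
    for entry in parse_iis_w3c(lines):
        if is_toolpane_signout_post(entry):
            hits["toolpane_signout_post"].append(entry)
        if is_webshell_request(entry):
            hits["webshell_request"].append(entry)
    return hits


def webshell_present(layouts_dir=LAYOUTS_DIR):
    """File indicator from the article: does spinstall0.aspx exist in LAYOUTS?"""
    return (Path(layouts_dir) / WEBSHELL_NAME).is_file()


# Constructed sample log (not real data): one normal request, one matching POST,
# and one request for the web shell from the same client address.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:02:11 10.0.0.5 GET /sites/hr/_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.21 Mozilla/5.0 https://sp.contoso.example/sites/hr 200 0 0 120
2025-07-18 10:03:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://sp.contoso.example/_layouts/SignOut.aspx 200 0 0 89
2025-07-18 10:03:50 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
"""

if __name__ == "__main__":
    import sys
    # Usage: python scan_toolshell.py [path-to-iis-log]; with no argument the sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = scan_iis_log(fh)
    else:
        hits = scan_iis_log(SAMPLE_LOG.splitlines())
    for name, entries in hits.items():
        for e in entries:
            print(f"{name}: {e['date']} {e['time']} {e['c-ip']} {e['cs-method']} {e['cs-uri-stem']}")
    print("spinstall0.aspx present in LAYOUTS:", webshell_present())
```

ToolPane.aspx is requested during normal page editing, so the referer condition is what separates the indicator from routine traffic; the script keeps both conditions together rather than alerting on every ToolPane.aspx POST. Because the parser reads column names from the #Fields: line, it tolerates sites that log a different field set, but it silently drops lines whose column count does not match the header, which is worth remembering if a log appears to produce no hits.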
CISA Adds Vulnerabilities to KEV Catalog
Following the disclosure, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerability (KEV) catalog. Federal agencies are now required to apply patches as soon as they are available.
“We reached out to Microsoft immediately to take action,” said Chris Butera, CISA’s Acting Executive Assistant Director for Cybersecurity. “We are working with Microsoft to help notify potentially impacted entities about recommended mitigations.”
Source: bleepingcomputer.com