vulnerabilities
Unknown malefactors are actively attacking companies that use SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. By exploiting a chain of two vulnerabilities – CVE-2025-53770 (CVSS rating – 9.8) and CVE-2025-53771 (CVSS rating – 6.3), attackers are able to execute malicious code on the server remotely. The severity of the situation is highlighted by the fact that patches for the vulnerabilities were released by Microsoft late Sunday night. To protect the infrastructure, researchers recommend installing the updates as soon as possible.
The attack via CVE-2025-53770 and CVE-2025-53771
Exploitation of this pair of vulnerabilities allows unauthenticated attackers to take control of SharePoint servers, and therefore not only gain access to all the information stored on them, but also use the servers to spread their attack on the rest of the infrastructure.
Researchers at EYE Security state that even before the Microsoft bulletins were published, they had seen two waves of attacks using this vulnerability chain, resulting in dozens of servers being compromised. Attackers install web shells on vulnerable SharePoint servers and steal cryptographic keys that can later allow them to impersonate legitimate services or users. This way they can to gain access to compromised servers even after the vulnerability has been patched and the malware destroyed.
Relationship to CVE-2025-49704 and CVE-2025-49706 vulnerabilities (ToolShell chain)
Researchers noticed that the exploitation of the CVE-2025-53770 and CVE-2025-53771 vulnerability chain is very similar to the ToolShell chain of two other vulnerabilities, CVE-2025-49704 and CVE-2025-49706, demonstrated in May, as part of the Pwn2Own hacking competition in Berlin. Those two were patched by previously released updates, but apparently not perfectly.
By all indications, the new pair of vulnerabilities is an updated ToolShell chain, or rather a bypass of the patches that fix it. This is confirmed by Microsoft’s remarks in the description of the new vulnerabilities: “Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.”
How to stay safe?
The first thing to do is install the patches, and before rolling out the emergency updates released yesterday, you should install the regular July KB5002741 and KB5002744. At the time of writing this post, there were no patches for SharePoint 2016, so if you’re still using this version of the server, you’ll have to rely on compensating measures.
You should also make sure that robust protective solutions are installed on the servers and that the Antimalware Scan Interface (AMSI), which helps Microsoft applications and services to interact with running cybersecurity products, is enabled.
Researchers recommend replacing machine keys in ASP.NET on vulnerable SharePoint servers (you can read how to do this in Microsoft’s recommendations), as well as other cryptographic keys and credentials that may have been accessed from the vulnerable server.
If you have reason to suspect that your SharePoint servers have been attacked, it is recommended that you check them for indicators of compromise, primarily the presence of the malicious spinstall0.aspx file.
If your internal incident response team lacks the in-house resources to identify indicators of compromise or remediate the incident, we advise you to contact third-party experts.
Tips