Critical SharePoint RCE Exploit Hitting MSP Environments at Scale

By: Bryson Medlock

Mass exploitation of SharePoint vulnerability CVE-2025-53770 is delivering unauthenticated remote code execution to attackers targeting on-premise SharePoint servers globally. The "ToolShell" campaign has compromised over 75 organizations including US federal agencies, state governments, energy companies, and universities across multiple continents. 

From Research to Real-World Attacks 

The attack chain originated from legitimate security research presented at Pwn2Own Berlin in May 2025. Viettel Cyber Security researchers demonstrated how two SharePoint flaws could be chained together for unauthenticated remote code execution, dubbing the technique "ToolShell." Microsoft patched these original vulnerabilities (CVE-2025-49704 and CVE-2025-49706) in July's Patch Tuesday release. A few days later, on July 14, CODE WHITE GmbH researchers reproduced the exploit and posted a proof-of-concept screenshot on social media. Within four days, threat actors had weaponized a variant of this research into active attacks. CVE-2025-53770 is this evolved bypass of Microsoft's July patches. 

The technical evolution was subtle but effective. Where the original ToolShell chain targeted the ToolPane endpoint directly, the new variant sends /_layouts/SignOut.aspx as the HTTP Referer header to circumvent Microsoft's authentication checks. This small modification turned patched SharePoint servers back into vulnerable targets. 

Technical Attack Mechanics 

CVE-2025-53770 exploits SharePoint's deserialization processes through a multi-stage attack. The vulnerability stems from improper validation of user-supplied data, allowing attackers to inject malicious serialized objects that execute before authentication occurs. 

The attack follows a predictable pattern. First, attackers manipulate HTTP headers to bypass authentication controls at the ToolPane endpoint. Once inside, they exploit SharePoint's deserialization logic to extract the server's ValidationKey and DecryptionKey from memory or configuration files. These cryptographic keys are SharePoint's crown jewels—they're used to sign authentication tokens and validate user sessions. 

With stolen machine keys in hand, attackers can forge valid __VIEWSTATE payloads containing arbitrary code. SharePoint trusts these forged tokens because they're properly signed with the legitimate keys. The result is sustained, unauthenticated access that persists even after the server is patched, because the compromised keys remain valid until manually rotated. 

During exploitation, attackers typically drop a file named spinstall0.aspx in SharePoint's layouts directory. This webshell provides persistent backdoor access and serves as the primary mechanism for key extraction and lateral movement. 

Attack Scale and Victim Profile 

Eye Security's global scanning identified active exploitation across 8,000+ SharePoint servers worldwide, with confirmed compromises spanning North America, Europe, China, and Asia-Pacific regions. The Washington Post reported that victims include US federal and state agencies, energy companies, universities, European government agencies, an Asian telecommunications company, a Brazilian university, and local government offices. 

The attack timeline suggests coordination. Eye Security observed two distinct waves of exploitation: July 18 around 18:00 UTC and July 19 around 07:30 UTC. These weren't opportunistic scans but targeted campaigns hitting specific IP ranges and geographic regions. 

Three IP addresses consistently appeared in attack telemetry: 107.191.58.76, 104.238.159.149, and 96.9.125.147. The attackers demonstrated sophisticated infrastructure management, rotating between addresses and timing attacks to maximize impact while avoiding detection during business hours. 
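The request pattern described under Technical Attack Mechanics (a ToolPane.aspx request carrying a SignOut.aspx Referer, followed by a request for the spinstall0.aspx webshell) and the three source IPs listed above can be hunted for in IIS W3C logs. The script below is an added example, not code from the article or from any vendor; the log lines are constructed samples, and the /_layouts/15/ path prefix and the sp.example hostname are assumptions.

```python
# Hunt IIS W3C logs for the ToolShell / CVE-2025-53770 request pattern: ToolPane.aspx
# requests with a SignOut.aspx Referer, requests for spinstall0.aspx, and traffic
# from the source IPs reported in the campaign telemetry (defensive use only).

KNOWN_ATTACK_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

# Constructed sample log in IIS W3C format; the 10.x addresses and hostname are made up.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 18:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.44 Mozilla/5.0 - 200
2025-07-18 18:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 107.191.58.76 Mozilla/5.0 https://sp.example/_layouts/SignOut.aspx 200
2025-07-18 18:03:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200
2025-07-18 18:05:01 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CONTOSO\\admin 10.0.0.44 Mozilla/5.0 https://sp.example/_layouts/15/settings.aspx 200
"""


def parse_w3c(lines):
    """Parse IIS W3C log lines into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed lines rather than misalign columns
                records.append(dict(zip(fields, values)))
    return records


def classify(rec):
    """Return the reasons one request record matches the ToolShell pattern."""
    stem = rec.get("cs-uri-stem", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    reasons = []
    if stem.endswith("/toolpane.aspx") and "/_layouts/signout.aspx" in referer:
        reasons.append("toolpane-with-signout-referer")  # the patch-bypass signature
    if stem.endswith("/spinstall0.aspx"):
        reasons.append("spinstall0-webshell-request")
    if rec.get("c-ip") in KNOWN_ATTACK_IPS:
        reasons.append("known-campaign-source-ip")
    return reasons


def hunt(log_text):
    """Return (timestamp, client ip, uri, reasons) for every suspicious request."""
    hits = []
    for rec in parse_w3c(log_text.splitlines()):
        reasons = classify(rec)
        if reasons:
            hits.append((f"{rec['date']} {rec['time']}", rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits
```

A legitimate administrator opening ToolPane.aspx from a settings page (last sample line) is not flagged; only the SignOut.aspx Referer combination, the webshell filename, or a listed source IP produces a hit.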

The Machine Key Problem 

The most concerning aspect of this campaign isn't the initial compromise—it's the persistent access created through stolen machine keys. SharePoint uses these cryptographic secrets to validate all authentication tokens, session cookies, and viewstate objects. Once extracted, these keys become a "golden ticket" for long-term access. 

Even after applying Microsoft's patches, organizations remain vulnerable until they rotate these compromised keys. This creates a dangerous window where patched servers appear secure but remain fully accessible to attackers. The key rotation process requires careful coordination across SharePoint farms and typically necessitates brief service outages. 

Microsoft's detection signatures identify several malware families associated with this campaign, including variants labeled 'HijackSharePointServer' and 'ToolShell.Webshell'. However, the sophisticated nature of machine key abuse means attackers can maintain access through legitimate-looking authentication tokens that bypass traditional security controls. 

Why This Matters for MSPs 

This represents the largest SharePoint compromise in recent memory, with confirmed victims spanning critical infrastructure and government agencies. The unauthenticated nature of the exploit eliminates traditional security barriers—multi-factor authentication, network segmentation, and access controls all become irrelevant once the vulnerability is triggered. 

For MSPs managing client SharePoint environments, this campaign highlights a fundamental challenge: many organizations have lost track of their on-premise SharePoint deployments. SharePoint servers deployed years ago for document management or collaboration often remain unpatched and internet-accessible, creating attractive targets for opportunistic attackers. 

The persistence mechanisms enabled by stolen machine keys create long-term liability exposure. Unlike typical web application vulnerabilities that require sustained access to maintain persistence, this attack grants attackers the ability to authenticate legitimately for months or years after the initial compromise. 

Client communication becomes critical because the scope of this campaign extends beyond typical cybercriminal activity. When federal agencies and energy companies are confirmed victims of the same attack chain targeting your clients, it frames the conversation differently than routine security updates. 

The technical complexity of proper remediation—requiring both patching and key rotation with associated service outages—makes this an ideal scenario for demonstrating MSP value through coordinated emergency response and clear communication about ongoing risks. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to implement mitigations by July 21, underscoring the critical nature of this threat. 
