A zero-day vulnerability (CVE-2025-53770) was recently discovered in Microsoft SharePoint Server. The vulnerability is being exploited at scale in the wild, affecting dozens of organizations, including multinational corporations and government agencies. This is a highly technical attack that can be difficult to detect and can have serious consequences if not addressed in a timely manner.

CVE-2025-53770 is an upgraded variant of CVE-2025-49704 (which Microsoft patched in early July). However, that patch was incomplete and hacking groups were found to have bypassed it.

CVE-2025-53770 exploits a flaw in the “deserialization” process: SharePoint processes externally supplied input data without full authentication. This allows attackers to execute arbitrary code remotely without logging in (unauthenticated RCE).

Microsoft also disclosed another vulnerability, CVE-2025-53771, which it said had more protections than CVE-2025-49706. Together, these are two new zero-day vulnerabilities, both of which got past Microsoft’s initial bug fixes earlier this month.

The attack chain is extremely subtle:

  • The hacker sends a malicious payload over HTTP to SharePoint, taking advantage of a weakness related to the HTTP Referer header.
  • This payload contains malicious ASPX code that uses PowerShell to steal the MachineKey (SharePoint’s internal cryptographic key).
  • With these keys in hand, the attacker can craft rogue payloads as “ViewState” (the ASP.NET mechanism used to preserve page state between requests).
  • SharePoint accepts these forged payloads as genuine, and the hackers can then execute anything on the system, maintain long-term control, and move to other internal systems undetected.
According to statistics from experts:
  • At least 85 SharePoint servers have been successfully hacked to date.
  • These servers belong to 29 global organizations, including large businesses and state agencies.
  • No login and no user interaction are required: as long as the system is vulnerable and connected to the internet, hackers can remotely take control of the entire SharePoint Server.

Notably, Microsoft confirmed that SharePoint Online (in Microsoft 365) is unaffected; only on-premises SharePoint systems were attacked.

Why is this vulnerability so dangerous?

  • Remote code execution requires no authentication, so hackers can break into servers without a password.
  • The attack is well concealed, using internal mechanisms to disguise malicious requests as valid ones.
  • It is hard to remediate: once exploited, hackers can use the stolen keys to continue attacks even after the system has been patched.

Official patches for CVE-2025-53770 and CVE-2025-53771 are now available; these two new fixes address the earlier incomplete patches. Users need to update now.

If you cannot update immediately:

  • Temporarily disconnect the SharePoint Server from the internet.
  • Enable the Antimalware Scan Interface (AMSI) integration, available from the September 2023 update onward.
  • Install Microsoft Defender Antivirus and Defender for Endpoint to monitor post-exploitation behavior.
  • Strengthen network monitoring and system logging, especially for unusual activity from tools such as PowerShell.
This SharePoint case exemplifies a type of zero-day attack that is sophisticated, prone to leaks, hard to detect, and hard to fix without preparation.
Compiled by WhiteHat