{"id":5492,"date":"2025-07-20T10:03:30","date_gmt":"2025-07-20T10:03:30","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/07\/20\/sharepoint-0-day-rce-vulnerability-actively-exploited-in-the-wild-to-gain-full-server-access\/"},"modified":"2025-07-20T10:03:30","modified_gmt":"2025-07-20T10:03:30","slug":"sharepoint-0-day-rce-vulnerability-actively-exploited-in-the-wild-to-gain-full-server-access","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/07\/20\/sharepoint-0-day-rce-vulnerability-actively-exploited-in-the-wild-to-gain-full-server-access\/","title":{"rendered":"SharePoint 0-Day RCE Vulnerability Actively Exploited in the Wild to Gain Full Server Access"},"content":{"rendered":"

SharePoint 0-Day RCE Vulnerability Actively Exploited in the Wild to Gain Full Server Access
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A sophisticated cyberattack campaign targeting Microsoft SharePoint servers has been discovered exploiting a newly weaponized vulnerability chain dubbed \u201cToolShell,\u201d enabling attackers to gain complete remote control over vulnerable systems without authentication.<\/p>\n

Eye Security, a Dutch cybersecurity firm, identified the active exploitation on July 18, 2025, revealing what security researchers describe as one of the most rapid transitions from proof-of-concept to mass exploitation in recent memory.<\/p>\n

Key Takeaways<\/mark><\/strong>
1. A critical SharePoint vulnerability (\"ToolShell\") is being actively exploited, giving attackers full, unauthenticated server control.
2. The attack steals server keys to bypass security and install persistent backdoors.
3. Patch immediately and scan for existing compromise, as the patch won't remove attackers already inside.<\/pre>\n
From Research to Weaponization in 72 Hours<\/strong><\/h2>\n
The vulnerability chain combines two critical security flaws, CVE-2025-49706<\/a> and CVE-2025-49704<\/a>, originally demonstrated at Pwn2Own Berlin 2025 in May by security researchers from CODE WHITE GmbH, a German offensive security firm.<\/p>\n
The exploit remained dormant until July 15, 2025, when CODE WHITE publicly shared their detailed findings on social media platforms after Microsoft\u2019s official patch release.<\/p>\n
Within just 72 hours of public disclosure, threat actors had successfully operationalized the exploit for large-scale coordinated attacks.<\/p>\n
Eye Security\u2019s comprehensive investigation revealed<\/a> that attackers began systematic mass exploitation on July 18, 2025, around 18:00 Central European Time, initially using IP address 107.191.58.76.<\/p>\n
A second distinct wave of attacks emerged from 104.238.159.149 on July 19, 2025, at 07:28 CET, clearly indicating a well-coordinated international campaign.<\/p>\n
The ToolShell exploit bypasses traditional authentication<\/a> mechanisms by targeting SharePoint\u2019s vulnerable \/_layouts\/15\/ToolPane.aspx<\/code> endpoint.<\/p>\n
Unlike conventional web shells designed primarily for command execution, the malicious payload specifically extracts sensitive cryptographic keys from SharePoint servers, including critical ValidationKey and DecryptionKey materials.<\/p>\n
\u201cThis wasn\u2019t your typical webshell,\u201d explained Eye Security researchers in their detailed technical analysis. \u201cThe attacker turns SharePoint\u2019s inherent trust in its own configuration into a powerful weapon\u201d.<\/p>\n
Once these cryptographic secrets are successfully obtained, attackers can craft completely valid __VIEWSTATE<\/code> payloads to achieve complete remote code execution without requiring any user credentials whatsoever.<\/p>\n
The sophisticated attack leverages techniques similar to CVE-2021-28474, exploiting SharePoint\u2019s deserialization and control rendering processes.<\/p>\n
By obtaining the server\u2019s ValidationKey, attackers can digitally sign malicious payloads that SharePoint automatically accepts as legitimate trusted input, effectively bypassing all existing security controls and defensive measures.<\/p>\n
Eye Security\u2019s comprehensive scan of over 1,000 SharePoint servers deployed worldwide revealed dozens of actively compromised systems across multiple organizations.<\/p>\n
The cybersecurity firm immediately initiated responsible disclosure procedures, directly contacting all affected organizations and national Computer Emergency Response Teams (CERTs) across Europe and internationally.<\/p>\n
\"ToolShell
ToolShell SharePoint Exploit Attack Statistics and Impact Analysis<\/figcaption><\/figure>\n
Microsoft has officially acknowledged the active exploitation threat, assigning a new CVE identifier (CVE-2025-53770) to track the specific variant being used in live attacks.<\/p>\n
\n
\n
\n
Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770.<\/p>\n
We have outlined mitigations and detections in our blog. Our team is working urgently to release\u2026<\/p>\n
\u2014 Security Response (@msftsecresponse) July 20, 2025<\/a>\n<\/p><\/blockquote>\n