On July 19, reports emerged that Microsoft SharePoint Servers worldwide were under active exploitation. Researchers at Eye Security published a blog post detailing their identification of an “active, large-scale exploitation” that was initially linked to a pair of vulnerabilities in SharePoint dubbed ToolShell. Successful exploitation of CVE-2025-53770 could expose MachineKey configuration details from a vulnerable SharePoint Server, ultimately enabling unauthenticated remote code execution.
“The active exploitation of the SharePoint zero-day vulnerability over the weekend will have far-reaching consequences for those organisations that were affected. Attackers were able to exploit the flaw, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Servers, which include both a validationKey and a decryptionKey. These details can be used by attackers to create specially crafted requests that could be used to gain unauthenticated remote code execution. Organisations that may have been impacted could identify potential exploitation by searching for indicators of compromise, including a file created on the vulnerable servers called spinstall0.aspx, though it may include some other file extension. The attack surface for this vulnerability is large, at over 9,000 externally accessible SharePoint servers, and it is used by a variety of organisations. Patches have started to roll out late on July 20, including fixes for SharePoint Server 2019 and SharePoint Subscription Edition. A patch for SharePoint Server 2016 is not yet available but is expected to be released soon. We strongly advise organisations to begin conducting incident response investigations to identify potential compromise; otherwise, apply the available patches and review the mitigation instructions provided by Microsoft.” — Satnam Narang, Sr. Staff Research Engineer at Tenable
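The quote above points responders at one concrete indicator: a file named spinstall0 dropped on the server, possibly with an extension other than .aspx. The script below is an added example of how a responder might hunt for that artifact on a file tree; it is not code from the article, from Tenable or from Eye Security. It matches on the name before the first dot, case-insensitively, so spinstall0.aspx, SPInstall0.txt, spinstall0.aspx.bak and an extensionless spinstall0 all count, while look-alikes such as spinstall1.aspx do not. The directory layout built by build_sample_tree is constructed for the demonstration and is not the real SharePoint install path; in practice you would point find_ioc_files at the web root and LAYOUTS directories of each SharePoint server.

```python
"""Hunt for the ToolShell IoC file name (spinstall0, any extension) on a file tree."""
import os
import tempfile
from pathlib import Path

IOC_STEM = "spinstall0"  # file name named in the article; extension may vary


def is_ioc_filename(name: str) -> bool:
    """True if the name before the first dot is spinstall0 (case-insensitive).

    Splitting on the first dot catches both unusual extensions (spinstall0.txt)
    and double extensions (spinstall0.aspx.bak); a bare 'spinstall0' also matches.
    """
    return name.lower().split(".", 1)[0] == IOC_STEM


def find_ioc_files(root: str) -> list[str]:
    """Walk `root` and return sorted paths (relative to root) of matching files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            if is_ioc_filename(fname):
                full = os.path.join(dirpath, fname)
                # Normalise separators so results look the same on Windows and POSIX.
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed directory tree for the demo and return its root.

    The TEMPLATE/LAYOUTS layout is an illustrative placeholder only, not the
    actual SharePoint installation path; the file contents are dummy text.
    """
    root = tempfile.mkdtemp(prefix="toolshell_hunt_")
    layouts = Path(root) / "TEMPLATE" / "LAYOUTS"
    layouts.mkdir(parents=True)
    (layouts / "spinstall0.aspx").write_text("<!-- constructed sample -->")
    (layouts / "SPInstall0.txt").write_text("constructed sample, odd extension")
    (layouts / "spinstall0.aspx.bak").write_text("constructed sample, double extension")
    (layouts / "default.aspx").write_text("benign page")
    (layouts / "spinstall1.aspx").write_text("benign look-alike, must not match")
    (Path(root) / "spinstall0").write_text("constructed sample, no extension")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_ioc_files(sample_root):
        print("IoC candidate:", hit)
```

A hit is a lead for incident response, not proof of compromise on its own; the next step the quote recommends is a full investigation of the affected server rather than simply deleting the file.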