Massive SharePoint Breach Uncovered

A significant cybersecurity breach has emerged: a critical zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, permits attackers to execute code remotely before authenticating. The flaw, rated with a CVSS score of 9.8, stems from the deserialization of untrusted data and allows malicious actors to inject arbitrary code, exposing numerous organizations to attack.

An active and large-scale campaign has already compromised over 75 entities, primarily targeting on-premises SharePoint Server environments. Among the affected organizations are U.S. federal and state agencies, universities, and energy companies, as confirmed by reports on July 18 and 19, 2025. Two U.S. federal agencies and partners in Canada and Australia are currently under investigation for related breaches. The attacks highlight the risk of running unpatched software, which significantly increases the likelihood that known exploits succeed.

The Cybersecurity and Infrastructure Security Agency (CISA) has warned that the impact may be widespread, as the scope of the vulnerabilities is still being assessed. Exploitation occurs via crafted HTTP requests directed at the /layouts/15/ToolPane.aspx endpoint, which lets attackers bypass authentication; the same endpoint is believed to be used to extract sensitive information and escalate privileges.

By combining this flaw with a previous vulnerability (CVE-2025-49704), attackers can forge trusted payloads using stolen machine keys, giving them access to all SharePoint content and configuration files. Once inside, they establish footholds to move laterally within Windows domains and may likewise gain access to integrated services such as OneDrive and Teams. This could lead to significant data theft and extensive security breaches within affected organizations.

In response, Microsoft released emergency patches for SharePoint Server 2019 and Subscription Edition, with further updates for SharePoint 2016 pending. CISA recommends immediate disconnection of affected servers from the internet until patches are applied.

Nevertheless, detection remains difficult because malicious activity blends in with legitimate operations, which makes deep endpoint visibility necessary. Industry experts from Trend Micro and Eye Security have independently verified the active exploitation, underscoring the need for vigilance in addressing this pervasive threat.
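The article names the exploited endpoint and notes that the attack is pre-authentication and hard to spot amid legitimate traffic. One defensive check that follows directly from those two facts is to look, in the web server's own logs, for requests to ToolPane.aspx that IIS served successfully to a client it recorded as anonymous: authenticated administrators do legitimately use that page, but an unauthenticated client receiving HTTP 200 from it is not expected behaviour. The following Python is an added example written for this article, not code from Microsoft, CISA, or the researchers cited above. The log lines are constructed for illustration (documentation IP ranges, a made-up hostname, and a fictional tenant), and the parser assumes the standard IIS W3C extended format with a `#Fields:` header. The path pattern accepts both the `/layouts/15/` form used in the article and the `/_layouts/15/` virtual directory under which SharePoint normally serves the page.

```python
"""Flag requests to the SharePoint ToolPane.aspx page that IIS served to an
anonymous client. Added example: parses IIS W3C extended logs and applies one
detection rule derived from the article (pre-auth access to this endpoint)."""
import re
from typing import Dict, List

# Constructed sample log (not from any real incident). Fields follow the IIS
# W3C extended default set; IIS writes '-' for an empty field and '+' for
# spaces inside a field, so a plain split on spaces is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:12:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2025-07-18 09:13:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\spadmin 10.0.1.21 Mozilla/5.0 https://sp.contoso.example/_layouts/15/start.aspx 200 0 0 310
2025-07-18 09:15:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 88
2025-07-18 09:15:09 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 401 2 5 3
"""

# Matches the page under either spelling of the layouts directory.
TOOLPANE_RE = re.compile(r"/_?layouts/15/toolpane\.aspx$", re.IGNORECASE)


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Turn IIS W3C extended log text into one dict per request.

    Column names come from the most recent '#Fields:' directive, so the parser
    follows the server's configured field order rather than assuming one.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software / #Date
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # no header yet or a malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def flag_unauthenticated_toolpane(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return requests where ToolPane.aspx returned HTTP 200 to a client IIS saw as anonymous.

    Authenticated editors legitimately load this page, so a populated cs-username
    is ignored; a 401/403 to an anonymous client is authentication working as
    intended and is also ignored. What remains is the pre-auth pattern the
    article describes: the page served successfully with no user identity.
    """
    hits: List[Dict[str, str]] = []
    for rec in records:
        if not TOOLPANE_RE.search(rec.get("cs-uri-stem", "")):
            continue
        if rec.get("cs-username", "-") != "-":
            continue
        if rec.get("sc-status") != "200":
            continue
        hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> List[str]:
    """One human-readable line per flagged request, for a ticket or SIEM note."""
    return [
        f"{h['date']} {h['time']} client={h['c-ip']} {h['cs-method']} {h['cs-uri-stem']} "
        f"status={h['sc-status']} user={h['cs-username']}"
        for h in hits
    ]


if __name__ == "__main__":
    for line in summarize(flag_unauthenticated_toolpane(parse_iis_w3c(SAMPLE_IIS_LOG))):
        print(line)
```

Run against the constructed sample, only the anonymous POST that received a 200 is reported; the administrator's edit session and the anonymous GET that was correctly challenged with 401 are left alone. A rule like this covers one visible symptom of the behaviour described above and is meant to complement, not replace, the endpoint visibility the article calls for, since web logs on a compromised server can be rotated or cleared.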
